Edit tour

Windows Analysis Report
MicrosoftOfficeWord.exe

Overview

General Information

Sample name:	MicrosoftOfficeWord.exe
Analysis ID:	1587447
MD5:	2db79d70849a29f5c04cdc4ef1e40674
SHA1:	69104324e2f4c6516ccfaf1ac86012a1376bd2f7
SHA256:	92e52a846763c071696b7a5c01beab41e07b0c9fd66f493617a8940345388aa0
Tags:	exeuser-zhuzhu0009
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

IP address seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

MicrosoftOfficeWord.exe (PID: 8120 cmdline: "C:\Users\user\Desktop\MicrosoftOfficeWord.exe" MD5: 2DB79D70849A29F5C04CDC4EF1E40674)

csc.exe (PID: 5932 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.2531358241.0000000009D90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.2530178907.0000000008762000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.2528762930.00000000075C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: csc.exe PID: 5932	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.csc.exe.9d90000.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
7.2.csc.exe.87e6a48.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: MicrosoftOfficeWord.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: MicrosoftOfficeWord.exe	ReversingLabs: Detection: 65%
Source: MicrosoftOfficeWord.exe	Virustotal: Detection: 69%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Unpacked PE file: 4.2.MicrosoftOfficeWord.exe.4460000.2.unpack

Source: MicrosoftOfficeWord.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: MicrosoftOfficeWord.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\jenkins\workspace\Client\Client\Windows_VDI\release\Bin\Release\ZoomDocConverter.pdb@@ source: MicrosoftOfficeWord.exe
Source:	Binary string: Fxjvdwlxzkd.pdb source: csc.exe, 00000007.00000002.2530999315.0000000009C20000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.000000000885C000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000007.00000003.1696846210.0000000008B75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2531479442.0000000009DF0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000007.00000003.1696846210.0000000008B75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2531479442.0000000009DF0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\Client\Client\Windows_VDI\release\Bin\Release\ZoomDocConverter.pdb source: MicrosoftOfficeWord.exe

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 4_2_0040F130 GetCurrentProcess,GetMappedFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,

4_2_0040F130

Source: global traffic

TCP traffic: 192.168.2.10:49821 -> 181.71.216.203:30203

Source: Joe Sandbox View

IP Address: 181.71.216.203 181.71.216.203

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: newstaticfreepoint24.ddns-ip.net

Source: csc.exe, 00000007.00000002.2528762930.000000000781D000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2528762930.00000000075C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: csc.exe, 00000007.00000003.1696846210.0000000008B75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2531479442.0000000009DF0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: csc.exe, 00000007.00000003.1696846210.0000000008B75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2531479442.0000000009DF0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: csc.exe, 00000007.00000003.1696846210.0000000008B75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2531479442.0000000009DF0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: csc.exe, 00000007.00000003.1696846210.0000000008B75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2531479442.0000000009DF0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: csc.exe, 00000007.00000003.1696846210.0000000008B75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2528762930.00000000075C1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2531479442.0000000009DF0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: csc.exe, 00000007.00000003.1696846210.0000000008B75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2531479442.0000000009DF0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: MicrosoftOfficeWord.exe	String found in binary or memory: https://zoom.us/privacy/Zoom

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 4_2_004300A0	4_2_004300A0
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 4_2_00430BEA	4_2_00430BEA
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 4_2_0040DC50	4_2_0040DC50
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 4_2_004304AC	4_2_004304AC
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 4_2_00403F13	4_2_00403F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_05A142C5	7_2_05A142C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_05A142C8	7_2_05A142C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D1D5E0	7_2_09D1D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D15758	7_2_09D15758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D1D917	7_2_09D1D917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D14DC0	7_2_09D14DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D14DBC	7_2_09D14DBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D13577	7_2_09D13577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D15749	7_2_09D15749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D13697	7_2_09D13697
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D1E688	7_2_09D1E688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E42D60	7_2_09E42D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E42148	7_2_09E42148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E474B0	7_2_09E474B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E44640	7_2_09E44640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E449E1	7_2_09E449E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E474A1	7_2_09E474A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E478B9	7_2_09E478B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E42490	7_2_09E42490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E44631	7_2_09E44631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E713A8	7_2_09E713A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E7FA88	7_2_09E7FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E7F1D8	7_2_09E7F1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E7F188	7_2_09E7F188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E7FA78	7_2_09E7FA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E7FA50	7_2_09E7FA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E7E4D4	7_2_09E7E4D4

Source: MicrosoftOfficeWord.exe	Binary or memory string: OriginalFilename vs MicrosoftOfficeWord.exe
Source: MicrosoftOfficeWord.exe, 00000004.00000002.1462191608.00000000044EC000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYxttxbmsat.exe" vs MicrosoftOfficeWord.exe
Source: MicrosoftOfficeWord.exe	Binary or memory string: OriginalFilenameZoom* vs MicrosoftOfficeWord.exe

Source: MicrosoftOfficeWord.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal88.evad.winEXE@3/0@1/1

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 4_2_004113D0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

4_2_004113D0

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 4_2_00411A50 CoInitializeEx,CoUninitialize,CoCreateInstance,SysAllocString,SysFreeString,CoSetProxyBlanket,_com_issue_error,

4_2_00411A50

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: \Sessions\1\BaseNamedObjects\mono1234

Source: MicrosoftOfficeWord.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MicrosoftOfficeWord.exe	ReversingLabs: Detection: 65%
Source: MicrosoftOfficeWord.exe	Virustotal: Detection: 69%

Source: unknown	Process created: C:\Users\user\Desktop\MicrosoftOfficeWord.exe "C:\Users\user\Desktop\MicrosoftOfficeWord.exe"
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Section loaded: crowdstrikeceoisextragay.dll	Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Section loaded: sentinelisabadedrtrynexttimemaybe.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: MicrosoftOfficeWord.exe

Static file information: File size 3567616 > 1048576

Source: MicrosoftOfficeWord.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x33c000

Source: MicrosoftOfficeWord.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MicrosoftOfficeWord.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MicrosoftOfficeWord.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MicrosoftOfficeWord.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MicrosoftOfficeWord.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MicrosoftOfficeWord.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: MicrosoftOfficeWord.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: MicrosoftOfficeWord.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\jenkins\workspace\Client\Client\Windows_VDI\release\Bin\Release\ZoomDocConverter.pdb@@ source: MicrosoftOfficeWord.exe
Source:	Binary string: Fxjvdwlxzkd.pdb source: csc.exe, 00000007.00000002.2530999315.0000000009C20000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.000000000885C000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000007.00000003.1696846210.0000000008B75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2531479442.0000000009DF0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000007.00000003.1696846210.0000000008B75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2531479442.0000000009DF0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\Client\Client\Windows_VDI\release\Bin\Release\ZoomDocConverter.pdb source: MicrosoftOfficeWord.exe

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Unpacked PE file: 4.2.MicrosoftOfficeWord.exe.4460000.2.unpack

Yara detected Costura Assembly Loader

Source: Yara match	File source: 7.2.csc.exe.9d90000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.csc.exe.87e6a48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2531358241.0000000009D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2530178907.0000000008762000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2528762930.00000000075C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csc.exe PID: 5932, type: MEMORYSTR

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"			Jump to behavior

Source: MicrosoftOfficeWord.exe

Static PE information: real checksum: 0x6698e should be: 0x36d21b

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 4_2_0040E90C push es; ret	4_2_0040E91C
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 4_2_00414F64 push ecx; ret	4_2_00414F77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_05A1780C pushad ; iretd	7_2_05A17825
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_073851FD push ebx; ret	7_2_07385203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D13891 push edi; iretd	7_2_09D13892
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D13889 push edi; iretd	7_2_09D1388A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D13840 push edi; iretd	7_2_09D13842
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D13860 push edi; iretd	7_2_09D13862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D13868 push edi; iretd	7_2_09D1386A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D13577 push edi; iretd	7_2_09D1383A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D146D8 pushad ; iretd	7_2_09D146DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09D13697 push edi; iretd	7_2_09D1383A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E7519C push 8B53D08Bh; iretd	7_2_09E75161
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E7C150 push esp; iretd	7_2_09E7C151
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 7_2_09E7BA80 push eax; retf	7_2_09E7BA81

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 5A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 75C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 72E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Window / User API: threadDelayed 8252			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Window / User API: threadDelayed 1603			Jump to behavior

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

API coverage: 0.9 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -59891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6112	Thread sleep count: 8252 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6112	Thread sleep count: 1603 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -59766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -59656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -59546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -59434s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -59328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -59219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -59107s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -59000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -58890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -58781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -58672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -58562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -58453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -58344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -58234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -58125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -58016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -57906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -57797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -57687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -57578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -57469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -57359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -57250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -57141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -57031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -56922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -56812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -56702s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -56537s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -56391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -56219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -56109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -56000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -55891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -55781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -55671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -55562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -55452s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -55343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -55234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -55125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -55016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -54891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -54766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -54656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -54547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -54437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6104	Thread sleep time: -54328s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 4_2_0040F130 GetCurrentProcess,GetMappedFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,

4_2_0040F130

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59434	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59107	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56702	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56537	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 54891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 54766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 54656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 54547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 54437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 54328	Jump to behavior

Source: csc.exe, 00000007.00000002.2525053423.0000000005893000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllache

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 7_2_09D1FAC0 LdrInitializeThunk,

7_2_09D1FAC0

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 4_2_00414A32 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00414A32

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 4_2_0040D830 GetModuleFileNameW,SHGetSpecialFolderPathW,GetProcessHeap,HeapAlloc,SHGetSpecialFolderPathW,GetWindowsDirectoryW,GetProcessHeap,HeapAlloc,

4_2_0040D830

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 4_2_00414A32 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00414A32
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 4_2_00414BA6 SetUnhandledExceptionFilter,	4_2_00414BA6
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 4_2_004146B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_004146B4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5400000			Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 51CA008			Jump to behavior

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 4_2_00411F70 OpenProcessToken,GetLastError,DuplicateTokenEx,GetLastError,AllocateAndInitializeSid,GetLastError,CreateWellKnownSid,GetLastError,GetProcessHeap,HeapAlloc,GetLastError,CreateWellKnownSid,GetLastError,CreateRestrictedToken,GetLastError,AllocateAndInitializeSid,GetLastError,SetTokenInformation,GetLastError,CloseHandle,CloseHandle,FreeSid,GetProcessHeap,HeapFree,FreeSid,CloseHandle,

4_2_00411F70

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 4_2_00414851 cpuid

4_2_00414851

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 4_2_00414C65 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_00414C65

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: csc.exe, 00000007.00000003.1481198731.000000000A0C8000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2525053423.00000000057E7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	31 Process Injection	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Process Injection	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	134 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MicrosoftOfficeWord.exe	66%	ReversingLabs	Win32.Trojan.Leonem
MicrosoftOfficeWord.exe	69%	Virustotal		Browse
MicrosoftOfficeWord.exe	100%	Avira	TR/Crypt.XPACK.Gen3

Name	IP	Active	Malicious	Antivirus Detection	Reputation
newstaticfreepoint24.ddns-ip.net	181.71.216.203	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-net	csc.exe, 00000007.00000003.1696846210.0000000008B75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2531479442.0000000009DF0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	csc.exe, 00000007.00000003.1696846210.0000000008B75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2531479442.0000000009DF0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	csc.exe, 00000007.00000003.1696846210.0000000008B75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2528762930.00000000075C1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2531479442.0000000009DF0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	csc.exe, 00000007.00000003.1696846210.0000000008B75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2531479442.0000000009DF0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://zoom.us/privacy/Zoom	MicrosoftOfficeWord.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	csc.exe, 00000007.00000002.2528762930.000000000781D000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2528762930.00000000075C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	csc.exe, 00000007.00000003.1696846210.0000000008B75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2531479442.0000000009DF0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	csc.exe, 00000007.00000003.1696846210.0000000008B75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.2531479442.0000000009DF0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000007.00000003.1696846210.0000000008A3E000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
181.71.216.203	newstaticfreepoint24.ddns-ip.net	Colombia		27831	ColombiaMovilCO	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587447
Start date and time:	2025-01-10 11:41:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MicrosoftOfficeWord.exe
Detection:	MAL
Classification:	mal88.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 92 Number of non-executed functions: 62
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:42:44	API Interceptor	1746560x Sleep call for process: csc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
181.71.216.203	AdobePDF.exe	Get hash	malicious	Unknown	Browse
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse
	AdobePremierPDF.exe	Get hash	malicious	Unknown	Browse
	2LDJIyMl2r.exe	Get hash	malicious	Remcos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
newstaticfreepoint24.ddns-ip.net	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePremierPDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	2LDJIyMl2r.exe	Get hash	malicious	Remcos	Browse	181.71.216.203
	SHROsQyiAd.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	4JwhvqLe8n.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	fIPSLgT0lO.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	3XSXmrEOw7.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	ozfqy8Ms6t.exe	Get hash	malicious	Remcos	Browse	181.131.217.244

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ColombiaMovilCO	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePremierPDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6
	6.elf	Get hash	malicious	Unknown	Browse	181.70.170.80
	173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6
	1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6
	17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6
	1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.133380080323117
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MicrosoftOfficeWord.exe
File size:	3'567'616 bytes
MD5:	2db79d70849a29f5c04cdc4ef1e40674
SHA1:	69104324e2f4c6516ccfaf1ac86012a1376bd2f7
SHA256:	92e52a846763c071696b7a5c01beab41e07b0c9fd66f493617a8940345388aa0
SHA512:	f4b7fb079d320bdad76c47a6f61ac7dc61f7c5159df65292645e3046c63bb4e02438bb06eff37a98297163b6c53f1d313c4dd5ec4b1ff1aceae07356831d957e
SSDEEP:	49152:Usxci/uNQrNcXei/uNXQVNcXei/uNQ4NcXei/uNkqO10oh7JDfglOXv:U84N8NtNfqW0udfglOf
TLSH:	46F58CB8E76FEC42D8216A7F1092634E0323DEFE594385975248F764A4B3EC439E8467
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........rt..............k.......f.......f.......f.......f.......{.......{.......f.......f..........=....f.......f...............f.....

File Icon


Icon Hash:	e082c4e4ae8c82e8

Static PE Info

General

Entrypoint:	0x414670
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6743E4D1 [Mon Nov 25 02:45:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	73fea8e21025ec6f368037fae3afc60a

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F4A84668A82h
jmp 00007F4A846682ADh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, dword ptr [ebp+08h]
push dword ptr [esi]
call 00007F4A84668CA3h
push dword ptr [ebp+14h]
mov dword ptr [esi], eax
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push esi
push 00413F30h
push 00429024h
call 00007F4A84668BD4h
add esp, 1Ch
pop esi
pop ebp
ret
jmp 00007F4A84667CB6h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0041932Ch]
push dword ptr [ebp+08h]
call dword ptr [00419324h]
push C0000409h
call dword ptr [00419270h]
push eax
call dword ptr [00419368h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [00419330h]
test eax, eax
je 00007F4A84668447h
push 00000002h
pop ecx
int 29h
mov dword ptr [0042CB80h], eax
mov dword ptr [0042CB7Ch], ecx
mov dword ptr [0042CB78h], edx
mov dword ptr [0042CB74h], ebx
mov dword ptr [0042CB70h], esi
mov dword ptr [0042CB6Ch], edi
mov word ptr [0042CB98h], ss
mov word ptr [0042CB8Ch], cs
mov word ptr [0042CB68h], ds
mov word ptr [0042CB64h], es
mov word ptr [00000000h], fs

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x248e8	0x1cc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2e000	0x33becc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x58800	0x5f38	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x59000	0x2acc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x21cd8	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x21e40	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x21d48	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19000	0x5b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x18000	0x17e00	194a7255282fe9d7ae81b72636d3958e	False	0.4041639397905759	data	6.147389640020991	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0x10000	0xf400	705b94a546f1abb8fba1e84ce4933d03	False	0.29005507172131145	data	5.0324726546167895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x29000	0x5000	0x3a00	22c50ae1b95257f8c3a44ff7a2de2c94	False	0.10162984913793104	data	2.0443500313558287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2e000	0x33becc	0x33c000	4d3fa0f36523000af465d39a2916abf9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x2e72c	0x2ec	data			0.56951871657754
RT_CURSOR	0x2ea18	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"			0.4117647058823529
RT_BITMAP	0x2ed04	0x5428	Device independent bitmap graphic, 224 x 32 x 24, image size 0, resolution 3780 x 3780 px/m			0.1578165614556257
RT_BITMAP	0x3412c	0xbd28	Device independent bitmap graphic, 336 x 48 x 24, image size 0, resolution 3780 x 3780 px/m			0.13666776804890138
RT_BITMAP	0x3fe54	0x72a24	Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m			0.5168697022617881
RT_BITMAP	0xb2878	0x72a24	Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m			0.6944626655875964
RT_BITMAP	0x12529c	0x72a24	Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m			0.701893342420241
RT_BITMAP	0x197cc0	0x72a24	Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m			0.7138369467989948
RT_ICON	0x20a6e4	0xc5c0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.6268963337547409
RT_ICON	0x216ca4	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144			0.1756923691451904
RT_ICON	0x258ccc	0x6375f	PC bitmap, Windows 3.x format, 51811 x 2 x 49, image size 407651, cbSize 407391, bits offset 54			0.9921942310949432
RT_ICON	0x2bc42c	0x528	Device independent bitmap graphic, 16 x 32 x 32, image size 1280	English	United States	0.4401515151515151
RT_ICON	0x2bc954	0xb68	Device independent bitmap graphic, 24 x 48 x 32, image size 2880	English	United States	0.29486301369863016
RT_ICON	0x2bd4bc	0x1428	Device independent bitmap graphic, 32 x 64 x 32, image size 5120	English	United States	0.23507751937984497
RT_ICON	0x2be8e4	0x2d28	Device independent bitmap graphic, 48 x 96 x 32, image size 11520	English	United States	0.17439446366782008
RT_ICON	0x2c160c	0x5028	Device independent bitmap graphic, 64 x 128 x 32, image size 20480	English	United States	0.12339181286549708
RT_ICON	0x2c6634	0x14028	Device independent bitmap graphic, 128 x 256 x 32, image size 81920	English	United States	0.0954123962908736
RT_ICON	0x2da65c	0xc16d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0005250721974273
RT_RCDATA	0x2e67cc	0xfd8	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced			1.0027120315581854
RT_RCDATA	0x2e77a4	0x9d36	PNG image data, 98 x 102, 8-bit/color RGBA, non-interlaced			0.33521343736023457
RT_RCDATA	0x2f14dc	0x9d36	PNG image data, 98 x 102, 8-bit/color RGBA, non-interlaced			0.24362669582070268
RT_RCDATA	0x2fb214	0xcbf0	Delphi compiled form 'TfFileProperties'			0.31453034017775056
RT_RCDATA	0x307e04	0x3c248	Delphi compiled form 'TfMain'			0.6290065924073653
RT_GROUP_ICON	0x34404c	0x68	data	English	United States	0.7403846153846154
RT_VERSION	0x3440b4	0x364	data	English	United States	0.43317972350230416
RT_ANIICON	0x344418	0x25932	PC bitmap, Windows 3.x format, 19581 x 2 x 38, image size 154747, cbSize 153906, bits offset 54			0.9913128792899563
RT_MANIFEST	0x369d4c	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	GetCurrentThreadId, QueryDosDeviceW, VirtualProtect, HeapFree, EnterCriticalSection, GetCurrentProcess, ReleaseSemaphore, WriteFile, GetModuleFileNameW, WaitForMultipleObjects, LeaveCriticalSection, InitializeCriticalSection, SetFilePointer, ResumeThread, GetModuleHandleA, OpenProcess, GetLogicalDriveStringsW, CreateToolhelp32Snapshot, CreateEventW, Process32NextW, CreateFileA, SetEvent, Process32FirstW, FreeLibrary, HeapAlloc, GetWindowsDirectoryW, VerSetConditionMask, GetProcessHeap, GetModuleHandleW, CreateSemaphoreW, FlushInstructionCache, VerifyVersionInfoW, CreateDirectoryA, SetDllDirectoryW, VirtualQuery, LoadLibraryExW, FlushFileBuffers, LocalFree, SetErrorMode, GetPrivateProfileStringW, GetTempFileNameW, CreateFileW, OutputDebugStringW, IsWow64Process, MultiByteToWideChar, SetConsoleCtrlHandler, IsDebuggerPresent, InitializeCriticalSectionAndSpinCount, ResetEvent, WaitForSingleObjectEx, UnhandledExceptionFilter, CreateThread, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetProcAddress, LoadLibraryW, ExitProcess, DeleteCriticalSection, CloseHandle, DeleteFileW, TerminateThread, GetLastError, GetTickCount64, Sleep, WaitForSingleObject, InitializeCriticalSectionEx, TerminateProcess, CreateDirectoryW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead
USER32.dll	GetMessageW, GetUserObjectInformationA, SetTimer, TranslateMessage, PostThreadMessageW, DispatchMessageW, GetProcessWindowStation, MessageBoxW
ADVAPI32.dll	GetTokenInformation, RegGetValueW, RegOpenKeyExW, OpenProcessToken, RegEnumKeyExW, RegCloseKey, DuplicateTokenEx, FreeSid, CreateRestrictedToken, ImpersonateLoggedOnUser, CreateWellKnownSid, AllocateAndInitializeSid, SetTokenInformation, RevertToSelf
SHELL32.dll	SHGetKnownFolderPath, SHGetSpecialFolderPathW, ShellExecuteExW, SHGetSpecialFolderPathA
ole32.dll	CoInitialize, CoUninitialize, CoTaskMemFree, CoInitializeEx, CoSetProxyBlanket, OleRun, CoCreateInstance
OLEAUT32.dll	VariantClear, SysAllocString, SysFreeString
SHLWAPI.dll	PathAppendW, PathIsRelativeW
PSAPI.DLL	GetModuleInformation, GetModuleFileNameExW, GetMappedFileNameW, EnumProcessModules
WINTRUST.dll	WinVerifyTrust, WTHelperProvDataFromStateData, WTHelperGetProvCertFromChain, WTHelperGetProvSignerFromChain
CRYPT32.dll	CertGetNameStringW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:42:45.031132936 CET	49821	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:42:45.035896063 CET	30203	49821	181.71.216.203	192.168.2.10
Jan 10, 2025 11:42:45.035996914 CET	49821	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:42:45.067748070 CET	49821	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:42:45.072511911 CET	30203	49821	181.71.216.203	192.168.2.10
Jan 10, 2025 11:42:45.072563887 CET	49821	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:42:45.077327967 CET	30203	49821	181.71.216.203	192.168.2.10
Jan 10, 2025 11:43:06.397931099 CET	30203	49821	181.71.216.203	192.168.2.10
Jan 10, 2025 11:43:06.398087978 CET	49821	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:06.401679039 CET	49821	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:06.406487942 CET	30203	49821	181.71.216.203	192.168.2.10
Jan 10, 2025 11:43:06.534713030 CET	49958	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:06.539678097 CET	30203	49958	181.71.216.203	192.168.2.10
Jan 10, 2025 11:43:06.539911985 CET	49958	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:06.540801048 CET	49958	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:06.545620918 CET	30203	49958	181.71.216.203	192.168.2.10
Jan 10, 2025 11:43:06.545804024 CET	49958	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:06.550565958 CET	30203	49958	181.71.216.203	192.168.2.10
Jan 10, 2025 11:43:27.898144960 CET	30203	49958	181.71.216.203	192.168.2.10
Jan 10, 2025 11:43:27.898238897 CET	49958	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:27.898416042 CET	49958	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:27.903284073 CET	30203	49958	181.71.216.203	192.168.2.10
Jan 10, 2025 11:43:28.003453970 CET	49978	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:28.008430958 CET	30203	49978	181.71.216.203	192.168.2.10
Jan 10, 2025 11:43:28.008588076 CET	49978	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:28.009362936 CET	49978	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:28.014157057 CET	30203	49978	181.71.216.203	192.168.2.10
Jan 10, 2025 11:43:28.014348984 CET	49978	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:28.019180059 CET	30203	49978	181.71.216.203	192.168.2.10
Jan 10, 2025 11:43:49.367851019 CET	30203	49978	181.71.216.203	192.168.2.10
Jan 10, 2025 11:43:49.367919922 CET	49978	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:49.368103981 CET	49978	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:49.372860909 CET	30203	49978	181.71.216.203	192.168.2.10
Jan 10, 2025 11:43:49.472497940 CET	49979	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:49.610613108 CET	30203	49979	181.71.216.203	192.168.2.10
Jan 10, 2025 11:43:49.610744953 CET	49979	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:49.611757040 CET	49979	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:49.616534948 CET	30203	49979	181.71.216.203	192.168.2.10
Jan 10, 2025 11:43:49.616717100 CET	49979	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:43:49.621543884 CET	30203	49979	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:10.979789972 CET	30203	49979	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:10.979887009 CET	49979	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:10.980119944 CET	49979	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:10.985913992 CET	30203	49979	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:11.097255945 CET	49980	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:11.102202892 CET	30203	49980	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:11.102336884 CET	49980	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:11.103142977 CET	49980	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:11.107934952 CET	30203	49980	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:11.108015060 CET	49980	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:11.112775087 CET	30203	49980	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:16.019439936 CET	49980	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:16.026477098 CET	30203	49980	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:16.026561975 CET	49980	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:16.032449007 CET	30203	49980	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:26.317095041 CET	49980	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:26.322016001 CET	30203	49980	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:26.322113037 CET	49980	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:26.326915026 CET	30203	49980	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:26.362420082 CET	49980	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:26.367386103 CET	30203	49980	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:26.367438078 CET	49980	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:26.372454882 CET	30203	49980	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:27.268685102 CET	49980	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:27.273497105 CET	30203	49980	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:27.274081945 CET	49980	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:27.278918982 CET	30203	49980	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:30.017334938 CET	49980	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:30.022139072 CET	30203	49980	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:30.022243023 CET	49980	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:30.027020931 CET	30203	49980	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:32.467533112 CET	30203	49980	181.71.216.203	192.168.2.10
Jan 10, 2025 11:44:32.469715118 CET	49980	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:32.469715118 CET	49980	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 11:44:32.474555016 CET	30203	49980	181.71.216.203	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:42:45.007333040 CET	56432	53	192.168.2.10	1.1.1.1
Jan 10, 2025 11:42:45.029206991 CET	53	56432	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 11:42:45.007333040 CET	192.168.2.10	1.1.1.1	0xb3a9	Standard query (0)	newstaticfreepoint24.ddns-ip.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 11:42:45.029206991 CET	1.1.1.1	192.168.2.10	0xb3a9	No error (0)	newstaticfreepoint24.ddns-ip.net		181.71.216.203	A (IP address)	IN (0x0001)	false

Target ID:	4
Start time:	05:42:23
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\MicrosoftOfficeWord.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MicrosoftOfficeWord.exe"
Imagebase:	0x400000
File size:	3'567'616 bytes
MD5 hash:	2DB79D70849A29F5C04CDC4EF1E40674
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:42:42
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0xcf0000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.2531358241.0000000009D90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.2530178907.0000000008762000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.2528762930.00000000075C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00403F13 Relevance: 83.0, APIs: 2, Strings: 44, Instructions: 2467COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00403F1D

Strings

r, xrefs: 00408E68
t, xrefs: 0040699D
s, xrefs: 00408854
png, xrefs: 00403F7F
W, xrefs: 00408E84
c, xrefs: 004069AB
], xrefs: 00406159
t, xrefs: 0040696C
i, xrefs: 0040881C
a, xrefs: 00408E6F
c, xrefs: 0040883F
GetModuleHandleExW, xrefs: 00405BDF
e, xrefs: 00408846
d, xrefs: 00408E4C
P, xrefs: 0040882A
E, xrefs: 0040880E
L, xrefs: 00408E53
o, xrefs: 00408E3E
V, xrefs: 00406957
l, xrefs: 00406981
r, xrefs: 00408831
bmp, xrefs: 00403FAB
L, xrefs: 00408E37
t, xrefs: 00408823
LoadLibraryW, xrefs: 00405081
P, xrefs: 00406988
r, xrefs: 00406965
y, xrefs: 00408E7D
jpg, xrefs: 00403F94
r, xrefs: 00408E76
a, xrefs: 0040697A
b, xrefs: 00408E61
i, xrefs: 00408E5A
o, xrefs: 00408838
a, xrefs: 00408E45
gif, xrefs: 00403FC4
e, xrefs: 004069A4
o, xrefs: 00406996
t, xrefs: 004069B2
i, xrefs: 0040695E
u, xrefs: 00406973
s, xrefs: 0040884D
r, xrefs: 0040698F
x, xrefs: 00408815

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3_
String ID: E$GetModuleHandleExW$L$L$LoadLibraryW$P$P$V$W$]$a$a$a$b$bmp$c$c$d$e$e$gif$i$i$i$jpg$l$o$o$o$png$r$r$r$r$r$s$s$t$t$t$t$u$x$y
API String ID: 2427045233-3217341300
Opcode ID: 24c789fa4daecbd349568caf682134c91fe02bd9c879d5a9ec86189862ec8d49
Instruction ID: 8772a5d91f2c69b3084cbf90925906af69786a0451df771bb4d847c438c2977d
Opcode Fuzzy Hash: 24c789fa4daecbd349568caf682134c91fe02bd9c879d5a9ec86189862ec8d49
Instruction Fuzzy Hash: 20D208B4A052A8CBDB24CB18C988BDDBBB1AF45314F1081EAE459BB381D7755F81CF19

Function 00403FE4 Relevance: 95.0, APIs: 1, Strings: 53, Instructions: 503COMMON

Download Yara Rule

Strings

r, xrefs: 00408E68
s, xrefs: 00408854
W, xrefs: 0040479F
L, xrefs: 00404752
H, xrefs: 00404136
i, xrefs: 0040881C
a, xrefs: 00408E6F
e, xrefs: 00404159
d, xrefs: 00408E4C
E, xrefs: 0040880E
L, xrefs: 00408E53
r, xrefs: 00408831
o, xrefs: 00404113
L, xrefs: 00408E37
t, xrefs: 00408823
l, xrefs: 00404152
x, xrefs: 00404167
y, xrefs: 00408E7D
M, xrefs: 0040410C
n, xrefs: 00404144
e, xrefs: 0040412F
d, xrefs: 0040414B
a, xrefs: 00408E45
o, xrefs: 00404759
i, xrefs: 00404775
d, xrefs: 0040411A
u, xrefs: 00404121
l, xrefs: 00404128
L, xrefs: 0040476E
b, xrefs: 0040477C
G, xrefs: 004040F7
W, xrefs: 00408E84
r, xrefs: 00404791
E, xrefs: 00404160
c, xrefs: 0040883F
e, xrefs: 00408846
e, xrefs: 004040FE
P, xrefs: 0040882A
W, xrefs: 0040416E
o, xrefs: 00408E3E
a, xrefs: 0040413D
t, xrefs: 00404105
d, xrefs: 00404767
r, xrefs: 00408E76
b, xrefs: 00408E61
i, xrefs: 00408E5A
a, xrefs: 00404760
y, xrefs: 00404798
o, xrefs: 00408838
r, xrefs: 00404783
a, xrefs: 0040478A
s, xrefs: 0040884D
x, xrefs: 00408815

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID: E$E$G$H$L$L$L$L$M$P$W$W$W$a$a$a$a$a$b$b$c$d$d$d$d$e$e$e$e$i$i$i$l$l$n$o$o$o$o$r$r$r$r$r$s$s$t$t$u$x$x$y$y
API String ID: 0-1389426690
Opcode ID: 6c52c70809327a56088b94180972d0ec2f26b9a01d5ece6e06692af3203bd157
Instruction ID: 736e9a2ff06c9903231fdc911306428f10f64ae89d11f3f6351f21f0fe3a524d
Opcode Fuzzy Hash: 6c52c70809327a56088b94180972d0ec2f26b9a01d5ece6e06692af3203bd157
Instruction Fuzzy Hash: 90D11D64A086E8CBEB21CB24CC487C9BB75AF55704F0450E9914CAB391D7BA4FC4CF2A

Function 00408801 Relevance: 95.0, APIs: 1, Strings: 53, Instructions: 464COMMON

Download Yara Rule

Strings

r, xrefs: 00408E68
s, xrefs: 00408854
W, xrefs: 0040479F
L, xrefs: 00404752
H, xrefs: 00404136
i, xrefs: 0040881C
a, xrefs: 00408E6F
e, xrefs: 00404159
d, xrefs: 00408E4C
E, xrefs: 0040880E
L, xrefs: 00408E53
r, xrefs: 00408831
o, xrefs: 00404113
L, xrefs: 00408E37
t, xrefs: 00408823
l, xrefs: 00404152
x, xrefs: 00404167
y, xrefs: 00408E7D
M, xrefs: 0040410C
n, xrefs: 00404144
e, xrefs: 0040412F
d, xrefs: 0040414B
a, xrefs: 00408E45
o, xrefs: 00404759
i, xrefs: 00404775
d, xrefs: 0040411A
u, xrefs: 00404121
l, xrefs: 00404128
L, xrefs: 0040476E
b, xrefs: 0040477C
G, xrefs: 004040F7
W, xrefs: 00408E84
r, xrefs: 00404791
E, xrefs: 00404160
c, xrefs: 0040883F
e, xrefs: 00408846
e, xrefs: 004040FE
P, xrefs: 0040882A
W, xrefs: 0040416E
o, xrefs: 00408E3E
a, xrefs: 0040413D
t, xrefs: 00404105
d, xrefs: 00404767
r, xrefs: 00408E76
b, xrefs: 00408E61
i, xrefs: 00408E5A
a, xrefs: 00404760
y, xrefs: 00404798
o, xrefs: 00408838
r, xrefs: 00404783
a, xrefs: 0040478A
s, xrefs: 0040884D
x, xrefs: 00408815

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID: E$E$G$H$L$L$L$L$M$P$W$W$W$a$a$a$a$a$b$b$c$d$d$d$d$e$e$e$e$i$i$i$l$l$n$o$o$o$o$r$r$r$r$r$s$s$t$t$u$x$x$y$y
API String ID: 0-1389426690
Opcode ID: 282d2022df174df892bc0fa8082b37abe8beab81664315bf64815537b9bee3b7
Instruction ID: 5a33921d472eb5b1d54932414b158a79c7060a2ea52495a653e6a93cb6c8b944
Opcode Fuzzy Hash: 282d2022df174df892bc0fa8082b37abe8beab81664315bf64815537b9bee3b7
Instruction Fuzzy Hash: 68C1E0749086E8CAEB21CB24CD447D9BAB5AF55708F0441E9914C7B391D7BA4FC4CF2A

Function 004070FD Relevance: 44.6, APIs: 2, Strings: 23, Instructions: 899memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

r, xrefs: 00408E68
y, xrefs: 00408E7D
s, xrefs: 00408854
W, xrefs: 00408E84
r, xrefs: 00408E76
b, xrefs: 00408E61
i, xrefs: 00408E5A
i, xrefs: 0040881C
o, xrefs: 00408838
a, xrefs: 00408E6F
c, xrefs: 0040883F
e, xrefs: 00408846
a, xrefs: 00408E45
d, xrefs: 00408E4C
P, xrefs: 0040882A
E, xrefs: 0040880E
L, xrefs: 00408E53
r, xrefs: 00408831
o, xrefs: 00408E3E
t, xrefs: 00408823
L, xrefs: 00408E37
s, xrefs: 0040884D
x, xrefs: 00408815

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ProtectVirtual
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 544645111-215400123
Opcode ID: 6f1aed589faa056a0852ec4fa35efdb10074c7c864bb1c776dfdcc7162dddfda
Instruction ID: 680e258f425ee6c68fe86b2117ead666fda9975553f3b758cf5b8f653f7fc27b
Opcode Fuzzy Hash: 6f1aed589faa056a0852ec4fa35efdb10074c7c864bb1c776dfdcc7162dddfda
Instruction Fuzzy Hash: E6222BB4E042A98BDB24CB14C984BE9BBB1AF44304F1081E9E548BB781D7755FC1CF59

Function 00408170 Relevance: 44.6, APIs: 2, Strings: 23, Instructions: 849memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

r, xrefs: 00408E68
y, xrefs: 00408E7D
s, xrefs: 00408854
W, xrefs: 00408E84
r, xrefs: 00408E76
b, xrefs: 00408E61
i, xrefs: 00408E5A
i, xrefs: 0040881C
o, xrefs: 00408838
a, xrefs: 00408E6F
c, xrefs: 0040883F
e, xrefs: 00408846
a, xrefs: 00408E45
d, xrefs: 00408E4C
P, xrefs: 0040882A
E, xrefs: 0040880E
L, xrefs: 00408E53
r, xrefs: 00408831
o, xrefs: 00408E3E
t, xrefs: 00408823
L, xrefs: 00408E37
s, xrefs: 0040884D
x, xrefs: 00408815

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ProtectVirtual
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 544645111-215400123
Opcode ID: f7c28a94e09f94054dd5d783e1d24e2702e967a16eb50db53d6b77a3e3e9e812
Instruction ID: 9b5f17017330220ca9fff1c45d645742c72bd43d93c1bf5158f13f9b32c0fa46
Opcode Fuzzy Hash: f7c28a94e09f94054dd5d783e1d24e2702e967a16eb50db53d6b77a3e3e9e812
Instruction Fuzzy Hash: A81205B4A042A88BDB24CB18C984BEDBBB1AF54314F1045EAE459BB381D7795FC1CF19

Function 00406AE2 Relevance: 44.4, APIs: 2, Strings: 23, Instructions: 604COMMON

Download Yara Rule

Strings

r, xrefs: 00408E68
y, xrefs: 00408E7D
s, xrefs: 00408854
W, xrefs: 00408E84
r, xrefs: 00408E76
b, xrefs: 00408E61
i, xrefs: 00408E5A
i, xrefs: 0040881C
o, xrefs: 00408838
a, xrefs: 00408E6F
c, xrefs: 0040883F
e, xrefs: 00408846
a, xrefs: 00408E45
d, xrefs: 00408E4C
P, xrefs: 0040882A
E, xrefs: 0040880E
L, xrefs: 00408E53
r, xrefs: 00408831
o, xrefs: 00408E3E
t, xrefs: 00408823
L, xrefs: 00408E37
s, xrefs: 0040884D
x, xrefs: 00408815

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 0-215400123
Opcode ID: 331e01e38dd0f510206513c9ea5a78eff6aa6bc09356ec22b1eb7b402da7404d
Instruction ID: 2adf2b18feb625bed8cfcb78b62098ecdcb4c0a0e1b3b05bb58cff684be47f1c
Opcode Fuzzy Hash: 331e01e38dd0f510206513c9ea5a78eff6aa6bc09356ec22b1eb7b402da7404d
Instruction Fuzzy Hash: 7CE104B4A042A88BDB25CB24C948BD9BBB1BF54714F1051EAE04DBB381D7794F85CF1A

Function 00407D5A Relevance: 44.1, APIs: 2, Strings: 23, Instructions: 397COMMON

Download Yara Rule

Strings

r, xrefs: 00408E68
y, xrefs: 00408E7D
s, xrefs: 00408854
W, xrefs: 00408E84
r, xrefs: 00408E76
b, xrefs: 00408E61
i, xrefs: 00408E5A
i, xrefs: 0040881C
o, xrefs: 00408838
a, xrefs: 00408E6F
c, xrefs: 0040883F
e, xrefs: 00408846
a, xrefs: 00408E45
d, xrefs: 00408E4C
P, xrefs: 0040882A
E, xrefs: 0040880E
L, xrefs: 00408E53
r, xrefs: 00408831
o, xrefs: 00408E3E
t, xrefs: 00408823
L, xrefs: 00408E37
s, xrefs: 0040884D
x, xrefs: 00408815

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 0-215400123
Opcode ID: 7f62187aef5625279c27ea7d94b2c2c094b0ce3406f1ae28e1879990c4459e22
Instruction ID: 1df6281eaa33ee93b9c615ee13f399540a00456e0d95a1d980fabfb698b6a851
Opcode Fuzzy Hash: 7f62187aef5625279c27ea7d94b2c2c094b0ce3406f1ae28e1879990c4459e22
Instruction Fuzzy Hash: 27A1C3B4A082A88BDB21CB28CD447D9BBB1AF55704F1041E9E14CBB381D7794F85CF5A

Function 00407DAF Relevance: 44.1, APIs: 2, Strings: 23, Instructions: 378COMMONLIBRARYCODE

Download Yara Rule

Strings

r, xrefs: 00408E68
y, xrefs: 00408E7D
s, xrefs: 00408854
W, xrefs: 00408E84
r, xrefs: 00408E76
b, xrefs: 00408E61
i, xrefs: 00408E5A
i, xrefs: 0040881C
o, xrefs: 00408838
a, xrefs: 00408E6F
c, xrefs: 0040883F
e, xrefs: 00408846
a, xrefs: 00408E45
d, xrefs: 00408E4C
P, xrefs: 0040882A
E, xrefs: 0040880E
L, xrefs: 00408E53
r, xrefs: 00408831
o, xrefs: 00408E3E
t, xrefs: 00408823
L, xrefs: 00408E37
s, xrefs: 0040884D
x, xrefs: 00408815

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 0-215400123
Opcode ID: dcdebe5f72c0ccc379f0a9a28b8152a2cbb9d2d85e5b684ba006bc1f1b1b4051
Instruction ID: dd75d956de814c05ae4584f52afdb768220d78640f5e590803b18e4e1626968d
Opcode Fuzzy Hash: dcdebe5f72c0ccc379f0a9a28b8152a2cbb9d2d85e5b684ba006bc1f1b1b4051
Instruction Fuzzy Hash: 3891C2B4A082A88BDB218B28C9487D9BBB1AF55704F1045E9E14CBB381D7794F85CF5A

Function 00407DD2 Relevance: 44.1, APIs: 2, Strings: 23, Instructions: 372COMMONLIBRARYCODE

Download Yara Rule

Strings

r, xrefs: 00408E68
y, xrefs: 00408E7D
s, xrefs: 00408854
W, xrefs: 00408E84
r, xrefs: 00408E76
b, xrefs: 00408E61
i, xrefs: 00408E5A
i, xrefs: 0040881C
o, xrefs: 00408838
a, xrefs: 00408E6F
c, xrefs: 0040883F
e, xrefs: 00408846
a, xrefs: 00408E45
d, xrefs: 00408E4C
P, xrefs: 0040882A
E, xrefs: 0040880E
L, xrefs: 00408E53
r, xrefs: 00408831
o, xrefs: 00408E3E
t, xrefs: 00408823
L, xrefs: 00408E37
s, xrefs: 0040884D
x, xrefs: 00408815

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 0-215400123
Opcode ID: 3ee205ec0df50246e207656a30364f65ceff2ff80cf25e697aceff67b9a198bf
Instruction ID: 0a7123dfe8a5327e98d8b2165b2be4c7d76cd1d813a51559d9bb141b6610bf7c
Opcode Fuzzy Hash: 3ee205ec0df50246e207656a30364f65ceff2ff80cf25e697aceff67b9a198bf
Instruction Fuzzy Hash: 2E91C3B4A082A8CBDB218B28C9447D9BBB1AF55704F1045E9E14CBB381D77A4F85CF5A

Function 00407BAB Relevance: 44.1, APIs: 2, Strings: 23, Instructions: 353COMMON

Download Yara Rule

Strings

r, xrefs: 00408E68
y, xrefs: 00408E7D
s, xrefs: 00408854
W, xrefs: 00408E84
r, xrefs: 00408E76
b, xrefs: 00408E61
i, xrefs: 00408E5A
i, xrefs: 0040881C
o, xrefs: 00408838
a, xrefs: 00408E6F
c, xrefs: 0040883F
e, xrefs: 00408846
a, xrefs: 00408E45
d, xrefs: 00408E4C
P, xrefs: 0040882A
E, xrefs: 0040880E
L, xrefs: 00408E53
r, xrefs: 00408831
o, xrefs: 00408E3E
t, xrefs: 00408823
L, xrefs: 00408E37
s, xrefs: 0040884D
x, xrefs: 00408815

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 0-215400123
Opcode ID: 80adb4852b0960b0d3162291facd05290ea9be920a23199fe1d5f1715aae6800
Instruction ID: 8002ac30c2fbda6335aa2e2110aad2d2e01338a9879cba067224349d9c433c38
Opcode Fuzzy Hash: 80adb4852b0960b0d3162291facd05290ea9be920a23199fe1d5f1715aae6800
Instruction Fuzzy Hash: 2481C6B4A082A8CBDB21CB24CD447D9BBB5AB55704F0045E9A14CAB381C7B94F85CF5A

Function 00407C40 Relevance: 44.1, APIs: 2, Strings: 23, Instructions: 323COMMON

Download Yara Rule

Strings

r, xrefs: 00408E68
y, xrefs: 00408E7D
s, xrefs: 00408854
W, xrefs: 00408E84
r, xrefs: 00408E76
b, xrefs: 00408E61
i, xrefs: 00408E5A
i, xrefs: 0040881C
o, xrefs: 00408838
a, xrefs: 00408E6F
c, xrefs: 0040883F
e, xrefs: 00408846
a, xrefs: 00408E45
d, xrefs: 00408E4C
P, xrefs: 0040882A
E, xrefs: 0040880E
L, xrefs: 00408E53
r, xrefs: 00408831
o, xrefs: 00408E3E
t, xrefs: 00408823
L, xrefs: 00408E37
s, xrefs: 0040884D
x, xrefs: 00408815

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 0-215400123
Opcode ID: e80f974e5b24f2e604f31b36c1f62663b58aceb74e947806e38518b29f20a73d
Instruction ID: 42eea9e0e97cf5b612de837b8b02b13f81132edb7b819d993aa0766d76aa8ddb
Opcode Fuzzy Hash: e80f974e5b24f2e604f31b36c1f62663b58aceb74e947806e38518b29f20a73d
Instruction Fuzzy Hash: 6171C8B49082A8CBEB21CB24CD447D9BAB5AF15704F1045E9E14CBB381C7BA4F85CF5A

Function 00407C9A Relevance: 44.1, APIs: 2, Strings: 23, Instructions: 306
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

r, xrefs: 00408E68
y, xrefs: 00408E7D
s, xrefs: 00408854
W, xrefs: 00408E84
r, xrefs: 00408E76
b, xrefs: 00408E61
i, xrefs: 00408E5A
i, xrefs: 0040881C
o, xrefs: 00408838
a, xrefs: 00408E6F
c, xrefs: 0040883F
e, xrefs: 00408846
a, xrefs: 00408E45
d, xrefs: 00408E4C
P, xrefs: 0040882A
E, xrefs: 0040880E
L, xrefs: 00408E53
r, xrefs: 00408831
o, xrefs: 00408E3E
t, xrefs: 00408823
L, xrefs: 00408E37
s, xrefs: 0040884D
x, xrefs: 00408815

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ProtectVirtual
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 544645111-215400123
Opcode ID: d0b0a7fe9d406b5fe98e0eefc5c2cdd973b16e86ce0152bcd6a534d4b6762cda
Instruction ID: ec2d891c00d131031af488a7aeab7433c2fa4461e8dab624ac9fccc522e3d025
Opcode Fuzzy Hash: d0b0a7fe9d406b5fe98e0eefc5c2cdd973b16e86ce0152bcd6a534d4b6762cda
Instruction Fuzzy Hash: 7871C9B49082A8CBEB21CB24CD447D9BAB5AF15704F1045E9D14CBB381C77A4F85CF1A

Function 004085BD Relevance: 44.0, APIs: 2, Strings: 23, Instructions: 266
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

r, xrefs: 00408E68
y, xrefs: 00408E7D
s, xrefs: 00408854
W, xrefs: 00408E84
r, xrefs: 00408E76
b, xrefs: 00408E61
i, xrefs: 00408E5A
i, xrefs: 0040881C
o, xrefs: 00408838
a, xrefs: 00408E6F
c, xrefs: 0040883F
e, xrefs: 00408846
a, xrefs: 00408E45
d, xrefs: 00408E4C
P, xrefs: 0040882A
E, xrefs: 0040880E
L, xrefs: 00408E53
r, xrefs: 00408831
o, xrefs: 00408E3E
t, xrefs: 00408823
L, xrefs: 00408E37
s, xrefs: 0040884D
x, xrefs: 00408815

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ProtectVirtual
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 544645111-215400123
Opcode ID: cd97989d0c3b1013a5e7116e7ab31a4db66f0d0539c0911fbc3551e6ae52f1fe
Instruction ID: 625d281dfe30ccee287b8e8f0ea624e1b992baa3afb4f701c74c0ff8d4e14b8f
Opcode Fuzzy Hash: cd97989d0c3b1013a5e7116e7ab31a4db66f0d0539c0911fbc3551e6ae52f1fe
Instruction Fuzzy Hash: 1161C8B49082A8CAEB21CB24CD447D9BAB5AF15704F0445E9D14CBB391C7BA4F85CF2A

Function 004080FE Relevance: 44.0, APIs: 2, Strings: 23, Instructions: 262
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

r, xrefs: 00408E68
y, xrefs: 00408E7D
s, xrefs: 00408854
W, xrefs: 00408E84
r, xrefs: 00408E76
b, xrefs: 00408E61
i, xrefs: 00408E5A
i, xrefs: 0040881C
o, xrefs: 00408838
a, xrefs: 00408E6F
c, xrefs: 0040883F
e, xrefs: 00408846
a, xrefs: 00408E45
d, xrefs: 00408E4C
P, xrefs: 0040882A
E, xrefs: 0040880E
L, xrefs: 00408E53
r, xrefs: 00408831
o, xrefs: 00408E3E
t, xrefs: 00408823
L, xrefs: 00408E37
s, xrefs: 0040884D
x, xrefs: 00408815

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ProtectVirtual
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 544645111-215400123
Opcode ID: 26e8d5b9a9d3ffa4bebdb6377f811e48dd6436d8b2e435224c717ff429529648
Instruction ID: 376e2767f3cf7e469c955a49fa83cff2aaf57e068d71da198fb35e287fd87543
Opcode Fuzzy Hash: 26e8d5b9a9d3ffa4bebdb6377f811e48dd6436d8b2e435224c717ff429529648
Instruction Fuzzy Hash: F661DBB49082A8CBEB21CB24CD447D9BAB5AF55704F1445E9914CBB381D7BA4FC4CF2A

Function 00409A07 Relevance: 2.1, APIs: 1, Instructions: 551
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(DEADBEEF), ref: 0040A477

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 72a79fb50813daf9641634454f6812f554216fd05c69cff620f9039262b24773
Instruction ID: c008a3a88fbbd9c5b9f150bc327e9043af79050cbe7d05808c07bc7f694a12f5
Opcode Fuzzy Hash: 72a79fb50813daf9641634454f6812f554216fd05c69cff620f9039262b24773
Instruction Fuzzy Hash: 20D1F7B4A042A88BCB64CF54C984BEDBBB1BB44315F2086EAE459B7751D7349EC1CF09

Function 004097D3 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df21ca10aed49071c5b6b2f28568336d275df7644821752aeb7a37ebf4f4b97c
Instruction ID: 8814cd1c3c061a6c33971eeb85ef7a85a703eda32cd3c751a69f55dd44878a16
Opcode Fuzzy Hash: df21ca10aed49071c5b6b2f28568336d275df7644821752aeb7a37ebf4f4b97c
Instruction Fuzzy Hash: 1801A9F49046A98FCB248B54CD88BDDBBB4BB05305F1442EAD519B7741D7345E85CF09

Function 00409429 Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(DEADBEEF), ref: 0040A477

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 65f52e8dd54f9a268cfcf699dfda5c29f93e292edebcae2cc65d72117e3ed62b
Instruction ID: 83806e5cf736b1ee28465a3577a62dddcaab2ffde1162d51884bde53348236b6
Opcode Fuzzy Hash: 65f52e8dd54f9a268cfcf699dfda5c29f93e292edebcae2cc65d72117e3ed62b
Instruction Fuzzy Hash: 3FF0B2F8A042A88FCB248F14CC88BD9BB74BB04309F0445EAE11AB7381D7349E85CF09

Non-executed Functions

Function 00411F70 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 205
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(00000000,00000002,00000000,00000000), ref: 00411FDA
GetLastError.KERNEL32 ref: 00411FE4
DuplicateTokenEx.ADVAPI32(00000000,02000000,00000000,00000002,00000002,00000000), ref: 00412001
GetLastError.KERNEL32 ref: 0041200B
CloseHandle.KERNEL32(00000000), ref: 00412173
CloseHandle.KERNEL32(00000000), ref: 00412181
FreeSid.ADVAPI32(00000000), ref: 0041218F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0041219C
HeapFree.KERNEL32(00000000), ref: 004121A3
FreeSid.ADVAPI32(?), ref: 004121B1
CloseHandle.KERNEL32(00000000), ref: 004121C3

Strings

, xrefs: 0041214D

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: CloseFreeHandle$ErrorHeapLastProcessToken$DuplicateOpen
String ID:
API String ID: 1790262672-3916222277
Opcode ID: 3f1a59d8f73edaad4b434cf73b553cf54cd56f2ab1023acbd563036531d9d7d6
Instruction ID: a903014ab0d868ded00178ac02ce73e7f8232d77ebbf52772378c1a350528e59
Opcode Fuzzy Hash: 3f1a59d8f73edaad4b434cf73b553cf54cd56f2ab1023acbd563036531d9d7d6
Instruction Fuzzy Hash: 1761D170A40208BBEB14DFA1DD59BEE7B78AB08B01F144125FA01F6290D7B89E558B69

Function 0040D830 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 214memoryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00429070,000007CF,00000000,00000000), ref: 0040D852
SHGetSpecialFolderPathW.SHELL32(00000000,0042A010,0000001A,00000000,00429070,0042906E,00429070,0042906E), ref: 0040D946
GetProcessHeap.KERNEL32(00000000,00000004), ref: 0040D9CD
HeapAlloc.KERNEL32(00000000), ref: 0040D9D4
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000024,00000000), ref: 0040DA19
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040DA38
GetProcessHeap.KERNEL32(00000000,00000026), ref: 0040DA7C
HeapAlloc.KERNEL32(00000000), ref: 0040DA83

Strings

$, xrefs: 0040D9C3
\, xrefs: 0040DA5F

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Heap$AllocFolderPathProcessSpecial$DirectoryFileModuleNameWindows
String ID: $$\
API String ID: 2560937269-1395706711
Opcode ID: c2cb07e2c611a4aaa378541a72539b26cc0aaaf703b57eb2e97274b412ec1d77
Instruction ID: 06cb1b4999db3c3cde009c85b0b3182518ded17d7e086e67de86218526070a2f
Opcode Fuzzy Hash: c2cb07e2c611a4aaa378541a72539b26cc0aaaf703b57eb2e97274b412ec1d77
Instruction Fuzzy Hash: FE713371B002049BDB20AFA8DD45BAA7365EB48704F8445BBE906EB2D0D77C9E49CB4D

Function 00411A50 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,00000000,?), ref: 00411A8F
CoUninitialize.OLE32 ref: 00411ACF

Strings

ROOT\CIMV2, xrefs: 00411B41

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: InitializeUninitialize
String ID: ROOT\CIMV2
API String ID: 3442037557-2786109267
Opcode ID: 7154ad24f0ce045c8ebfdc6c4ce43aeb2f04787b459809e6e5fcd4b27f8df5be
Instruction ID: 6ab19ea00e4a884013ecfa3ee51ab5763124654a81a6a4930a193ff57cc8d813
Opcode Fuzzy Hash: 7154ad24f0ce045c8ebfdc6c4ce43aeb2f04787b459809e6e5fcd4b27f8df5be
Instruction Fuzzy Hash: E451C671B41205ABEB21DF64CC55F9ABBB4EF04744F10415AE909AB3D0DB79AD80CB98

Function 0040F130 Relevance: 6.2, APIs: 4, Instructions: 190COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?), ref: 0040F17E
GetMappedFileNameW.PSAPI(00000000,?,?,?), ref: 0040F185
GetLogicalDriveStringsW.KERNEL32(00000103,?,?,?,?,?,?,?), ref: 0040F1DA
QueryDosDeviceW.KERNEL32(00000FA0,?,00000103,?,?,?,?,?,?), ref: 0040F214

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: CurrentDeviceDriveFileLogicalMappedNameProcessQueryStrings
String ID:
API String ID: 1028133890-0
Opcode ID: 8032052f7ecf8c49a705a95394094d809a3f8ada2613e8f619425ca6245f0eb5
Instruction ID: 48b8bba606bf70ced818c55d0dde4bd3379a05982e34b3b01aafbcf70260f82a
Opcode Fuzzy Hash: 8032052f7ecf8c49a705a95394094d809a3f8ada2613e8f619425ca6245f0eb5
Instruction Fuzzy Hash: 9B51D479A002099BDB249F64DC557EA73B8FF44704F4440BEEC0AE7681EB359E45CB68

Function 004113D0 Relevance: 6.1, APIs: 4, Instructions: 78processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000001C,00000000), ref: 004113F6
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0041142F
Process32NextW.KERNEL32(00000000,0000022C), ref: 00411478
CloseHandle.KERNEL32(00000000), ref: 00411483

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e5b8cd542245b9e5d170e6a0bb264918fa009bff68f2b0f059f730a2013b970c
Instruction ID: ed6ce81f11c814b95676c3b144244a8704dff2a5250c1b87c862d7b63bcea838
Opcode Fuzzy Hash: e5b8cd542245b9e5d170e6a0bb264918fa009bff68f2b0f059f730a2013b970c
Instruction Fuzzy Hash: 0721B735601219ABCB20DF75DC98FEE73B8AF48704F0441AAF90997290DB389E85CA59

Function 00414A32 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00414A3E
IsDebuggerPresent.KERNEL32 ref: 00414B0A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00414B2A
UnhandledExceptionFilter.KERNEL32(?), ref: 00414B34

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: eb54633653b1e7136daff6d8c49d900db8813ee08b08b0927fb5eae355787c96
Instruction ID: e027bf533add66c97cff3441150d370cccecafee1f68af7ea3ec92b8e2f9eeb7
Opcode Fuzzy Hash: eb54633653b1e7136daff6d8c49d900db8813ee08b08b0927fb5eae355787c96
Instruction Fuzzy Hash: A3311A75D4521CDBDB10DFA4D949BCDBBB8BF08704F1041AAE50DA7250EB749A848F49

Function 0040DC50 Relevance: 5.3, APIs: 4, Instructions: 336memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,00000000), ref: 0040DCB6
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DC12,?), ref: 0040DCBD

Part of subcall function 00412BD0: GetCurrentProcess.KERNEL32(?,?), ref: 00412C87
Part of subcall function 00412BD0: IsWow64Process.KERNEL32(00000000), ref: 00412C8E
Part of subcall function 00412BD0: RegGetValueW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,20010002,00000000,?,00000800), ref: 00412CED

Part of subcall function 00412A50: SHGetKnownFolderPath.SHELL32(00419BA0,00000000,00000000,?), ref: 00412B08
Part of subcall function 00412A50: CoTaskMemFree.OLE32(?), ref: 00412B43

GetProcessHeap.KERNEL32(00000000,?), ref: 0040DEE1
HeapFree.KERNEL32(00000000), ref: 0040DEE8

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: HeapProcess$Free$AllocCurrentFolderKnownPathTaskValueWow64
String ID:
API String ID: 296583963-0
Opcode ID: 72626ed7ebf942f3da3b4ff624644a62b2db256d44a538c0bd3af436bd098ac9
Instruction ID: 00c302652f448dc867151c1637c7350e428b9fb300c2f3923f77f2eb57857071
Opcode Fuzzy Hash: 72626ed7ebf942f3da3b4ff624644a62b2db256d44a538c0bd3af436bd098ac9
Instruction Fuzzy Hash: 86C1A071E002169BCF14DFA5D984BEEB7B5AF94304F04813AE812B73D1DB389958CB99

Function 00414851 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00414867

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 85a69eae14f70fac69dded71679b64cec421971be0a92efe753145918f18106b
Instruction ID: 1fa32a7a9fe8101fc44ca39a3572bb05595d9e056a4a196d7830266f7ff49f08
Opcode Fuzzy Hash: 85a69eae14f70fac69dded71679b64cec421971be0a92efe753145918f18106b
Instruction Fuzzy Hash: 4A5128B1E102198FDB28CF65E9856ABBBF4FB88350F54847AD406EB350D378A941CB58

Function 00414BA6 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00414BC0,004144D5), ref: 00414BAB

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 440e09a70d4185e5134bd87ad335f7482d09bb33f6763d4479a60e5079aa7941
Instruction ID: 190a85c4e36117c4851cde842c683295131adae64d9cec044f87a4c0bc670d8d
Opcode Fuzzy Hash: 440e09a70d4185e5134bd87ad335f7482d09bb33f6763d4479a60e5079aa7941
Instruction Fuzzy Hash:

Function 004300A0 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68eadc18075bdc65311dabbbd5e33a507b9c8c5ec6331530920b369572d2fcb4
Instruction ID: 856b991f6e70e0fb9ef2f4d066a2f33dcaea3df2205236e27f0407f8aebd5464
Opcode Fuzzy Hash: 68eadc18075bdc65311dabbbd5e33a507b9c8c5ec6331530920b369572d2fcb4
Instruction Fuzzy Hash: 0E52FE31E00249CECB2CDEBDC6E96DDFFB5AB84350F10E25B9089A7598C7315A469F60

Function 00430BEA Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7c172fee57f1ed6548c406c90953512d452ac45c9f20a0457aeeb3b1aa6324
Instruction ID: 82ae146b6ef45b9bf12d15841689aaa0a6ce40555f9a682480e8bc04d299ba44
Opcode Fuzzy Hash: 3d7c172fee57f1ed6548c406c90953512d452ac45c9f20a0457aeeb3b1aa6324
Instruction Fuzzy Hash: 7A71D231A01219CEDB2CDF78C7E9ADDFF75AB94210F10E19B9089A7598C7316F429E60

Function 004304AC Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54bafcd4f452923c6dd5c3b503312fcff292afa5b617bf38974f011cb8c44b16
Instruction ID: b7484dc350ae4b698d06df24e6f54f8242ce954ef6036649c6e2d9891a72fd00
Opcode Fuzzy Hash: 54bafcd4f452923c6dd5c3b503312fcff292afa5b617bf38974f011cb8c44b16
Instruction Fuzzy Hash: 6A710A32E00209CECB2CDEB9C6E99DDFF76BB94600F10E25F9095A7598C7356A429E50

Function 0040D0B0 Relevance: 73.8, APIs: 30, Strings: 12, Instructions: 308
registrylibraryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDllDirectoryW.KERNEL32(00419D44), ref: 0040D0D1
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 0040D107
VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 0040D113
VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003,?,00000001,00000003), ref: 0040D11F
VerSetConditionMask.KERNEL32(00000000,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D12B
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 0040D13A
GetLastError.KERNEL32(?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D144
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D190
VerSetConditionMask.KERNEL32(00000000,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D19C
VerifyVersionInfoW.KERNEL32(?,00000003,00000000), ref: 0040D1AB
LoadLibraryExW.KERNEL32(cryptnet.dll,00000000,00000800,SOFTWARE\Microsoft\Cryptography\Defaults\Provider,Image Path,SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv,Dll,?,?,00000001,00000001,?,?,00000010,00000003), ref: 0040D1ED
GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D200
OpenProcessToken.ADVAPI32(00000000,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D207
GetTokenInformation.ADVAPI32(0000011C,00000014(TokenIntegrityLevel),?,00000004,?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003), ref: 0040D22B
CloseHandle.KERNEL32(?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D241
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Policies\Zoom\Zoom Meetings\General,00000000,00020019,?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003), ref: 0040D267
RegGetValueW.ADVAPI32(?,00000000,Disable3rdModuleVerify,0000FFFF,00000006,?,?,?,?,00000001,00000001,?,?,00000010,00000003), ref: 0040D2A0
RegCloseKey.ADVAPI32(?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D2AC
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000,?,?,?,00000118), ref: 0040D315
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000118), ref: 0040D376
CreateFileA.KERNEL32(?,10000000,00000003,00000000,00000002,00000080,00000000), ref: 0040D3AB
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000118), ref: 0040D3BC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 0040D3E3
CreateSemaphoreW.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 0040D3FE
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040D411
CreateThread.KERNEL32(00000000,00000000,0040EA50,00429068,00000004,00000000), ref: 0040D43A
ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000118), ref: 0040D454
GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D477
GetProcAddress.KERNEL32(00000000,LdrRegisterDllNotification), ref: 0040D489
GetProcAddress.KERNEL32(00000000,LdrUnregisterDllNotification), ref: 0040D497

Strings

ZoomVDI, xrefs: 0040D33B, 0040D35B
LdrUnregisterDllNotification, xrefs: 0040D48F
Dll, xrefs: 0040D1C3
LdrRegisterDllNotification, xrefs: 0040D483
\appsafecheck.txt, xrefs: 0040D37C
SOFTWARE\Policies\Zoom\Zoom Meetings\General, xrefs: 0040D259
SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv, xrefs: 0040D1C8
Disable3rdModuleVerify, xrefs: 0040D295
ntdll.dll, xrefs: 0040D472
SOFTWARE\Microsoft\Cryptography\Defaults\Provider, xrefs: 0040D1D7
Image Path, xrefs: 0040D1D2
cryptnet.dll, xrefs: 0040D1E8

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ConditionCreateMask$CloseHandle$AddressDirectoryFileInfoOpenProcProcessThreadTokenVerifyVersion$CurrentErrorEventFolderInformationLastLibraryLoadModulePathResumeSemaphoreSpecialValue
String ID: Disable3rdModuleVerify$Dll$Image Path$LdrRegisterDllNotification$LdrUnregisterDllNotification$SOFTWARE\Microsoft\Cryptography\Defaults\Provider$SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv$SOFTWARE\Policies\Zoom\Zoom Meetings\General$ZoomVDI$\appsafecheck.txt$cryptnet.dll$ntdll.dll
API String ID: 695945955-2430632280
Opcode ID: e1f959e6f971e7319ddb763f41403bf31d78c8abb299f65c2b581fd2ccc26623
Instruction ID: e3f8eedf6af3ffbc4967407a62473a63f14479d3ec8d4df312e392e0d987a7e2
Opcode Fuzzy Hash: e1f959e6f971e7319ddb763f41403bf31d78c8abb299f65c2b581fd2ccc26623
Instruction Fuzzy Hash: F1B1B370B40301BBE7209F60DC4AF9B77A8EB44B05F40893AF655E61E0D7B89909CB5E

Function 00412270 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 222
filelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 0041229A
GetPrivateProfileStringW.KERNEL32(ZoomChat,com.zoom.test.disable_crash_handler,00000000,?,00000008,?), ref: 00412309
SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000), ref: 00412340
PathAppendW.SHLWAPI(?,ZoomVDI), ref: 00412357
PathAppendW.SHLWAPI(?,logs), ref: 0041236A
GetCurrentProcessId.KERNEL32 ref: 00412375
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 00412388
GetLastError.KERNEL32 ref: 00412396
ImpersonateLoggedOnUser.ADVAPI32(00000000), ref: 004123C1
GetLastError.KERNEL32 ref: 004123CD
CloseHandle.KERNEL32(?), ref: 004123D7
CreateDirectoryW.KERNEL32(?,00000000), ref: 004123EB
GetTempFileNameW.KERNEL32(?,zoomtest,00000000,?), ref: 0041241F
DeleteFileW.KERNEL32(?), ref: 00412431
RevertToSelf.ADVAPI32 ref: 0041243C
CloseHandle.KERNEL32(00000000), ref: 00412447
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 004124F5
VerSetConditionMask.KERNEL32(00000000), ref: 004124FD
VerSetConditionMask.KERNEL32(00000000), ref: 00412505
VerifyVersionInfoW.KERNEL32(?), ref: 0041253A
GetModuleHandleW.KERNEL32(zCrashReport.dll), ref: 0041257E
GetProcAddress.KERNEL32(00000000,crSetZoomHome), ref: 0041258E

Strings

ZoomVDI, xrefs: 0041234A, 0041259A
com.zoom.test.disable_crash_handler, xrefs: 004122FF
ZoomChat, xrefs: 00412304
crSetZoomHome, xrefs: 00412588
logs, xrefs: 0041235D
zoomtest, xrefs: 00412412
zCrashReport.dll, xrefs: 00412579
yes, xrefs: 0041231A
\Zoom\data\Zoom.us.ini, xrefs: 004122A8

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Path$ConditionHandleMask$AppendCloseErrorFileFolderLastProcessSpecial$AddressCreateCurrentDeleteDirectoryImpersonateInfoLoggedModuleNameOpenPrivateProcProfileRevertSelfStringTempUserVerifyVersion
String ID: ZoomChat$ZoomVDI$\Zoom\data\Zoom.us.ini$com.zoom.test.disable_crash_handler$crSetZoomHome$logs$yes$zCrashReport.dll$zoomtest
API String ID: 1294346636-1563055977
Opcode ID: 6d4db1bb0bed33e30413c97dc72b642164295202b736abbae61969f2f0ffef42
Instruction ID: 12433930e13e6caf05908e59b317de0784475af6ab8e2ec7126003c472830eac
Opcode Fuzzy Hash: 6d4db1bb0bed33e30413c97dc72b642164295202b736abbae61969f2f0ffef42
Instruction Fuzzy Hash: FA81A271645344ABE720DFA0ED09FDB77ECAF84B01F40492AF948D61D0DBB89948CB5A

Function 004125C0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 129
memoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WTHelperProvDataFromStateData.WINTRUST(?,00000000,00000000,00000000,?,?,?,?,?,00412868), ref: 004125CF
WTHelperGetProvSignerFromChain.WINTRUST(00000000,00000000,00000000,00000000,?,?,?,?,?,00412868), ref: 004125F7
WTHelperGetProvCertFromChain.WINTRUST(00000000,00000000,?,?,?,?,?,00412868), ref: 00412618
CertGetNameStringW.CRYPT32(?,00000004,00000000,00000000,00000000,00000000,?,?,?,?,?,00412868), ref: 0041263C
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,00412868), ref: 004126C8
HeapFree.KERNEL32(00000000,?,?,?,?,?,00412868), ref: 004126CF
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,00412868), ref: 00412704
HeapFree.KERNEL32(00000000,?,?,?,?,?,00412868), ref: 0041270B

Strings

Zoom Video Communications, Inc., xrefs: 004126A7
h(A, xrefs: 004126A1

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Heap$FromHelperProv$CertChainDataFreeProcess$NameSignerStateString
String ID: Zoom Video Communications, Inc.$h(A
API String ID: 1193424130-546350467
Opcode ID: f5d44680248929655a779e8b52e6a80615bd4f95dfae2ca292d3e3ad0e7b2e22
Instruction ID: b50a9664b00a001a61916bde13f5431a76f3f421a5cc4ad1fd8f560c47aafd93
Opcode Fuzzy Hash: f5d44680248929655a779e8b52e6a80615bd4f95dfae2ca292d3e3ad0e7b2e22
Instruction Fuzzy Hash: 2241C330A40310BFDB209FA59D88BDFBB78FF48711F1044AAE905E72D0C6B499908A6C

Function 00402820 Relevance: 24.9, APIs: 1, Strings: 13, Instructions: 421
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0040282A

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Part of subcall function 00401B8F: __EH_prolog3_GS.LIBCMT ref: 00401B96

Part of subcall function 00402E6C: __EH_prolog3.LIBCMT ref: 00402E73

Strings

[CDocConvert::HandleIPC_VBSIPCConvertProgressMessage] SendImgConvertProgressMessage strTaskID:, xrefs: 00402C3A
[CDocConvert::HandleIPC_VBSIPCConvertProgressMessage] SendImgConvertFinishMessage strTaskID:, xrefs: 00402DFC
, strEncryptedFilePath:, xrefs: 00402B01, 00402C1A
, strPageImgName:, xrefs: 00402888
, m_nVbsSucessNum:, xrefs: 00402DF7
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 0040286C, 00402914, 00402AE8, 00402C04, 00402D14, 00402DD2
, uPageIndexFinished:, xrefs: 0040288E, 00402C20
[CDocConvertVbsIPCServer::HandleIPC_VBSIPCConvertProgressMessage] m_ipcSender is NULL!, xrefs: 00402934
[CDocConvert::HandleIPC_VBSIPCConvertProgressMessage] EncryptImgFile bEncrypt:, xrefs: 00402B19
[CDocConvertVbsIPCServer::HandleIPC_VBSIPCConvertProgressMessage] strTaskID:, xrefs: 00402893
, strImageFilePath:, xrefs: 00402B06
[CDocConvertVbsIPCServer::HandleIPC_VBSIPCConvertProgressMessage] fn.IsExists is false! strImageFilePath:, xrefs: 00402D34
, m_nPPTSliderShowNum:, xrefs: 00402C35

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3_$H_prolog3ProtectVirtual
String ID: , m_nPPTSliderShowNum:$, m_nVbsSucessNum:$, strEncryptedFilePath:$, strImageFilePath:$, strPageImgName:$, uPageIndexFinished:$[CDocConvert::HandleIPC_VBSIPCConvertProgressMessage] EncryptImgFile bEncrypt:$[CDocConvert::HandleIPC_VBSIPCConvertProgressMessage] SendImgConvertFinishMessage strTaskID:$[CDocConvert::HandleIPC_VBSIPCConvertProgressMessage] SendImgConvertProgressMessage strTaskID:$[CDocConvertVbsIPCServer::HandleIPC_VBSIPCConvertProgressMessage] fn.IsExists is false! strImageFilePath:$[CDocConvertVbsIPCServer::HandleIPC_VBSIPCConvertProgressMessage] m_ipcSender is NULL!$[CDocConvertVbsIPCServer::HandleIPC_VBSIPCConvertProgressMessage] strTaskID:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 2383558652-3366109944
Opcode ID: bd2a8017478969f8550b368d860d8566346eaa83fdf1b42b377f117a52fa0dba
Instruction ID: 7ac1cac9bd74252e321e61f593a8f3a43cd74f212c4c8407b1e11f1666e8ce68
Opcode Fuzzy Hash: bd2a8017478969f8550b368d860d8566346eaa83fdf1b42b377f117a52fa0dba
Instruction Fuzzy Hash: 96F15C31944308ABDB14DB64DD5ABDD7BB4AF08314F1085AEE44AB71E1DF786E84CB18

Function 0040385C Relevance: 24.8, APIs: 4, Strings: 10, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 0040394D
GetLastError.KERNEL32(00419E1C), ref: 00403998
__EH_prolog3_GS.LIBCMT ref: 00403866

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvert::InitPPTApp] already init success, don't need init twice!, xrefs: 00403913
[CDocConvert::::InitPPTApp] m_appPPT.CreateInstance Begin!, xrefs: 00403A35
[CDocConvert::InitPPTApp] Success, xrefs: 00403B4C
[CDocConvert::::InitPPTApp] m_appPPT.CreateInstance End!, xrefs: 00403AD8
[CDocConvert::InitPPTApp] bRet: , xrefs: 00403C49
GetLastError:, xrefs: 0040399F, 00403BB4
[CDocConvert::InitPPTApp] m_appPPT.CreateInstance failed! hr:, xrefs: 00403BBF
[CDocConvert::InitPPTApp], xrefs: 004038A5
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00403889, 004038F0, 00403970, 00403A12, 00403ABB, 00403B2F, 00403B8B, 00403C28
[CDocConvert::InitPPTApp] CoInitialize failed! hr:, xrefs: 004039AA

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ErrorH_prolog3_InitializeLastProtectVirtual
String ID: GetLastError:$[CDocConvert::::InitPPTApp] m_appPPT.CreateInstance Begin!$[CDocConvert::::InitPPTApp] m_appPPT.CreateInstance End!$[CDocConvert::InitPPTApp]$[CDocConvert::InitPPTApp] CoInitialize failed! hr:$[CDocConvert::InitPPTApp] Success$[CDocConvert::InitPPTApp] already init success, don't need init twice!$[CDocConvert::InitPPTApp] bRet: $[CDocConvert::InitPPTApp] m_appPPT.CreateInstance failed! hr:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 81410529-2550331507
Opcode ID: a1d979d50b407f588d9ae7c930a741d1c243bb16bd1f797c0998d9925e67fd5d
Instruction ID: 57b23c03f83f004b13c8609271ebef5c86295075e4918dc55f590b15d17cc4e0
Opcode Fuzzy Hash: a1d979d50b407f588d9ae7c930a741d1c243bb16bd1f797c0998d9925e67fd5d
Instruction Fuzzy Hash: 09B17F71A40304AFDB049FA4EC9ABDD7B74EB08721F20856EF552B61E1DB785E81CA1C

Function 0040E290 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 276
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(004270B0,00000000,00000000,00000000,-00000002,?), ref: 0040E42C
LeaveCriticalSection.KERNEL32(004270B0,?,?), ref: 0040E46E
GetProcessWindowStation.USER32 ref: 0040E50C
GetUserObjectInformationA.USER32(00000000,00000001,?,0000000C,00000000), ref: 0040E534
MessageBoxW.USER32(00000000,00000000,Zoom VDI Workspace,00000134), ref: 0040E56A
GetCurrentProcess.KERNEL32(00000000), ref: 0040E5BC
TerminateProcess.KERNEL32(00000000), ref: 0040E5C3

Strings

from an unknown publisher., xrefs: 0040E394
/, xrefs: 0040E31A
Zoom VDI Workspace, xrefs: 0040E562
Are you sure you want to run this software?, xrefs: 0040E3A0
\, xrefs: 0040E313
is using , xrefs: 0040E37F

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Process$CriticalSection$CurrentEnterInformationLeaveMessageObjectStationTerminateUserWindow
String ID: Are you sure you want to run this software?$ from an unknown publisher.$ is using $/$Zoom VDI Workspace$\
API String ID: 2420998183-416803619
Opcode ID: 2bf8120df42d5ae13eb7732456e3f9a56e850d34b8fa7da0e23844d81cef106c
Instruction ID: 267653b6ebe412005e2447c441a6f636b24535a257520f429c62a23f51abf88a
Opcode Fuzzy Hash: 2bf8120df42d5ae13eb7732456e3f9a56e850d34b8fa7da0e23844d81cef106c
Instruction Fuzzy Hash: 8BB1D131A00209DBCB14DFA5C995BEEB7B1EF44304F14893EE802A72D1DB78AD95CB58

Function 00414227 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0042CA60,00000FA0,?,?,00414205), ref: 00414233
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00414205), ref: 0041423E
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00414205), ref: 0041424F
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00414261
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041426F
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00414205), ref: 00414292
DeleteCriticalSection.KERNEL32(0042CA60,00000007,?,?,00414205), ref: 004142B5
CloseHandle.KERNEL32(00000000,?,?,00414205), ref: 004142C5

Strings

kernel32.dll, xrefs: 0041424A
WakeAllConditionVariable, xrefs: 00414267
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00414239
SleepConditionVariableCS, xrefs: 0041425B

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 7be4f200a74566f98bae5b6bf37b9bf44712cfd1cf6637fc1aae46b7f6747bf0
Instruction ID: eadbdf53527f21697c7c976fa47b2d8f361e7f744fd41d0908bb9d316aa554bb
Opcode Fuzzy Hash: 7be4f200a74566f98bae5b6bf37b9bf44712cfd1cf6637fc1aae46b7f6747bf0
Instruction Fuzzy Hash: 7901D231B807156BDB209B70BD5DBDF3A98AF84B907144472FC01D2290EA788CC08A9D

Function 00411550 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 240memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00411609
SysFreeString.OLEAUT32(-00000001), ref: 0041168E
SysFreeString.OLEAUT32(-00000001), ref: 004116D1
VariantClear.OLEAUT32(00000000), ref: 00411798
VariantClear.OLEAUT32(00000001), ref: 00411807
CoUninitialize.OLE32(?,?,?), ref: 0041183C
_com_issue_error.COMSUPP ref: 00411862

Strings

POWERPNT.exe, xrefs: 004115B9
SELECT * FROM Win32_Process where name='%s', xrefs: 004115BE
ProcessId, xrefs: 0041177C
WQL, xrefs: 0041163C

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: String$ClearFreeVariant$AllocUninitialize_com_issue_error
String ID: POWERPNT.exe$ProcessId$SELECT * FROM Win32_Process where name='%s'$WQL
API String ID: 4015948099-2835684465
Opcode ID: 4cae6ba28725c6cddbb5ed1f9e0ff0da51b4a2f84b92ba040e82ed207b66b41a
Instruction ID: a58cffc29cf6f6dc8c416da25baa1a5b74b5660a5db0f35f5bfc5b23c7ff9db2
Opcode Fuzzy Hash: 4cae6ba28725c6cddbb5ed1f9e0ff0da51b4a2f84b92ba040e82ed207b66b41a
Instruction Fuzzy Hash: EC9191706043019FD310DF24C855F9BB7E8AF88708F14851EF559DB2A0EB79E985CB9A

Function 004035BE Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 191threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004035C8
TerminateThread.KERNEL32(00000000,00000000), ref: 00403737
CloseHandle.KERNEL32(00000000), ref: 00403740

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

TerminateThread.KERNEL32(00000000,00000000), ref: 00403840
CloseHandle.KERNEL32(00000000), ref: 00403849

Strings

CDocConvert CleanThread , xrefs: 00403603
[CDocConvert::CleanThread] m_eventExitDetectThreadRsp.Lock lockRet:, xrefs: 0040379E
[CDocConvert::CleanThread] TerminateThread m_hThreadConvert!, xrefs: 004036FC
[CDocConvert::CleanThread] TerminateThread m_hThreadDetect!, xrefs: 0040380F
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 004035E7, 0040366A, 004036E0, 0040377D, 004037EF
[CDocConvert::CleanThread] m_eventExitConvertThreadRsp.Lock lockRet:, xrefs: 0040368B

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: CloseHandleTerminateThread$H_prolog3ProtectVirtual
String ID: CDocConvert CleanThread $[CDocConvert::CleanThread] TerminateThread m_hThreadConvert!$[CDocConvert::CleanThread] TerminateThread m_hThreadDetect!$[CDocConvert::CleanThread] m_eventExitConvertThreadRsp.Lock lockRet:$[CDocConvert::CleanThread] m_eventExitDetectThreadRsp.Lock lockRet:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 3327035812-490934195
Opcode ID: ee8d1510abf3b5228d5ff3d454226bc46edae28d685278d321626e8e0c5e821f
Instruction ID: c58c28c889137a41e0bcbd66b77d7563fd19abb7d98ff48b9d8d5a56de94fa08
Opcode Fuzzy Hash: ee8d1510abf3b5228d5ff3d454226bc46edae28d685278d321626e8e0c5e821f
Instruction Fuzzy Hash: 6E61A471950700ABD7249F60DC5ABDE7BB4FF08721F244A6EF452A61E1DBB85E80CA0C

Function 0040AB56 Relevance: 17.9, APIs: 2, Strings: 8, Instructions: 377COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0040AC75
__EH_prolog3_GS.LIBCMT ref: 0040AC85

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvertVbsIPCServer::Init] is already inited. UnInit first., xrefs: 0040AD04
[CDocConvertVbsIPCServer::Init] is_good:, xrefs: 0040AFA3
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040ACE5, 0040ADB1, 0040AEDD, 0040AF7A
[CDocConvertVbsIPCServer::Init], xrefs: 0040ACA2
com.zoom.ipc.doccovtvbsapp_, xrefs: 0040AD73
[CDocConvertVbsIPCServer::Init] ipc_server_:, xrefs: 0040AF00
[CDocConvertVbsIPCServer::CDocConvertVbsIPCServer] chanel_name_:, xrefs: 0040ADD1
, start_succ:, xrefs: 0040AF91

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Concurrency::cancel_current_taskH_prolog3_ProtectVirtual
String ID: , start_succ:$[CDocConvertVbsIPCServer::CDocConvertVbsIPCServer] chanel_name_:$[CDocConvertVbsIPCServer::Init]$[CDocConvertVbsIPCServer::Init] ipc_server_:$[CDocConvertVbsIPCServer::Init] is already inited. UnInit first.$[CDocConvertVbsIPCServer::Init] is_good:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp$com.zoom.ipc.doccovtvbsapp_
API String ID: 2490808664-150838044
Opcode ID: 53ac09ad68d1f9039d5a559351e08a01484ee2d6fa628184f6c129e6662fa568
Instruction ID: 149bc477d0c5e852371e299875de303a08aa14c6ab15b4b396115825e528068c
Opcode Fuzzy Hash: 53ac09ad68d1f9039d5a559351e08a01484ee2d6fa628184f6c129e6662fa568
Instruction Fuzzy Hash: 22E1BC71900314ABDB149F64DD9ABDEBBB1FF48304F14806EE40AA72D1DB785E81CB19

Function 0040A48F Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0040A687
GetProcAddress.KERNEL32 ref: 0040A497

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvertIPCAgent::LoadWebService] Error, pfInitModule is NULL!, xrefs: 0040A4DC
zoomus.class.ISBWebServiceAPI, xrefs: 0040A583
[CDocConvertIPCAgent::LoadWebService] Error, pSBWebService is NULL!, xrefs: 0040A5D6
[CDocConvertIPCAgent::LoadWebService] Error, pMQClientWebService is NULL!, xrefs: 0040A554
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertIPCAgent.cpp, xrefs: 0040A4B9, 0040A531, 0040A5B4, 0040A61B, 0040A6B7
[CDocConvertIPCAgent::LoadWebService] bRet is false, will unload!, xrefs: 0040A63B
[CDocConvertIPCAgent::LoadWebService] bRet:, xrefs: 0040A6DC

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: AddressFreeLibraryProcProtectVirtual
String ID: [CDocConvertIPCAgent::LoadWebService] Error, pMQClientWebService is NULL!$[CDocConvertIPCAgent::LoadWebService] Error, pSBWebService is NULL!$[CDocConvertIPCAgent::LoadWebService] Error, pfInitModule is NULL!$[CDocConvertIPCAgent::LoadWebService] bRet is false, will unload!$[CDocConvertIPCAgent::LoadWebService] bRet:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertIPCAgent.cpp$zoomus.class.ISBWebServiceAPI
API String ID: 534670035-2533332826
Opcode ID: 3290f3a2f0dd1c719ba24301017fcf22caaa84da7f66635076d447e772284814
Instruction ID: af3e93a29a9dffe31318a46e62a52793d8324cc7d565a543d3ddef1080db9eef
Opcode Fuzzy Hash: 3290f3a2f0dd1c719ba24301017fcf22caaa84da7f66635076d447e772284814
Instruction Fuzzy Hash: D061CF72A40304ABE7149B64DC5ABEE77B0EF04720F24496EE512F62E1DBB84D81CA0D

Function 00412720 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 138memoryfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000), ref: 0041275C
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,?), ref: 004127F3
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 00412814
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 00412832
GetProcessHeap.KERNEL32(00000000,?), ref: 00412881
HeapFree.KERNEL32(00000000), ref: 00412888
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 0041289F

Strings

4, xrefs: 004127BB

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: TrustVerify$Heap$CreateFileFreeProcess
String ID: 4
API String ID: 844456146-4088798008
Opcode ID: 9e3167213d219f8f1cf1ea40f5b04b6ce5d237ab1975849d844118587953a85b
Instruction ID: 30a4058f0173cd2fa46ea9dbc6a0dfddb02297b452ecc5d162b3dce015d20828
Opcode Fuzzy Hash: 9e3167213d219f8f1cf1ea40f5b04b6ce5d237ab1975849d844118587953a85b
Instruction Fuzzy Hash: A65121B1D002499BDF10DFD9C984BEEBBB8BF48314F108229E815B7290D7B45999CF65

Function 0040A716 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 137libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,TermModule), ref: 0040A7E8
FreeLibrary.KERNEL32(00000000), ref: 0040A874
__EH_prolog3.LIBCMT ref: 0040A720

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvertIPCAgent::UnLoadWebService] Error, m_hModuleWebservice is NULL!, xrefs: 0040A7C0
[CDocConvertIPCAgent::UnLoadWebService], xrefs: 0040A75B
TermModule, xrefs: 0040A7E0
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertIPCAgent.cpp, xrefs: 0040A732, 0040A743, 0040A7A4, 0040A806, 0040A894
[CDocConvertIPCAgent::UnLoadWebService] return CmmTrue!, xrefs: 0040A8B4
[CDocConvertIPCAgent::UnLoadWebService] Error, pfTermModule is NULL!, xrefs: 0040A826

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: AddressFreeH_prolog3LibraryProcProtectVirtual
String ID: TermModule$[CDocConvertIPCAgent::UnLoadWebService]$[CDocConvertIPCAgent::UnLoadWebService] Error, m_hModuleWebservice is NULL!$[CDocConvertIPCAgent::UnLoadWebService] Error, pfTermModule is NULL!$[CDocConvertIPCAgent::UnLoadWebService] return CmmTrue!$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertIPCAgent.cpp
API String ID: 3777936632-3443123305
Opcode ID: ceb88864714ad80e6b653e614704c2039d078bb7c436caedcb3683162fbccc4e
Instruction ID: ba2ad7c8cb7d965e1e82bf5b0aabdcc5086ac0a5988c5af8798d1d52c742b88f
Opcode Fuzzy Hash: ceb88864714ad80e6b653e614704c2039d078bb7c436caedcb3683162fbccc4e
Instruction Fuzzy Hash: 3B41A172940300AFE714AB64DC5ABDE37B0FB04325F20897EE042A61E1DBBC9D91CA1D

Function 004128E0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 118memoryfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000,00429068,?,?), ref: 0041293A
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,?), ref: 004129A5
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 004129C6
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 004129E4
GetProcessHeap.KERNEL32(00000000,?), ref: 004129FE
HeapFree.KERNEL32(00000000), ref: 00412A05
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 00412A1C
CloseHandle.KERNEL32(00000000), ref: 00412A35

Strings

4, xrefs: 00412979

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: TrustVerify$Heap$CloseCreateFileFreeHandleProcess
String ID: 4
API String ID: 2170017040-4088798008
Opcode ID: 8770e014fbd8c3404b5246c69a0cf5acd8f86c54a6182c4c019deb2d28d51030
Instruction ID: 4e2db92958abd06cf54a71d5c530e8a3d2865fa8e82589dd7844bb842cae8d26
Opcode Fuzzy Hash: 8770e014fbd8c3404b5246c69a0cf5acd8f86c54a6182c4c019deb2d28d51030
Instruction Fuzzy Hash: 8C4130B1D00218ABDB10CFD9DD84BDEBBB8EF04324F10422AE825B72D0D7B459458F64

Function 0040C292 Relevance: 15.1, APIs: 10, Instructions: 76windowthreadtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040C29C

Part of subcall function 0040D0B0: SetDllDirectoryW.KERNEL32(00419D44), ref: 0040D0D1
Part of subcall function 0040D0B0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 0040D107
Part of subcall function 0040D0B0: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 0040D113
Part of subcall function 0040D0B0: VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003,?,00000001,00000003), ref: 0040D11F
Part of subcall function 0040D0B0: VerSetConditionMask.KERNEL32(00000000,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D12B
Part of subcall function 0040D0B0: VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 0040D13A
Part of subcall function 0040D0B0: GetLastError.KERNEL32(?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D144
Part of subcall function 0040D0B0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D190
Part of subcall function 0040D0B0: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D19C
Part of subcall function 0040D0B0: VerifyVersionInfoW.KERNEL32(?,00000003,00000000), ref: 0040D1AB
Part of subcall function 0040D0B0: LoadLibraryExW.KERNEL32(cryptnet.dll,00000000,00000800,SOFTWARE\Microsoft\Cryptography\Defaults\Provider,Image Path,SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv,Dll,?,?,00000001,00000001,?,?,00000010,00000003), ref: 0040D1ED
Part of subcall function 0040D0B0: GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D200
Part of subcall function 0040D0B0: OpenProcessToken.ADVAPI32(00000000,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D207

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 0041229A
Part of subcall function 00412270: GetPrivateProfileStringW.KERNEL32(ZoomChat,com.zoom.test.disable_crash_handler,00000000,?,00000008,?), ref: 00412309
Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000), ref: 00412340
Part of subcall function 00412270: PathAppendW.SHLWAPI(?,ZoomVDI), ref: 00412357
Part of subcall function 00412270: PathAppendW.SHLWAPI(?,logs), ref: 0041236A
Part of subcall function 00412270: GetCurrentProcessId.KERNEL32 ref: 00412375
Part of subcall function 00412270: OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 00412388
Part of subcall function 00412270: GetLastError.KERNEL32 ref: 00412396

SetErrorMode.KERNEL32(00000002,?,000001B0), ref: 0040C2BD

Part of subcall function 004121E0: GetModuleHandleW.KERNEL32(zCrashReport.dll,0040C2C8,?,000001B0), ref: 004121E5
Part of subcall function 004121E0: GetProcAddress.KERNEL32(00000000,crSetCrashCallbackW), ref: 004121F5

GetCurrentThreadId.KERNEL32 ref: 0040C31F
SetConsoleCtrlHandler.KERNEL32(Function_0000C1F0,00000001), ref: 0040C331
SetTimer.USER32(00000000,00000001,00000032,Function_0000C280), ref: 0040C340
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040C352
TranslateMessage.USER32(?), ref: 0040C364
DispatchMessageW.USER32(?), ref: 0040C371
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040C381
SetConsoleCtrlHandler.KERNEL32(Function_0000C1F0,00000000), ref: 0040C38D

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ConditionMask$MessagePathProcess$CurrentError$AppendConsoleCtrlFolderHandlerInfoLastOpenSpecialVerifyVersion$AddressDirectoryDispatchH_prolog3_HandleLibraryLoadModeModulePrivateProcProfileStringThreadTimerTokenTranslate
String ID:
API String ID: 3343810788-0
Opcode ID: 8dadc06e9dbc00c87a32a17101f0fe4498e6a079432756071ec74662e6223704
Instruction ID: 0df3743305b4662a0f30d548fb76cd88d12e2cbeb7f902348f3e3a882e6e6513
Opcode Fuzzy Hash: 8dadc06e9dbc00c87a32a17101f0fe4498e6a079432756071ec74662e6223704
Instruction Fuzzy Hash: 332151B1900219DBDB209B61DC98ADE7778BF46705F4086BAF506A21A0D7388E45CF59

Function 0040BA63 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 254COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040BA6D

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Part of subcall function 00401B8F: __EH_prolog3_GS.LIBCMT ref: 00401B96

Strings

[CDocConvertVbsIPCServer::Handle_VBSIPCGetSliderCountMessage] strIPCMessage:, xrefs: 0040BAB4
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040BA97, 0040BB0B, 0040BC60, 0040BD10
, nPageCount:, xrefs: 0040BC8C
[CDocConvertVbsIPCServer::Handle_VBSIPCGetSliderCountMessage] call HandleIPC_VBSIPCConvertProgressMessage., xrefs: 0040BD2D
, nPageShowCount:, xrefs: 0040BC86
[CDocConvertVbsIPCServer::Handle_VBSIPCGetSliderCountMessage] m_MessageHandler is NULL!, xrefs: 0040BB2B
[CDocConvertVbsIPCServer::Handle_VBSIPCGetSliderCountMessage] strTaskID:, xrefs: 0040BC91

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3_$ProtectVirtual
String ID: , nPageCount:$, nPageShowCount:$[CDocConvertVbsIPCServer::Handle_VBSIPCGetSliderCountMessage] call HandleIPC_VBSIPCConvertProgressMessage.$[CDocConvertVbsIPCServer::Handle_VBSIPCGetSliderCountMessage] m_MessageHandler is NULL!$[CDocConvertVbsIPCServer::Handle_VBSIPCGetSliderCountMessage] strIPCMessage:$[CDocConvertVbsIPCServer::Handle_VBSIPCGetSliderCountMessage] strTaskID:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp
API String ID: 624373510-3212152969
Opcode ID: 33cc2ba9570ac06e666546046795ba742bea2b67b153925532d20454076ccba8
Instruction ID: 4651389eddfd64d4942431231ff233d34f5cc01462db626f5184f5cb9502775e
Opcode Fuzzy Hash: 33cc2ba9570ac06e666546046795ba742bea2b67b153925532d20454076ccba8
Instruction Fuzzy Hash: 5A916B32904309ABDB159BA4DC99ADDBBB4EF18311F20802EE406B72D1DF785E85CB5C

Function 0040BD99 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 243COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040BDA3

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Part of subcall function 00401B8F: __EH_prolog3_GS.LIBCMT ref: 00401B96

Strings

, nPageFinishIndex:, xrefs: 0040BFD6
[CDocConvertVbsIPCServer::Handle_VBSIPCConvertProgressMessage] m_MessageHandler is NULL!, xrefs: 0040BE76
[CDocConvertVbsIPCServer::Handle_VBSIPCConvertProgressMessage] strIPCMessage:, xrefs: 0040BDF6
, strImgName:, xrefs: 0040BFC4
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040BDD9, 0040BE56, 0040BFAE, 0040C061
[CDocConvertVbsIPCServer::Handle_VBSIPCConvertProgressMessage] strTaskID:, xrefs: 0040BFDB
[CDocConvertVbsIPCServer::Handle_VBSIPCConvertProgressMessage] call HandleIPC_VBSIPCConvertProgressMessage., xrefs: 0040C07E

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3_$ProtectVirtual
String ID: , nPageFinishIndex:$, strImgName:$[CDocConvertVbsIPCServer::Handle_VBSIPCConvertProgressMessage] call HandleIPC_VBSIPCConvertProgressMessage.$[CDocConvertVbsIPCServer::Handle_VBSIPCConvertProgressMessage] m_MessageHandler is NULL!$[CDocConvertVbsIPCServer::Handle_VBSIPCConvertProgressMessage] strIPCMessage:$[CDocConvertVbsIPCServer::Handle_VBSIPCConvertProgressMessage] strTaskID:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp
API String ID: 624373510-647356355
Opcode ID: 6eb867db84de515e8873a264e4678672b7ceeaedb205744788f40ebcfedc3da4
Instruction ID: 469fe8e027f0674d6574de2f878ccbdcf436e3ac4ee0606df8ab73521b966ea5
Opcode Fuzzy Hash: 6eb867db84de515e8873a264e4678672b7ceeaedb205744788f40ebcfedc3da4
Instruction Fuzzy Hash: 1F918C7190020ADBDB149B64DD9ABDDBBB4EF04314F1080AEE50AB71E1DF385E85CB58

Function 00403C87 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00403C91
CoUninitialize.OLE32 ref: 00403E2C

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

_com_issue_error.COMSUPP ref: 00403E99

Strings

[CDocConvert::ExitPPTApp] m_appPPT->Quit() , xrefs: 00403D72
[CDocConvert::ExitPPTApp] End, xrefs: 00403E62
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00403CB0, 00403D4F, 00403DD8, 00403E42
[CDocConvert::ExitPPTApp] m_bInitApp: , xrefs: 00403CD6
[CDocConvert::ExitPPTApp] m_appPPT->Release() , xrefs: 00403DF4

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectUninitializeVirtual_com_issue_error
String ID: [CDocConvert::ExitPPTApp] End$[CDocConvert::ExitPPTApp] m_appPPT->Quit() $[CDocConvert::ExitPPTApp] m_appPPT->Release() $[CDocConvert::ExitPPTApp] m_bInitApp: $c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 2656218265-3493313017
Opcode ID: 68727294244794ec20b2fcd33cccc9c7da88c9a4e79c3c41485c4c0f148f8f61
Instruction ID: 18cc4debb24305264030b38cec7edcd4e448e4ec5132a04508bf7c38e9d3671c
Opcode Fuzzy Hash: 68727294244794ec20b2fcd33cccc9c7da88c9a4e79c3c41485c4c0f148f8f61
Instruction Fuzzy Hash: C8519A32940714ABDB15DF60EC9ABDE7B74FF08321F24466EE411AA1E1CB785E81CA4C

Function 004030A4 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 132COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004030AE
GetTickCount64.KERNEL32 ref: 004030C1

Strings

[CDocConvert::ConvertDetectTimeout]! strDetectGUID: , xrefs: 00403172
u64CurTicket:, xrefs: 0040315D
> u64Timestamp:, xrefs: 00403152
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00403124
enumDetectFunc: , xrefs: 0040316D
u32TimeoutMS:, xrefs: 00403165

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Count64H_prolog3_Tick
String ID: > u64Timestamp:$ enumDetectFunc: $ u32TimeoutMS:$ u64CurTicket:$[CDocConvert::ConvertDetectTimeout]! strDetectGUID: $c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 2049389690-960057003
Opcode ID: aeb70f4b85a6121d81040206a75301ce84ee70978a23e64459917e3ece7cfb56
Instruction ID: 5c79b996fac3b27d7f1accdab238eb015067ee496fef3d9631b613940f5ef827
Opcode Fuzzy Hash: aeb70f4b85a6121d81040206a75301ce84ee70978a23e64459917e3ece7cfb56
Instruction Fuzzy Hash: 45413B72D04208AFDF05EFE4E8599DDBBB5AF08311F20842EF401B72E1DB7869818B58

Function 0040D500 Relevance: 13.7, APIs: 9, Instructions: 201registrylibraryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?,?,?,?,00000118), ref: 0040D599
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000C7,00000000,00000000,00000000,00000000), ref: 0040D5D6
RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,?), ref: 0040D651
RegGetValueW.ADVAPI32(00000000,00000000,?,0000FFFF,?,?,00000F9E), ref: 0040D6B4
RegCloseKey.ADVAPI32(?), ref: 0040D6C2
PathIsRelativeW.SHLWAPI(?), ref: 0040D706
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 0040D722
RegEnumKeyExW.ADVAPI32(?,00000001,?,?,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,00000118), ref: 0040D766
RegCloseKey.ADVAPI32(?,?,?,?,00000118), ref: 0040D780

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: CloseEnumOpen$LibraryLoadPathRelativeValue
String ID:
API String ID: 1037566479-0
Opcode ID: e0210c049c3d1df363a3a1cebf10b4b002481ffbb24948399b8ebf1762638dab
Instruction ID: 192eedeed3cfc7c9a8b2c8425a5b0a1a089aeacab8846db5a4ff0d926e04e858
Opcode Fuzzy Hash: e0210c049c3d1df363a3a1cebf10b4b002481ffbb24948399b8ebf1762638dab
Instruction Fuzzy Hash: D261B435E00218ABDB349F94CC55FEB7378EB48744F0405AAFA09B7280D775AF89CA58

Function 00413C50 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00411653,00411655,00000000,00000000,?,00000000,00000008,?,00414680,00424798,000000FE,?,00411653,WQL), ref: 00413CD9
MultiByteToWideChar.KERNEL32(00000000,00000000,00411653,?,00000000,00000000,?,00414680,00424798,000000FE,?,00411653), ref: 00413D54
SysAllocString.OLEAUT32(00000000), ref: 00413D5F
_com_issue_error.COMSUPP ref: 00413D88
_com_issue_error.COMSUPP ref: 00413D92
GetLastError.KERNEL32(80070057,?,00000000,00000008,?,00414680,00424798,000000FE,?,00411653,WQL), ref: 00413D97
_com_issue_error.COMSUPP ref: 00413DAA
GetLastError.KERNEL32(00000000,?,00414680,00424798,000000FE,?,00411653,WQL,?,?,?,?,?,?,?,00000000), ref: 00413DC0
_com_issue_error.COMSUPP ref: 00413DD3

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: f41af25578efc29595986d2abd5c4557e3d975c5f5e72a05fad108283b35a71f
Instruction ID: 91591ea8f3ca65aa41be0f87e43bea3bc54f9acd7f89503e693b53a03cfc1328
Opcode Fuzzy Hash: f41af25578efc29595986d2abd5c4557e3d975c5f5e72a05fad108283b35a71f
Instruction Fuzzy Hash: 1C41F672A00219ABCB109F65D845BEFBBA8AB48715F14422FF515E7380D7389A8087E8

Function 0040B7C5 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 193COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040B7CF

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Part of subcall function 00401B8F: __EH_prolog3_GS.LIBCMT ref: 00401B96

Part of subcall function 0040BD99: __EH_prolog3_GS.LIBCMT ref: 0040BDA3

Strings

[CDocConvertVbsIPCServer::Handle_VBSIPCMessage] strVBSIPCInfo:, xrefs: 0040B897, 0040B9AA
, strCmd:, xrefs: 0040B99E
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040B86F, 0040B87E, 0040B8FD, 0040B98C
[CDocConvertVbsIPCServer::Handle_VBSIPCMessage] strVBSIPCInfo find_first_of STR_VBS_IPC_PARAMETER_DIVIDER failed! strVBSIPCInfo:, xrefs: 0040B916
VBSGetSliderCount, xrefs: 0040B9FC
VBSConvertProgress, xrefs: 0040BA1F

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3_$ProtectVirtual
String ID: , strCmd:$VBSConvertProgress$VBSGetSliderCount$[CDocConvertVbsIPCServer::Handle_VBSIPCMessage] strVBSIPCInfo find_first_of STR_VBS_IPC_PARAMETER_DIVIDER failed! strVBSIPCInfo:$[CDocConvertVbsIPCServer::Handle_VBSIPCMessage] strVBSIPCInfo:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp
API String ID: 624373510-2640463817
Opcode ID: 4c79963274a99e6e87e80073ed61d85432a18d6ec956ebc9e7b6fdb969bcb2dc
Instruction ID: 95473a93403c734b4744852b84c608a8a78e287613164ef3d788b91043617ffc
Opcode Fuzzy Hash: 4c79963274a99e6e87e80073ed61d85432a18d6ec956ebc9e7b6fdb969bcb2dc
Instruction Fuzzy Hash: 50716B72A00208AFDB05EB65DC69ADD7B75EF08314F1480AEE506A72E1DF385E85CB5C

Function 00402330 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 199COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040233A

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Part of subcall function 00401B8F: __EH_prolog3_GS.LIBCMT ref: 00401B96

TerminateProcess.KERNEL32(00000000,00000000), ref: 00402569

Strings

[CDocConvert::::HandleIPC_ImgCancelConvertRequest] strTaskID:, xrefs: 00402377
[CDocConvert::HandleIPC_ImgCancelConvertRequest] strTaskID:, xrefs: 00402508
, hProcess:, xrefs: 00402503
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 0040235B, 004024E0

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3H_prolog3_ProcessProtectTerminateVirtual
String ID: , hProcess:$[CDocConvert::::HandleIPC_ImgCancelConvertRequest] strTaskID:$[CDocConvert::HandleIPC_ImgCancelConvertRequest] strTaskID:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 1443114193-3907194096
Opcode ID: 62c1d0d3a1d2aa6c8f8c39956a4fa7234f39c7e915bfc192421f75184da31638
Instruction ID: df8e3d83f7ba511f450b37bb38ee689344465493e2f3a48e0635173aeccd5823
Opcode Fuzzy Hash: 62c1d0d3a1d2aa6c8f8c39956a4fa7234f39c7e915bfc192421f75184da31638
Instruction Fuzzy Hash: 85814B70A00305AFCB04DFA4D999BEEBBB4BF08314F10816EE515A72D1DB78AA45CB59

Function 0040EA70 Relevance: 10.7, APIs: 7, Instructions: 177fileCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 0040EABC
EnterCriticalSection.KERNEL32(?), ref: 0040EAF6
LeaveCriticalSection.KERNEL32(?), ref: 0040EB32
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 0040EB66
WriteFile.KERNEL32(?,?,?,00000000,00000000), ref: 0040EB8D
FlushFileBuffers.KERNEL32(?), ref: 0040EB9C
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0040EC65

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: File$CriticalMultipleObjectsSectionWait$BuffersEnterFlushLeavePointerWrite
String ID:
API String ID: 212290116-0
Opcode ID: 0c28ca6caadaf3cd7fd16936cff9f9c79cba6f6055e8f539de9031ddcb989b14
Instruction ID: e57b76790d50655fa2c6df5fcb4680fefcc05084cd1c1b2089238f56aaf1b74d
Opcode Fuzzy Hash: 0c28ca6caadaf3cd7fd16936cff9f9c79cba6f6055e8f539de9031ddcb989b14
Instruction Fuzzy Hash: CE615A71A00208AFDB14CFA9DD95BEEBBF4FB48310F14453AE916EB290D77469408B54

Function 004020C0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 163COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004020CA

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Part of subcall function 00401B8F: __EH_prolog3_GS.LIBCMT ref: 00401B96

Strings

strImgFolderPath:, xrefs: 00402188
strDocFilePath:, xrefs: 0040218D
[CDocConvert::::HandleIPC_ImgStartConvertRequest] strTaskID:, xrefs: 00402192
strImgFormat:, xrefs: 00402183
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00402160

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3_$ProtectVirtual
String ID: strImgFolderPath:$ strDocFilePath:$ strImgFormat:$[CDocConvert::::HandleIPC_ImgStartConvertRequest] strTaskID:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 624373510-391708754
Opcode ID: b347c1ec5e03e1f920b73b53c7eff73245ed50fb2dbedb36dde4246b0f2a28a8
Instruction ID: 4298c3ca66f6c55349da1e56c2f7dc802e2da2487d28eea6cf766b38ea9a3579
Opcode Fuzzy Hash: b347c1ec5e03e1f920b73b53c7eff73245ed50fb2dbedb36dde4246b0f2a28a8
Instruction Fuzzy Hash: BC61793194021A9FCB24DF64D895BEDB7B1EF48314F1040AEE54AA3291DB74AE85CF08

Function 00403315 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 154sleepCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040331F

Part of subcall function 0040385C: __EH_prolog3_GS.LIBCMT ref: 00403866

Sleep.KERNEL32(00000028), ref: 004034AE

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvert::::ConvertDocThreadFunc] InitPPTApp failed ! exit thread!, xrefs: 004033DC
[CDocConvert::ConvertDocThreadFunc] bInit: , xrefs: 00403364
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00403347, 004033BC, 004034FB
[CDocConvert::::ConvertDocThreadFunc] End! Exit thread!, xrefs: 00403521

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3_$ProtectSleepVirtual
String ID: [CDocConvert::::ConvertDocThreadFunc] End! Exit thread!$[CDocConvert::::ConvertDocThreadFunc] InitPPTApp failed ! exit thread!$[CDocConvert::ConvertDocThreadFunc] bInit: $c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 2544358551-2000447865
Opcode ID: 0cf408eb4a5164c052d667c61260c2e33cb84e120fbb79ec39a0b8052d1349c6
Instruction ID: fc12af958fceb45b22afabc9c8cc1d154353b66f118d34e3f76e0e89f02dc691
Opcode Fuzzy Hash: 0cf408eb4a5164c052d667c61260c2e33cb84e120fbb79ec39a0b8052d1349c6
Instruction Fuzzy Hash: 2D518F31904704AFEB14EF61CC9ABD9BBB5EB04315F1084AEE40AA61E1DB785E84CF19

Function 0040B3BA Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 147COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040B3C4

Part of subcall function 0040B6A9: __EH_prolog3.LIBCMT ref: 0040B6B3

Strings

, message size = , xrefs: 0040B463
[CDocConvertVbsIPCServer::PumpMessage] msg._message is NULL! return!, xrefs: 0040B56C
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040B43D, 0040B4D3, 0040B54B
[CDocConvertVbsIPCServer::PumpMessage] i = , xrefs: 0040B471
[CDocConvertVbsIPCServer::PumpMessage] m_SaftyMessageVector is NULL! return!, xrefs: 0040B4F3

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3
String ID: , message size = $[CDocConvertVbsIPCServer::PumpMessage] i = $[CDocConvertVbsIPCServer::PumpMessage] m_SaftyMessageVector is NULL! return!$[CDocConvertVbsIPCServer::PumpMessage] msg._message is NULL! return!$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp
API String ID: 431132790-2754882026
Opcode ID: 89dec19caac37b4c8b580c3a910641b03a2b4ef723a527013792012bb428126b
Instruction ID: 180f00dd34122d70fab5881e58e1ba8803f1677b7fbebd3ec06e2c8a7cebe460
Opcode Fuzzy Hash: 89dec19caac37b4c8b580c3a910641b03a2b4ef723a527013792012bb428126b
Instruction Fuzzy Hash: 1D51AD71A41304ABDB149BA0DD5ABAD77B0EF44324F64457EE406B62E1CF7C5E818A4C

Function 0040E060 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,004270B0), ref: 0040E0FC
EnterCriticalSection.KERNEL32(?), ref: 0040E165
LeaveCriticalSection.KERNEL32(?,?,?), ref: 0040E199
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 0040E1A9

Strings

loaded by , xrefs: 0040E0C6
didn't pass the verification, error code , xrefs: 0040E128

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveProcessReleaseSemaphore
String ID: didn't pass the verification, error code $ loaded by
API String ID: 61496330-2439791217
Opcode ID: 3c26809dd974048e095aac905a104eef7292435528225e789fd9183ae77c5755
Instruction ID: b52a9aa818815cb245682506643f326b322c2aa792aca06c5a04712bf6ea24bb
Opcode Fuzzy Hash: 3c26809dd974048e095aac905a104eef7292435528225e789fd9183ae77c5755
Instruction Fuzzy Hash: 3D519271A00209EBCB14DB75DC59BEEB7B5FB44304F00867AF41AA7291DB386D94CB98

Function 004026E0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004026EA

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvert::HandleIPC_VBSIPCPageNumberMessage] SendImgStartConvertResponse strTaskID:, xrefs: 004027BE
[CDocConvertVbsIPCServer::HandleIPC_VBSIPCPageNumberMessage] m_ipcSender is NULL!, xrefs: 0040272C
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00402710, 00402790
, m_strImgFolderPath:, xrefs: 004027A9
, uPageShowNumTotal:, xrefs: 004027AF

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectVirtual
String ID: , m_strImgFolderPath:$, uPageShowNumTotal:$[CDocConvert::HandleIPC_VBSIPCPageNumberMessage] SendImgStartConvertResponse strTaskID:$[CDocConvertVbsIPCServer::HandleIPC_VBSIPCPageNumberMessage] m_ipcSender is NULL!$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 1809373692-2569159283
Opcode ID: 52bf61267d8c5c46e6bcbc487db2412ca6a1e92767f63a18dccdb58333a4c9ae
Instruction ID: 0ca3b86902d35b3fc8ab79bdec02e4fe5fcab68b8c9d7db7cc2c30c71c6b3825
Opcode Fuzzy Hash: 52bf61267d8c5c46e6bcbc487db2412ca6a1e92767f63a18dccdb58333a4c9ae
Instruction Fuzzy Hash: 4631AD31A40301AADB14AB64DC5AFEA3765EF48724F24843FF405AB2D2DFB95D82861C

Function 0040B020 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040B02A

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvertVbsIPCServer::UnInit], xrefs: 0040B068
[CDocConvertVbsIPCServer::UnInit] is_inited_ is CmmFalse, don't need UnInit!, xrefs: 0040B0D0
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040B04B, 0040B0B3, 0040B16B
[CDocConvertVbsIPCServer::UnInit] Delete Message:, xrefs: 0040B18D

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectVirtual
String ID: [CDocConvertVbsIPCServer::UnInit]$[CDocConvertVbsIPCServer::UnInit] Delete Message:$[CDocConvertVbsIPCServer::UnInit] is_inited_ is CmmFalse, don't need UnInit!$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp
API String ID: 1809373692-2342135638
Opcode ID: b39599eb63ae4a81e3128a8b4f6e4b531e4c273926c53cb63883c52ee9c3c8a1
Instruction ID: aee573a8e460fd3a8d9e1b5fd3a726836f595948baa831e83ee989bba385e238
Opcode Fuzzy Hash: b39599eb63ae4a81e3128a8b4f6e4b531e4c273926c53cb63883c52ee9c3c8a1
Instruction Fuzzy Hash: 2751AD31A40715ABDB149BA0DC6ABDE7B70FF08721F10456EE511BB2D1CB785A81CB9C

Function 00412BD0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041433A: EnterCriticalSection.KERNEL32(0042CA60,0042D2F0,?,?,0040C122,0042D2F0,?,?,0040B6D2,?,000000B4,0040B3DE,0000016C), ref: 00414345
Part of subcall function 0041433A: LeaveCriticalSection.KERNEL32(0042CA60,?,0040C122,0042D2F0,?,?,0040B6D2,?,000000B4,0040B3DE,0000016C), ref: 00414382

GetCurrentProcess.KERNEL32(?,?), ref: 00412C87
IsWow64Process.KERNEL32(00000000), ref: 00412C8E
RegGetValueW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,20010002,00000000,?,00000800), ref: 00412CED

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00412CE3
ProgramFilesDir, xrefs: 00412CDE

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: CriticalProcessSection$CurrentEnterLeaveValueWow64
String ID: ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 623438262-1909746267
Opcode ID: 8fc0ced0edc39a80b657f3c0fe8d7c359c6e872b154f47451c3c70d2233b6898
Instruction ID: c3a08843d0d200cdbd3d1b2bcfc247f2eb322f66e650b1e7f1c13803f4fdb81c
Opcode Fuzzy Hash: 8fc0ced0edc39a80b657f3c0fe8d7c359c6e872b154f47451c3c70d2233b6898
Instruction Fuzzy Hash: 1641D070E003489ACB20DF54ED46BEA73B8BB04704F54817AE815D7290DBB85986CF9D

Function 00401FB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00401FBA
ExitProcess.KERNEL32 ref: 004020AC

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvert::OnChannelError], ExitProcess!, xrefs: 00402079
[CDocConvert::OnChannelError], xrefs: 00401FF2
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00401FD6, 0040205A

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ExitH_prolog3ProcessProtectVirtual
String ID: [CDocConvert::OnChannelError]$[CDocConvert::OnChannelError], ExitProcess!$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 4229167784-679568407
Opcode ID: e49edd9864abbb3d87022385eb2d413356123a37627d111662b963a51c2ee4bf
Instruction ID: 38f8ae0ac911da3a7bdad0eb44c8cb60196c5a814a9daa41f359f780c9d3694f
Opcode Fuzzy Hash: e49edd9864abbb3d87022385eb2d413356123a37627d111662b963a51c2ee4bf
Instruction Fuzzy Hash: 1B217C31A40700ABD7149BA0DD6ABDD3B70EB48710F20857EF116AA1E1DFB80D80CA1C

Function 0040CE10 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,LdrUnregisterDllNotification), ref: 0040CE49
GetProcAddress.KERNEL32(00000000), ref: 0040CE50

Strings

LdrUnregisterDllNotification, xrefs: 0040CE3F
ntdll.dll, xrefs: 0040CE44

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: LdrUnregisterDllNotification$ntdll.dll
API String ID: 1646373207-237666150
Opcode ID: 081667f065d189619943f997a0d6da2d81fd1828666de2e48ae92a57e87b70f4
Instruction ID: 536fe45db68da839303e439799dd04e2e917962dd37583a1d3a7b1c71cf5fa9c
Opcode Fuzzy Hash: 081667f065d189619943f997a0d6da2d81fd1828666de2e48ae92a57e87b70f4
Instruction Fuzzy Hash: 4C61C271700503ABD70C9B38D9A9BFAF7A6FF44344F144339E419876D1CB7969A48B88

Function 0040B5C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040B5CA

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvertVbsIPCServer::OnMessageReceived] type:, xrefs: 0040B640
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040B603
len:, xrefs: 0040B635

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectVirtual
String ID: len:$[CDocConvertVbsIPCServer::OnMessageReceived] type:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp
API String ID: 1809373692-2074319829
Opcode ID: 7471e48e2191e7f2eaa4730c6ef17b238e8e97372ab509c97a8fa65b74d9358d
Instruction ID: 806908c14e0dff88c04ca793e9a98def4ac357006f8ff3ba3248fcedc08ac92e
Opcode Fuzzy Hash: 7471e48e2191e7f2eaa4730c6ef17b238e8e97372ab509c97a8fa65b74d9358d
Instruction Fuzzy Hash: C6216271A00305ABCB049FA4D855ADD7775FF48320F14856EE859AB2D0CB789D81CB8C

Function 00402FB5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64sleepCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00402FBF

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Sleep.KERNEL32(00000028), ref: 00403089

Strings

[CDocConvert::DetectThreadFunc], xrefs: 00402FF9
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00402FDD

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectSleepVirtual
String ID: [CDocConvert::DetectThreadFunc]$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 4201259014-756957823
Opcode ID: f8e9f0e23968f2bed3d0544a53d068131b256cc9dfe19466c324953f8a7454e9
Instruction ID: 5e14cf88f44ae6e4a5dcb5661d55ffe10a5308fbadb8cd52eea9f61d4dc41f69
Opcode Fuzzy Hash: f8e9f0e23968f2bed3d0544a53d068131b256cc9dfe19466c324953f8a7454e9
Instruction Fuzzy Hash: F4219D30A01305EBDB04DF60CD5ABDCBAB4BB08315F50827EE41AA32E2CB785E45CA18

Function 0040C1F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42threadwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040C1FA
PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0040C26B

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[ConsoleCtrlhandler] CTRL_CLOSE_EVENT, xrefs: 0040C235
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\main.cpp, xrefs: 0040C219

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3MessagePostProtectThreadVirtual
String ID: [ConsoleCtrlhandler] CTRL_CLOSE_EVENT$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\main.cpp
API String ID: 2106445864-3568867012
Opcode ID: 6af0ed5f76dcea0df63856a0bd80fcc9152b90093d9c2031062d343886322e88
Instruction ID: 8af0f1432a38c39ac156a390085beae4290296724a84b2e37cf92d230908f7e1
Opcode Fuzzy Hash: 6af0ed5f76dcea0df63856a0bd80fcc9152b90093d9c2031062d343886322e88
Instruction Fuzzy Hash: 0601AD35A80304AAEB10ABA0CC9BFDA3670FF00705F10457EF501AA1D2CBB81D81CA1C

Function 004025E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004025EA
ExitProcess.KERNEL32 ref: 00402653

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvert::HandleIPC_ImgExitProcessRequest] Recv CSBMBMessage_Doc2ImgExitProcessRequest, ExitProcess!, xrefs: 00402622
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00402606

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ExitH_prolog3ProcessProtectVirtual
String ID: [CDocConvert::HandleIPC_ImgExitProcessRequest] Recv CSBMBMessage_Doc2ImgExitProcessRequest, ExitProcess!$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 4229167784-399022842
Opcode ID: 68303deaeca0f61a469608444ec6b09118350651f39741b9a461f4fb4062dba4
Instruction ID: 558ee970a2adf4e1fc46f8a3af44374caa6ca941988eab47a0cb853e066b6c20
Opcode Fuzzy Hash: 68303deaeca0f61a469608444ec6b09118350651f39741b9a461f4fb4062dba4
Instruction Fuzzy Hash: 2BF04931A80304AAE704AFA4DC6ABDD7670FB04711F10487EF102AA1E1CBB84D80CA1C

Function 004121E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(zCrashReport.dll,0040C2C8,?,000001B0), ref: 004121E5
GetProcAddress.KERNEL32(00000000,crSetCrashCallbackW), ref: 004121F5

Strings

crSetCrashCallbackW, xrefs: 004121EF
zCrashReport.dll, xrefs: 004121E0

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: crSetCrashCallbackW$zCrashReport.dll
API String ID: 1646373207-1811286062
Opcode ID: bb35c2366ebe50ab0f96784bce2b4b31de44ffc2a4ef195703e2f7f4e33b945d
Instruction ID: 788238c6706ea16a2eee1a96d51a96658a6dcae04bbc94478e2843e4b5f40ba0
Opcode Fuzzy Hash: bb35c2366ebe50ab0f96784bce2b4b31de44ffc2a4ef195703e2f7f4e33b945d
Instruction Fuzzy Hash: 52D0123838130225DD1027B26E09FCE26042B40F11F644AA2B831E11D5EBFCC591502D

Function 004111F0 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,?), ref: 00411267
GetLastError.KERNEL32 ref: 00411273

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ErrorLastOpenProcess
String ID:
API String ID: 919517065-0
Opcode ID: 180b963629b25771218858fb9be680c45ebcaf4e685314d94568f095a85c1d83
Instruction ID: df430542db87c27eb6bb0a20753aa050ff356964e4e46c6d4fd600331b1f44f8
Opcode Fuzzy Hash: 180b963629b25771218858fb9be680c45ebcaf4e685314d94568f095a85c1d83
Instruction Fuzzy Hash: E031F871E002099BDB14DFA8DC957EEB7B5EF48304F5442AAE905F7290DB749E80CB94

Function 004142F0 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0042CA60,?,?,0040C13C,0042D2F0,?,?,0040B6D2,?,000000B4,0040B3DE,0000016C), ref: 004142FA
LeaveCriticalSection.KERNEL32(0042CA60,?,0040C13C,0042D2F0,?,?,0040B6D2,?,000000B4,0040B3DE,0000016C), ref: 0041432D
SetEvent.KERNEL32(?,0042D2F0,?,?,0040B6D2,?,000000B4,0040B3DE,0000016C), ref: 004143AE
ResetEvent.KERNEL32(?,0042D2F0,?,?,0040B6D2,?,000000B4,0040B3DE,0000016C), ref: 004143BA

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: 011063dab18d76bc8b03866032b575e26ed5f704ee7c2b09c1e2fe64b6e0426c
Instruction ID: e09fd4ba703b3f4f90ed7c4f0adbe9ef2044be7fde56f23161c9f76c561368eb
Opcode Fuzzy Hash: 011063dab18d76bc8b03866032b575e26ed5f704ee7c2b09c1e2fe64b6e0426c
Instruction Fuzzy Hash: 9001F636B41528EFCB25EF18FC98AD97BA5EB49751B41807AE90297320CB345C029B9C

Function 00410810 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 192COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 004109E7

Strings

m@, xrefs: 00410825
}A, xrefs: 004109F1, 0041090F, 00410956, 004109F4, 004109F5

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: }A$m@
API String ID: 118556049-736616827
Opcode ID: c679fcf57494bb239db96a3548e4c720a31c8a11289dfd5385f4546d284e78a0
Instruction ID: c3dfcaa805bbc8a51e55aaabc3e4a89111bc7eceac5f2a1566f87b27f93fef33
Opcode Fuzzy Hash: c679fcf57494bb239db96a3548e4c720a31c8a11289dfd5385f4546d284e78a0
Instruction Fuzzy Hash: D051C3B2A001099FDB08DF69C991AEEB7F5EF88300F14812AE506D7351D778AD95CB94

Function 00401C8D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00401C97

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvert::CDocConvert], xrefs: 00401DF8
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00401DDB

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectVirtual
String ID: [CDocConvert::CDocConvert]$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 1809373692-1479113695
Opcode ID: d8c234d8f344c7166d2f66105d34b04a422d9a5bfd5bf7b32b886f0fdc852b4e
Instruction ID: a40a2f0a47e0f672c9afa67fb71f5c4737df055ac14e51e82bc3df37677841b0
Opcode Fuzzy Hash: d8c234d8f344c7166d2f66105d34b04a422d9a5bfd5bf7b32b886f0fdc852b4e
Instruction Fuzzy Hash: E85125B0900742EFD704DF25C999789FFF0BF18304F50856ED14AA7292DB78AA94CB99

Function 0040324E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00403258

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvert::CreateConvertThread] bRet: , xrefs: 004032BA
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00403299

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectVirtual
String ID: [CDocConvert::CreateConvertThread] bRet: $c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 1809373692-452567957
Opcode ID: 99adcce184ba34fee4a85432692fe05538fd99e2266a5797d6a7ab14f0574b05
Instruction ID: adf8f5ce9188c4b8668094b64460cc229a608b819f9a05dea54ebcbb5ebed4ec
Opcode Fuzzy Hash: 99adcce184ba34fee4a85432692fe05538fd99e2266a5797d6a7ab14f0574b05
Instruction Fuzzy Hash: D4117971A40315ABDB04AFA4DC56AEE7AA8EB04315F50447EF402B72D1CB785E818AAC

Function 00402EEC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00402EF6

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvert::CreateDetectThread] bRet: , xrefs: 00402F58
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00402F37

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectVirtual
String ID: [CDocConvert::CreateDetectThread] bRet: $c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 1809373692-1270373286
Opcode ID: f36e3a4818fa31f1cf2a13d5cc227d8049b27aa70c011b65117d2f714605032c
Instruction ID: 0d6e37797b63617483badd5a7fd61e6ecb8421c5efb43924a2aa00c28a8240d4
Opcode Fuzzy Hash: f36e3a4818fa31f1cf2a13d5cc227d8049b27aa70c011b65117d2f714605032c
Instruction Fuzzy Hash: B111A9B1A41316ABDB04AF60DD5ABEE76B8EF04311F50447EF402F72D1CAB85D808A6C

Function 0040B217 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040B221

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040B2AE
[CDocConvertVbsIPCServer::CDocConvertVbsIPCServer], xrefs: 0040B2CB

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectVirtual
String ID: [CDocConvertVbsIPCServer::CDocConvertVbsIPCServer]$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp
API String ID: 1809373692-330505927
Opcode ID: 2fd0d4eb773c3e8d501f0b16aa810d208dbfdecc74343adaf8774b261c04853f
Instruction ID: 00befacb907631c9e17a7b3fa5999c24b6eceef9975b5f24643841f7cb668f1b
Opcode Fuzzy Hash: 2fd0d4eb773c3e8d501f0b16aa810d208dbfdecc74343adaf8774b261c04853f
Instruction Fuzzy Hash: 3C1167B0E003109FD7149F65EC5A6A87BB1FB08304FA084BEE005A76A0CBB80991CB0E

Function 0040B6A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040B6B3

Part of subcall function 0040B020: __EH_prolog3.LIBCMT ref: 0040B02A

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040B6F8
[CDocConvertVbsIPCServer::HandleConnectingTimeout] connecting timeout., xrefs: 0040B714

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3$ProtectVirtual
String ID: [CDocConvertVbsIPCServer::HandleConnectingTimeout] connecting timeout.$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp
API String ID: 3007236580-901364601
Opcode ID: e35b6af78b42fc06780ffa3eb587207b71c6ccf129391efccff88d3d12cf072f
Instruction ID: a9d0bb768643340a5ea1168fb03230a697b43f5db5e869853af32c9bcaec17c0
Opcode Fuzzy Hash: e35b6af78b42fc06780ffa3eb587207b71c6ccf129391efccff88d3d12cf072f
Instruction Fuzzy Hash: 4A018871940700AADB28AF61CCA7AEA7260EB44714F50457FE442A76E2DBBC5C81CA5C

Function 00402660 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040266A

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00402686
[CDocConvert::OnIPCServerChannelError], xrefs: 004026A2

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectVirtual
String ID: [CDocConvert::OnIPCServerChannelError]$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 1809373692-3070404389
Opcode ID: 4ca598820c89b7f3b870ffea1a173ab30c14d89fcf2580a0d6d755e8ac5f4b0c
Instruction ID: 35197b002a70b5b2eeeaaf07b04524d3dbd07c7745c84826511f01a8e825cf61
Opcode Fuzzy Hash: 4ca598820c89b7f3b870ffea1a173ab30c14d89fcf2580a0d6d755e8ac5f4b0c
Instruction Fuzzy Hash: 6EF01771980345AAE714AB64DD5BBDD3664EB04714F60487EE401AA2E1CBBC5DC18A1C

Function 00413B86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00401B22: InitializeCriticalSectionEx.KERNEL32(0042CA0C,00000000,00000000,0042C9F8,00413BB5,?,?,?,004019CA), ref: 00401B28
Part of subcall function 00401B22: GetLastError.KERNEL32(?,?,?,004019CA), ref: 00401B32

IsDebuggerPresent.KERNEL32(?,?,?,004019CA), ref: 00413BB9
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,004019CA), ref: 00413BC8

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00413BC3

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 199956a563438f3586a61a4a6f19ccc57f1881164043d3a7314101558bc9cb29
Instruction ID: 8b65f71d81d517f14160c623eaecbed840306f26d5a6cb6b6d2c6e55611105c0
Opcode Fuzzy Hash: 199956a563438f3586a61a4a6f19ccc57f1881164043d3a7314101558bc9cb29
Instruction Fuzzy Hash: 47E065702047108BC3309F25E9143827AE4AF04709F00887FE456D2291E7B8FA84CB59

Function 0040E640 Relevance: 5.1, APIs: 4, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040E679
HeapAlloc.KERNEL32(00000000), ref: 0040E680

Part of subcall function 0040F130: GetCurrentProcess.KERNEL32(?,?,?,?,?,?), ref: 0040F17E
Part of subcall function 0040F130: GetMappedFileNameW.PSAPI(00000000,?,?,?), ref: 0040F185
Part of subcall function 0040F130: GetLogicalDriveStringsW.KERNEL32(00000103,?,?,?,?,?,?,?), ref: 0040F1DA
Part of subcall function 0040F130: QueryDosDeviceW.KERNEL32(00000FA0,?,00000103,?,?,?,?,?,?), ref: 0040F214

GetProcessHeap.KERNEL32(00000000,00000FA0,?,?,00000001), ref: 0040E6E4
HeapFree.KERNEL32(00000000), ref: 0040E6EB

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Heap$Process$AllocCurrentDeviceDriveFileFreeLogicalMappedNameQueryStrings
String ID:
API String ID: 1064646199-0
Opcode ID: 0c5f043bf4b246922cf2179a9f600e16eea6433679b903cdfe6c1f12932328f2
Instruction ID: 2668c3dfdd3c3276348bbd43bb132a3e152f58a801efa895f745a1c07ca89cb8
Opcode Fuzzy Hash: 0c5f043bf4b246922cf2179a9f600e16eea6433679b903cdfe6c1f12932328f2
Instruction Fuzzy Hash: C811D034104301EBCB249F62D884BAB77A8AF44755F40CD2EFD55972E0DBB5A824CB5A

Function 0040D7C0 Relevance: 5.0, APIs: 4, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,0040DAF3), ref: 0040D7E0
HeapFree.KERNEL32(00000000), ref: 0040D7E7
GetProcessHeap.KERNEL32(00000000,?,00000000,0040DAF3), ref: 0040D800
HeapFree.KERNEL32(00000000), ref: 0040D807

Memory Dump Source

Source File: 00000004.00000002.1460616324.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1460562436.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460795421.0000000000419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460825244.000000000042B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460894634.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460925585.000000000042E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460948115.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1460982365.0000000000435000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461029107.0000000000436000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461057031.000000000043A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461097335.0000000000465000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461137088.000000000048A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461220451.000000000051D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461250705.0000000000524000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461391005.000000000060E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000615000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000618000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.0000000000657000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461441854.00000000006DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461772858.00000000006EB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.00000000006EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1461798678.000000000071F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 1c561bf052e99d539f3441f41995ab45b4dfc28fc98b83e691970e21491ed14b
Instruction ID: 5d4cdb0425c937855427814b3bc534e629d3b797dcae5c9850f92b4c5cd28c0b
Opcode Fuzzy Hash: 1c561bf052e99d539f3441f41995ab45b4dfc28fc98b83e691970e21491ed14b
Instruction Fuzzy Hash: 4BF054B57002109BD7349F94EE58BDA7778B75C702F418939EC01935A4CB7C881A875A

Analysis Process: csc.exePID: 5932, Parent PID: 8120COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.3%
Total number of Nodes:	76
Total number of Limit Nodes:	3

Executed Functions

Function 09D1FAC0 Relevance: 1.7, APIs: 1, Instructions: 154
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 09D1FB80

Memory Dump Source

Source File: 00000007.00000002.2531320779.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9d10000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 49f8c8ea48824fe86e49cdd6b4d050ee7053e548f142f2e61e8a1577b1051737
Instruction ID: 592c212b857f1de1b302300d36d716d548315d00b7e8b10b59416b5ab253c116
Opcode Fuzzy Hash: 49f8c8ea48824fe86e49cdd6b4d050ee7053e548f142f2e61e8a1577b1051737
Instruction Fuzzy Hash: 5B518F32A80604EFDB14CF6CE694BA977F3FB88310F248469E106A7A54DB349885DF45

Function 09E7FA78 Relevance: 1.7, APIs: 1, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 09E7FB2A

Memory Dump Source

Source File: 00000007.00000002.2531770340.0000000009E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e70000_csc.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4916cb015012add48b09b4a8590319caec2982a358e028257a9ba638fb85f0be
Instruction ID: 5edd081fd368a8ca785e0be22902af433d446b9805a1801250dc224dd8389aa3
Opcode Fuzzy Hash: 4916cb015012add48b09b4a8590319caec2982a358e028257a9ba638fb85f0be
Instruction Fuzzy Hash: 45518F317045508FC344DB38E6A4F6A37E3EB8C250B1990B9D01ACBB86CE345C09DB59

Function 09E7F188 Relevance: 1.7, APIs: 1, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2531770340.0000000009E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e70000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17b058ff46f081b6669d63bb08e473a35dfc032d6a5884b9079b15ccdcc74cd
Instruction ID: 136d8829475b1e0fef191d36f65eb059af1dd50f46683704445e16e849bf3016
Opcode Fuzzy Hash: f17b058ff46f081b6669d63bb08e473a35dfc032d6a5884b9079b15ccdcc74cd
Instruction Fuzzy Hash: ED5191317445508FC748DB78E6A4FBA33E3EB8C244B5990B9E41ACBB46CE345C08EB59

Function 09E7FA50 Relevance: 1.6, APIs: 1, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 09E7FB2A

Memory Dump Source

Source File: 00000007.00000002.2531770340.0000000009E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e70000_csc.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1dc787081739d6d1ecf788e0ee71058f4899c999e646d8de0c828f8721874646
Instruction ID: 16db2b46a109bb5a3e1962e7d2d2f897ed5a2a6a2a8fb15027b9c50074989626
Opcode Fuzzy Hash: 1dc787081739d6d1ecf788e0ee71058f4899c999e646d8de0c828f8721874646
Instruction Fuzzy Hash: 815180317445508FC344DB78E6A5F7A33E3EB8C250B5990B9D11ACBB46CE345C09EB59

Function 09E7F1D8 Relevance: 1.6, APIs: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2531770340.0000000009E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e70000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8859333019c22e722edd007cd2182ac1322179efb10ae3062479e859a46eb24
Instruction ID: 22d7fb43ad90b16a23db5e909f7f8d5677627554ce10ca7bd56c87d46860bcaf
Opcode Fuzzy Hash: d8859333019c22e722edd007cd2182ac1322179efb10ae3062479e859a46eb24
Instruction Fuzzy Hash: 10518F317445508FC748DB68E6A4F7A37E3EB8C250B1A90BDE11ACBB46CE345C09EB59

Function 09E7FA88 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 09E7FB2A

Memory Dump Source

Source File: 00000007.00000002.2531770340.0000000009E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e70000_csc.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 563a98b951c260a26ed3ff3cffd5e4f9e397ad29d77e3d47f33448e45c5c1e32
Instruction ID: 6c71075723ee67037405573de3a37cca831f573d024bfa34097fe2c5a867c9e6
Opcode Fuzzy Hash: 563a98b951c260a26ed3ff3cffd5e4f9e397ad29d77e3d47f33448e45c5c1e32
Instruction Fuzzy Hash: 06515C317409508FC748DB68E6A5F7A33E7EB8C240B59A079E11BCBB46CE345C09EB59

Function 09E474A1 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62297144de60f574fa82a1d1738ab3bad2762578e978ed5d0c34ef9fc48a144
Instruction ID: 32fb97fad46430eaf2e3abaeff3ff81e1b6442c0e3470dfce34228196924feae
Opcode Fuzzy Hash: f62297144de60f574fa82a1d1738ab3bad2762578e978ed5d0c34ef9fc48a144
Instruction Fuzzy Hash: 6DE11434A00504CFDB04CF18E998FA977F3FB88315F25A0A8E5069B7A5C776AC85CB95

Function 09E44631 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ae4f83e3136d9166e8ad369952be004fdd351675c08d188a0457cd552113f5
Instruction ID: 630e1e306aae494c990ce9178d15726eafbacbc22a6197fa02bf369c0399f188
Opcode Fuzzy Hash: f9ae4f83e3136d9166e8ad369952be004fdd351675c08d188a0457cd552113f5
Instruction Fuzzy Hash: 0FD19B34B00544CFD704CF64E598BAA77F3FB89344F5490A8D1069B7A5EB34AC86DB89

Function 09E474B0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d126ed173c76d5b18912f86ac622f31cf30313c1951aae7e1f822d66a3dbaa7f
Instruction ID: b82c515becd0ec63d1184d72b979d67b7fed9c533cdd7737c8f3345a9af038a1
Opcode Fuzzy Hash: d126ed173c76d5b18912f86ac622f31cf30313c1951aae7e1f822d66a3dbaa7f
Instruction Fuzzy Hash: C3E11434A00504CFDB04CF18E998FA977F3FB88315F25A0A8E5069B7A5C776AC85CB85

Function 09E44640 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23836b9e53bc60f440bfa4e2bd0278fa8dd858aa539fbcef613b7b36ab42d845
Instruction ID: d8bf645bd6c99b1309910d22ddd720a500b598b33c18dee246229b72dc42d20a
Opcode Fuzzy Hash: 23836b9e53bc60f440bfa4e2bd0278fa8dd858aa539fbcef613b7b36ab42d845
Instruction Fuzzy Hash: 57C17934B00544CFD704DF68E658BAA73F3FB89304F549068D1069B7A5EB34AC86DB99

Function 09E478B9 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579931fe165a0e7c0d9e98fb4206b9e9503ad3d63ab2dd72ca33f785b1bfbded
Instruction ID: f1089eb453cc621e20e01367bb343605f45d75d1aec193fcb9a15dd16dc04ca6
Opcode Fuzzy Hash: 579931fe165a0e7c0d9e98fb4206b9e9503ad3d63ab2dd72ca33f785b1bfbded
Instruction Fuzzy Hash: ECC1F234A00504CFD704CF18E598BA977F3FB88315F29A0A8E5069B7A5C77AAC85CF85

Function 09E42D60 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35c3d0277f5988cff24f46581502c75dbcd8ccff3ec72da813a8bdd88ff9ea8
Instruction ID: dab27baecb6bfec031f4a5ee8f9ea34063408c9df4586b4b53ae60234d842c72
Opcode Fuzzy Hash: a35c3d0277f5988cff24f46581502c75dbcd8ccff3ec72da813a8bdd88ff9ea8
Instruction Fuzzy Hash: B7B14D70E00209CFDB14CFA9E9817AEBBF2BF88354F149529E415A7394EB749885CB81

Function 09E42148 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26af3a9554dd37c2cc8af5b37dbfb4d3ae6a01902e6ce0bdddb8962ba8495b0c
Instruction ID: 6a1702b2a6968610308870c0cea399e5d2203031cc7865ce85d37753e4c5b9ad
Opcode Fuzzy Hash: 26af3a9554dd37c2cc8af5b37dbfb4d3ae6a01902e6ce0bdddb8962ba8495b0c
Instruction Fuzzy Hash: 51915C70E002098FDF14CFA9E88579EBBF2BF88314F149129F925AB354DB749885CB95

Function 09E449E1 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 102da83b2c3c8879721304f3fb1325a0256fbfa9b5991638d6c3aae4209340f8
Instruction ID: d65619e01a37d1a0bcadf607c1a061bf6896339834c7a8d0b67e8a743c879f1f
Opcode Fuzzy Hash: 102da83b2c3c8879721304f3fb1325a0256fbfa9b5991638d6c3aae4209340f8
Instruction Fuzzy Hash: F5914934B00644CFD704CF64E588BA9B7F3FB89344F54A068D1069B7A5EB34AC86DB59

Function 09D1FAB0 Relevance: 1.7, APIs: 1, Instructions: 158
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 09D1FB80

Memory Dump Source

Source File: 00000007.00000002.2531320779.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9d10000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2dd8088d3b38c30e85191e06257c7dc267344292ac3334cc60ff1428271265d1
Instruction ID: 28cd67651230a073b6aaf7681f3af60123db837ed9a0c706fe95176b98148771
Opcode Fuzzy Hash: 2dd8088d3b38c30e85191e06257c7dc267344292ac3334cc60ff1428271265d1
Instruction Fuzzy Hash: 0C51B132A80644EFDB14CF6CE6947AD77F3FB89310F248469E005ABA94DB359885DF05

Function 09D1FBB1 Relevance: 1.6, APIs: 1, Instructions: 102
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 09D1FB80

Memory Dump Source

Source File: 00000007.00000002.2531320779.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9d10000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2d7ef973d80774902a4fc2d80601cdfb4c2603752ae186d3680641b88616590d
Instruction ID: 7fdc9f4a649ea17927a45f7fefd7bcb44f85fded2c50b2023f92a6073cb6a173
Opcode Fuzzy Hash: 2d7ef973d80774902a4fc2d80601cdfb4c2603752ae186d3680641b88616590d
Instruction Fuzzy Hash: 2C41A332A84505EFDB14CF2CF6A9B697BB3FB84310F24D469D10297A54DB349885DF05

Function 05A1C858 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05A1C8CC

Memory Dump Source

Source File: 00000007.00000002.2527886975.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5a10000_csc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8ec60ec48660b4e776c2840ae82170bdad11be8fcd3cfe35e0ee4b90b75568d6
Instruction ID: c83499bed8cc1ad7cb109d14a926bf9a0231a6612cd26ae0ff0ce19aba6d6bf7
Opcode Fuzzy Hash: 8ec60ec48660b4e776c2840ae82170bdad11be8fcd3cfe35e0ee4b90b75568d6
Instruction Fuzzy Hash: 3A11E5B1D003099FDB20DFAAC884BDEFBF5EF48220F14842AD419A7250C7759945CFA4

Function 09E452D0 Relevance: 1.4, Strings: 1, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K^, xrefs: 09E45654

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID: K^
API String ID: 0-2070904481
Opcode ID: a12340d48ab5b5be8657dd2854410f75f6a8f9c4d84d432c10adb38d628d66e3
Instruction ID: 3ae3c38fa25a6d4a8f2b7139c639cf8eb89898f097fdcfda4a1138c92967add9
Opcode Fuzzy Hash: a12340d48ab5b5be8657dd2854410f75f6a8f9c4d84d432c10adb38d628d66e3
Instruction Fuzzy Hash: 0F615B34A01208DFDB14DBA4E558BADBBB3EB84700F209528F8066B799DF749D45CF85

Function 05A1CA08 Relevance: 1.3, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 05A1CA6A

Memory Dump Source

Source File: 00000007.00000002.2527886975.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5a10000_csc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d978afc8e5ae0de98b1a15c9e65d8d9c51a28671a4fd3e16905edc52854f71f4
Instruction ID: 24f871bdafb9ebcb27e4e56646109de94c8184e33f540a54699e3c119d4fdcf1
Opcode Fuzzy Hash: d978afc8e5ae0de98b1a15c9e65d8d9c51a28671a4fd3e16905edc52854f71f4
Instruction Fuzzy Hash: 50113AB1D003488FDB24DFAAD4457DEFBF5EF88224F24841AD419A7240C7756944CBA4

Function 09D00078 Relevance: .6, Instructions: 597COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531285013.0000000009D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9d00000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f8bcaea52f5ce0841f08d5bf1ed2a7386fddbcec2af993c9cf111a403ab9df
Instruction ID: 242f517fb8d94c65d13c19065a4ec7137f81cc99f0bc23ec7597d289c2c8ceac
Opcode Fuzzy Hash: a8f8bcaea52f5ce0841f08d5bf1ed2a7386fddbcec2af993c9cf111a403ab9df
Instruction Fuzzy Hash: 15022620FC0310ABCA352A75947D73E25A79BD5BA0B85403AE547D7BC4EE68CC42E792

Function 09D00810 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531285013.0000000009D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9d00000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e2dd45ca284caa69405a7536ab98fcf346f46d2b68d4f49c798fa4b7d0445e
Instruction ID: 2c72df3454ed55a5b3a4dd7e698a106a6231417f754a5645a611d476e5a5556d
Opcode Fuzzy Hash: a5e2dd45ca284caa69405a7536ab98fcf346f46d2b68d4f49c798fa4b7d0445e
Instruction Fuzzy Hash: 23C13E34B81204AB8F296B64E06E77D7AB3FBD5761729842AE807D3780DF398C42D745

Function 09E46328 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e2dd0c3bd3bfd1b2bc52d9dcf6bcbc12327a841f0d0bbc200ae8fcb204d30b
Instruction ID: 4982d74b8d9b593338cd6920a3da518b492167e17f559209634e4782eb443f7a
Opcode Fuzzy Hash: a0e2dd0c3bd3bfd1b2bc52d9dcf6bcbc12327a841f0d0bbc200ae8fcb204d30b
Instruction Fuzzy Hash: 46A188713043506FDB269B78E85066E7BA2EFC6710B1484AAD545CF392DE38DC06C7A1

Function 09E42D55 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3456566962c9148cdd101c1f4a7eb682b6c8e48fa78957ba3dd87fde7a79f8ea
Instruction ID: a47b925ed30eea2703366f5d1ae5173bd11fe55fb0101ae5efbdbd5edb27ce1d
Opcode Fuzzy Hash: 3456566962c9148cdd101c1f4a7eb682b6c8e48fa78957ba3dd87fde7a79f8ea
Instruction Fuzzy Hash: 2BA16D70E00209CFDB10CFA9E98579DBBF2BF48354F14A629E425E7394EB749885CB91

Function 09E4213C Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f890d0fa5381fa17bedef0a545a8768925b4c81e032c4b3c128eade237d06517
Instruction ID: 452072a66a60da00761b72ffc01a88493bfdf2dbfe1d05a89c53d24701b1e467
Opcode Fuzzy Hash: f890d0fa5381fa17bedef0a545a8768925b4c81e032c4b3c128eade237d06517
Instruction Fuzzy Hash: 01914A70E002098FDF10CFA9E88579DBBF2BF88314F149129F925AB354DB749886CB95

Function 09E46970 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac619331794634ef2282654408c3ab03472eaaa0586f5436fa4d67160fdd237d
Instruction ID: b703721d0a1b5d7c75870bb6f807ce3b06cc202ecba97770653fb2a14054bd28
Opcode Fuzzy Hash: ac619331794634ef2282654408c3ab03472eaaa0586f5436fa4d67160fdd237d
Instruction Fuzzy Hash: 7C61E030B00B549FDB24DF28D558A6ABBF6FF89710B148969D48ACB741DB34EC02CB85

Function 09D00CC8 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531285013.0000000009D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9d00000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d486d2bd1c58e8c1f567819da59248fa7871bd7537ac26a840133a1fee6cc77
Instruction ID: 47748f2725446f787a661a3e598f612ef05ebc1b6f34a46ac08ee892cbc963b7
Opcode Fuzzy Hash: 0d486d2bd1c58e8c1f567819da59248fa7871bd7537ac26a840133a1fee6cc77
Instruction Fuzzy Hash: A25183203802415BE3081AD9D4B876BBAFF9BD5701F94803DA246CB6D5DFE5CC4697A1

Function 09E47A20 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec89b7214c3740cfab3aa423856078761ed5703fc69e8de1b10aa58d650ce41
Instruction ID: 896e034e56412e9af3bb41ba342c047e01219d80b27934c207e832ccbd483c41
Opcode Fuzzy Hash: 6ec89b7214c3740cfab3aa423856078761ed5703fc69e8de1b10aa58d650ce41
Instruction Fuzzy Hash: E5418D70B00502CFD714CF15E548BAAB3E3EB84344F18E8A9E41A8B695D73ADE45EBC4

Function 09E45F60 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd00224c2e0509616c4fc489dd969738e58ecfcfda9c4788969e28ad39687989
Instruction ID: 66f7411a4c31fe3f1bd571d938f5519732db03d6b6db0de3c7d28c9f49df9e7a
Opcode Fuzzy Hash: fd00224c2e0509616c4fc489dd969738e58ecfcfda9c4788969e28ad39687989
Instruction Fuzzy Hash: F5419E31A01600CFD714CF65E988BAAB7B3FB88310FA4D168E11A5B795CB75AC46CB45

Function 09E45F70 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bebcbfc958d4951d9f36b5bf92bcab62da152e65b43e6463801190eff5d2ef2
Instruction ID: 69ee8c37722b42364972e3b5a8c49e191052380d62009452b2b888d304b5be26
Opcode Fuzzy Hash: 6bebcbfc958d4951d9f36b5bf92bcab62da152e65b43e6463801190eff5d2ef2
Instruction Fuzzy Hash: FA419D30A00600CFDB14CF65E988BAAB7B3FB89310FA4D178E11A5B795CB75AC45CB45

Function 09E47A10 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf829f4d22f0049e940f3a02f8b072adc1193cb246f37135be5f9c1c23e2288
Instruction ID: 1bed04b977da02aaf86da4ccce6dd37b2f3eaa26f4b5a566d8bf07438b81aac9
Opcode Fuzzy Hash: 7cf829f4d22f0049e940f3a02f8b072adc1193cb246f37135be5f9c1c23e2288
Instruction Fuzzy Hash: 5841B670A00142CFD714CF15E548BAAB7E3EB84304F08E5A9E416CB695E3369E46DFC4

Function 09E452BF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a62c1aff1f056bb50be957506d0101da58049da7b21d8d29a96b28d30c7ba7
Instruction ID: 39bc475e897724e1f974fe20d37c7575d205a8ce740a52b4118604141fca473d
Opcode Fuzzy Hash: 06a62c1aff1f056bb50be957506d0101da58049da7b21d8d29a96b28d30c7ba7
Instruction Fuzzy Hash: D831C230B01308DBDB149A64F1587BEBBA3EB80B00F209129F5079B78DDEB49D469F85

Function 09E4059F Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8347e6a1e896d06c28474ca4db153bcdffed7ff624cac849ff2279cb33940756
Instruction ID: 71576ecedd8d8540f002584da097549a68fc60bbace7a2804a8b83916456936e
Opcode Fuzzy Hash: 8347e6a1e896d06c28474ca4db153bcdffed7ff624cac849ff2279cb33940756
Instruction Fuzzy Hash: D541F2B1D00348DFDB20CFA9D884ADEBBF5EF48314F148029E41AAB254DB75A985CB90

Function 09E45F40 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69deceb4150ff64aa8fdf8812a9e7b02d81f83cc2126818e2eb11eb3534fcd3f
Instruction ID: 3caae9f370c9d2a52277fdac2f8560675c77d8d32fec9819886721096be1128e
Opcode Fuzzy Hash: 69deceb4150ff64aa8fdf8812a9e7b02d81f83cc2126818e2eb11eb3534fcd3f
Instruction Fuzzy Hash: 4431EE31604600CFD720CB60E958B69B7A3FB89315FA4D1A9F11A8B6D5CB75EC85CB06

Function 09E405A8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e61de4098c1b77a14570f6dd2a5d52253bc3395f700f577eacb34e85759ea9f
Instruction ID: 930a82a85f1c6ea3862f5818cb33dc0ffabae03bf329cb471ebc10858388f5ff
Opcode Fuzzy Hash: 1e61de4098c1b77a14570f6dd2a5d52253bc3395f700f577eacb34e85759ea9f
Instruction Fuzzy Hash: FC41E1B1D00349DFDB10DFA9D484ADEBBF5FF48314F148029E81AAB254DB75A985CB90

Function 09E47B67 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd576d18abb5073d2eea5286244b6e6ccb51ea794d4034735dc850a52bb2399
Instruction ID: 9a43b7a87a8559f5a3454e11790de14cd0269cd50979e076c6b8297b5f9cbdc6
Opcode Fuzzy Hash: ebd576d18abb5073d2eea5286244b6e6ccb51ea794d4034735dc850a52bb2399
Instruction Fuzzy Hash: E331A130B04542CFD724CF16E548BB6B3A3EB80344F19E4A9E41A8B696D7369E45EFC4

Function 09E4559D Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42319966580fb2d1734305c5e5f3a52096c487fe050794444d37d04cd7ecba50
Instruction ID: e0e656badddea491fac3bb76ef743637ef83afe74c18dbcedab002a0c3a263ea
Opcode Fuzzy Hash: 42319966580fb2d1734305c5e5f3a52096c487fe050794444d37d04cd7ecba50
Instruction Fuzzy Hash: A4313C34701308CFDB149A64F1587ADB7A3AB84B00F249525E8079B78EDFB89D46DF85

Function 09E454D1 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99283845cfdf5b5f3efe7027c6bbd3d99cd38d00e6744b70c0100cdb5e0e6582
Instruction ID: 7bbd0d560242f0d22a9390175c11337602d313eb5b19072cc7df88ed7c4a1223
Opcode Fuzzy Hash: 99283845cfdf5b5f3efe7027c6bbd3d99cd38d00e6744b70c0100cdb5e0e6582
Instruction Fuzzy Hash: 6F316B34701308CFDB14DA14E2587ADB7A3AB80B00F219524E9069B78EDFB8AD45DF89

Function 09E4545B Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903adef8d178ee48418076cb410e216fa4ab27932592291c8aa7fda460bfebf1
Instruction ID: 4ccfc3e151b9fc9162c3c3d6e8de0cd309eefe5e17099fd70798a9ee7da5ee1a
Opcode Fuzzy Hash: 903adef8d178ee48418076cb410e216fa4ab27932592291c8aa7fda460bfebf1
Instruction Fuzzy Hash: 1A317C34701308CFDB14DA54E158BAEB7A3AB84B00F209124F4069B78EDEB99D46DF85

Function 09E45562 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef46998bc080080d48ab95f159f38ea7becb84fe92753205ed84fe47bdb4cb07
Instruction ID: 71127af3a2ace9e666831d1a131574e1613f75f53e39b8b3db58474c5fc4fad7
Opcode Fuzzy Hash: ef46998bc080080d48ab95f159f38ea7becb84fe92753205ed84fe47bdb4cb07
Instruction Fuzzy Hash: 41314934701308CFDB149A64F1587ADBBA3AB84B00F249528E4079B78EDFB89D46DF85

Function 09E45733 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65aa4f36296fb3c79299b23933cb2eebd46ecb9a9f2d0d66642892a19b6ac509
Instruction ID: 988a84fd30f04c3f99c59acee7ca3b1c2cef7936c58f7ac776cac42cc3d4f0b8
Opcode Fuzzy Hash: 65aa4f36296fb3c79299b23933cb2eebd46ecb9a9f2d0d66642892a19b6ac509
Instruction Fuzzy Hash: 60318C34701308CFD714DA64E1587ADB7A3AB84B00F209124F4069B78EDFB89C46DF49

Function 09E45377 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921f4795cf3323cc4bdc2b547b09033f82af85539849004d54bcb1586f6dd1d5
Instruction ID: 8eecc3d029195a751c70ea79d6901041b57410c2eec024bb983de41be9833a8d
Opcode Fuzzy Hash: 921f4795cf3323cc4bdc2b547b09033f82af85539849004d54bcb1586f6dd1d5
Instruction Fuzzy Hash: A6212E34701308CFDB149A54F1587AEB7A3AB80B00F21A524E5079B78EDFB99D45DF85

Function 09E45535 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1410021bf2ad0dbd139163a181ee9abc968e2fcb5c4257d564a6311a64f9e59
Instruction ID: a34d90e4fb2add9d02fafeef822add68168cc3b711db97d5501145f138a03695
Opcode Fuzzy Hash: e1410021bf2ad0dbd139163a181ee9abc968e2fcb5c4257d564a6311a64f9e59
Instruction Fuzzy Hash: B5213D34701308CFD7149A54F1587AEB7A3AB84B00F249524E5079B78EDFB8AD46DF89

Function 09E453C7 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427a27e3f9af70ee05c4fb8de1d399257ecefbb9242438b94d014246bb062860
Instruction ID: 9dd3d07aee7f1da387bf3ed2a0111d3038cc159a645e6069aaa907b28da34976
Opcode Fuzzy Hash: 427a27e3f9af70ee05c4fb8de1d399257ecefbb9242438b94d014246bb062860
Instruction Fuzzy Hash: 0F214B34701308CBD714DA54E1587ADB7A3AB84B00F259524E4069B78EDFB89D45DF89

Function 09E45602 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caade73bfd116847af58443175de43879acdaa632768604ac0d6e8d3810cb886
Instruction ID: a93208ae332859961d8c8eb4e30e0268327ac2d5ca8eca639b8fb9954f8d0ca3
Opcode Fuzzy Hash: caade73bfd116847af58443175de43879acdaa632768604ac0d6e8d3810cb886
Instruction Fuzzy Hash: AE216030702308CBDB149654F1187BEA7A3AB84B00F25A525F8075B78EDEB89D469F89

Function 09E453A1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0a49f50d7d85879646c13caedbe653e68ad758222baca0190042fd8b059353
Instruction ID: 07436c3fc347d922625ca6220817d3550d713ebf1d3d7d56cc8b22b897b008ba
Opcode Fuzzy Hash: 5c0a49f50d7d85879646c13caedbe653e68ad758222baca0190042fd8b059353
Instruction Fuzzy Hash: 05212834701308CBD7149A54F1587AEB7A3AB84B00F219524E4079B78EDFB8AD4ADF89

Function 09E45781 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059491cab9dc1726937a7ff02f26e0a164511e8f9664035e8059d60cdce2f58f
Instruction ID: b9de053876cf2072085e56c9f0f906bf85aeb1398fabb04087eed1ea1c4a832c
Opcode Fuzzy Hash: 059491cab9dc1726937a7ff02f26e0a164511e8f9664035e8059d60cdce2f58f
Instruction Fuzzy Hash: A5212834701308CBDB149A54F1587AEB7A3AB84B00F219524E4079B78EDFB8AD469F89

Function 09E45434 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54ae14c8390b41f81903bb4b470ef54b3faa55996b2870c272005c32d8c1627d
Instruction ID: f89dc735d71ece975dc7d4eaf1444f07b8d4ea542a2482998a9e977b20339ad2
Opcode Fuzzy Hash: 54ae14c8390b41f81903bb4b470ef54b3faa55996b2870c272005c32d8c1627d
Instruction Fuzzy Hash: BC213B30B01308CFDB14DA54F1587AEB7A3AB84B00F259524E4079B78EDEB89D469F49

Function 09E45491 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e371ec52490239e3e09a5a822a3bfde2c0fb5826465a6383a04df37e0b32f81e
Instruction ID: 818fb18d6e5f2fd90aa08fe4d00a92757718650baf951367491c6965a80277c5
Opcode Fuzzy Hash: e371ec52490239e3e09a5a822a3bfde2c0fb5826465a6383a04df37e0b32f81e
Instruction Fuzzy Hash: A9218030701308CBDB149654F1187AEA7A3AB80B00F209524F8079B78EDFB89D469F85

Function 09E453BD Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ffd33a26fdcb170ee42c8878bd02ed0747580c88ac13040abc4fa64536ce00
Instruction ID: bfe7c909e394a3ffda639563427b7ecb7bce2085a61aeb605219857fae30acfe
Opcode Fuzzy Hash: d0ffd33a26fdcb170ee42c8878bd02ed0747580c88ac13040abc4fa64536ce00
Instruction Fuzzy Hash: AC215E34701308CBDB149A54F1587AEB7A3ABC4B00F219524E5079B78EDFB8AD46DF89

Function 09E455E5 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd8b56a82f161142d982e0ca5cee739030275fb13e6f34bc203d352f9a8dc0b
Instruction ID: fe77132a0c39223d06cc64da491fff4d3b96d1f0e0c728aedf82b7a2c9f1cd43
Opcode Fuzzy Hash: cdd8b56a82f161142d982e0ca5cee739030275fb13e6f34bc203d352f9a8dc0b
Instruction Fuzzy Hash: 44218B34701308CBDB149A50F1187AEB7A3AB84B00F209524E5079B78EDFB8AD469F89

Function 09E4530A Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9180888dcdf89d2ebd7133b7ad52e8a3f410107f3d33a639ef5b8c58e7e49060
Instruction ID: 6ad8e552456b3823f2a1a05b6ba36de772d31873f650d6247a0e04f78a21f8cf
Opcode Fuzzy Hash: 9180888dcdf89d2ebd7133b7ad52e8a3f410107f3d33a639ef5b8c58e7e49060
Instruction Fuzzy Hash: 71216D34701308CFDB149A64F1587AEB7A3AB84B00F209524E5079B78EDFB89D469F89

Function 09E451A8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb594aef208b413d18f3bc145c4f5609e863a77f12561b9cc02b817d2638b598
Instruction ID: 0735ec013c9dc8f8fd8d425e0cf88fa2e34c4994f9f4b7d9c601d3e6792e4649
Opcode Fuzzy Hash: fb594aef208b413d18f3bc145c4f5609e863a77f12561b9cc02b817d2638b598
Instruction Fuzzy Hash: 3E11E1B1B4A3906FCB163774542136D3FA26F86201B1608AFD18ACF282ED3988878385

Function 09E47C90 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bc60ce8766aa8225c2c3e1bc10c30eac6204485ab72119d719634136ec3482
Instruction ID: 456225d7068c7684a3028645289c0f9b7349f77252b9c04dbad6373cfbc82e69
Opcode Fuzzy Hash: 12bc60ce8766aa8225c2c3e1bc10c30eac6204485ab72119d719634136ec3482
Instruction Fuzzy Hash: 6311C170A40105CFCB20DB25E558BAE77F7FB88314F54A479D00A97200E77A9D86DBC4

Function 09E47CA0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b22c2b588cfbe60c3727c3e8a3cfb58bd70132f4a6e20986d0fdea0d474c36
Instruction ID: e01e8c45752b5740ea7c71466ba39f85f9dc1fe0cdb46adc0b4e0a111fdb250e
Opcode Fuzzy Hash: d1b22c2b588cfbe60c3727c3e8a3cfb58bd70132f4a6e20986d0fdea0d474c36
Instruction Fuzzy Hash: 4A11E170A00105CFCB20DB25E558BAE77F3FB88314F54A079D0099B240EB769D45DBC4

Function 09E46282 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3533c74abb080c6a8984da37faef12b14f645680fa9c4aca4710c0e596aa517
Instruction ID: 1d0675a4a164d10062f453560b570793bd9c44dd477e3d564530d78fab82943f
Opcode Fuzzy Hash: b3533c74abb080c6a8984da37faef12b14f645680fa9c4aca4710c0e596aa517
Instruction Fuzzy Hash: 2901AD31A00248ABDB149B64E4599DEBBB6EB89B10F104029E402A7381CF7A4E02CF94

Function 09D0005C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531285013.0000000009D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9d00000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1b2da4ad29a89b68674ff9c399c9717de0141ed50201e0b7fb2d397d27c76d
Instruction ID: 09234e40ccb9119ce5c155f6601bf3a4d04505e6d9fabd23347b1efdf2794875
Opcode Fuzzy Hash: 9a1b2da4ad29a89b68674ff9c399c9717de0141ed50201e0b7fb2d397d27c76d
Instruction Fuzzy Hash: DE014E34B89350AFCB170624E8367753F76AFC627031500A7D445C7A81E6284C4AD7A1

Function 09E43250 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75bd86cdb5d15e570045d5d65ba480776e155a0cde64af1a602620b0a0d0ce4e
Instruction ID: aceed7f1e2cb88ea9900bbccb694ba05fbeb716c772f17e595bc62c5a624fe70
Opcode Fuzzy Hash: 75bd86cdb5d15e570045d5d65ba480776e155a0cde64af1a602620b0a0d0ce4e
Instruction Fuzzy Hash: D501D232A093858FEB429B28DB4676A7FF49F06324F0914DAD8458B153C7391505CB4A

Function 09E451B8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e1c78cad0904246583aea364e28a8f145f13362c28de31e6737ef84cb5b5a40
Instruction ID: 578be710e73a45890e59b8e9a1cd177674b4c4b120d6a27f4687b7f9d5c444fb
Opcode Fuzzy Hash: 4e1c78cad0904246583aea364e28a8f145f13362c28de31e6737ef84cb5b5a40
Instruction Fuzzy Hash: 84F0F6707463606FDB263B38841472E3AD26FC9212B24487DD687CB381EE3ACC8683C4

Function 09E46290 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e17fb1c1950a7f576065a610feab9749d90ed06fc969ac8d56633009b82fe04
Instruction ID: 81eac94204dfb6a5f7760a493912c7dbbb0dfe291b807f29cc60d221b8524fd7
Opcode Fuzzy Hash: 8e17fb1c1950a7f576065a610feab9749d90ed06fc969ac8d56633009b82fe04
Instruction Fuzzy Hash: 57017131A00208EBDF149F64E91DAAEBFB6EB8D711F104429E402A7351CF765D05DF91

Function 07380BA1 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2528524176.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7380000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd92fdda1228c2fdf388fe4189700a4c6660c78df7f146cfbb508d4e6c0e98b7
Instruction ID: 45b0e3ef7e16c7813f525cfa32edfb667592745c915cf4ed1fca096dde0a31ab
Opcode Fuzzy Hash: cd92fdda1228c2fdf388fe4189700a4c6660c78df7f146cfbb508d4e6c0e98b7
Instruction Fuzzy Hash: 28F02172E093106BEB55EFB6A40975EBBA9EB4D314F05C077D44DD7202D638C8458B86

Function 09E45279 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf2ebe333fb28889c644c08004e3fb0d0d10765dd00e97d48775590f8ab4a50
Instruction ID: 82c83cce87272d395c372af7ab28286adea2bd1a06f4b8ba9ddee5b1e8ac30a0
Opcode Fuzzy Hash: 9cf2ebe333fb28889c644c08004e3fb0d0d10765dd00e97d48775590f8ab4a50
Instruction Fuzzy Hash: 7CF027313043515FD7169F6DF514F9A7BAAAB86624F0000ABF204CB192CF69EC4AC7E9

Function 09E44340 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f787fde19366acf2d9ce6df7bb8bc606bd293223efc8d05d4829c655b856360
Instruction ID: 48978f8598e872c8db2df7d0b90756763a0b7138eee860e54451ae05da6e9a45
Opcode Fuzzy Hash: 2f787fde19366acf2d9ce6df7bb8bc606bd293223efc8d05d4829c655b856360
Instruction Fuzzy Hash: 62F06271B405189FCB04EAACE848ADD77E2FF89714F110464D105AB361DB35AD168B95

Function 07380BB0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2528524176.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7380000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b951f61c0cee9462eca5b9c569d9c82bc67a741d7557aaa1d64fe1456c3e71a0
Instruction ID: 5c80d775d8d45fdfa848b9012f4e378cf3930fdbe8c767fc6fc8288c3e8b8a51
Opcode Fuzzy Hash: b951f61c0cee9462eca5b9c569d9c82bc67a741d7557aaa1d64fe1456c3e71a0
Instruction Fuzzy Hash: 6FF0E972E0522067EB59DFAAA40975EB7A9EB89710F01C076D80DD3202D634C8058A81

Function 09E44350 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d2874522d299b28dd18bbaa0024605129cd033b7ef18846476dca7afb97f59
Instruction ID: 54cc497435136aa0ed746553af7b2d684e4de1bdf827ee2bf9eefaae50a1edd8
Opcode Fuzzy Hash: 92d2874522d299b28dd18bbaa0024605129cd033b7ef18846476dca7afb97f59
Instruction Fuzzy Hash: FFF05E317005189FCF00EAACE918ADE7BE6EF89701F500464D105AB3A1DB75AD158B95

Function 09E457A0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11de9ff65c003a30851c927de98256e3428390591eafe5fa83b65ec4e8904cdd
Instruction ID: 14d7972436aaaaf89a8bf3f095fe17d648af3c1ce665a10f0abef34ba1157b61
Opcode Fuzzy Hash: 11de9ff65c003a30851c927de98256e3428390591eafe5fa83b65ec4e8904cdd
Instruction Fuzzy Hash: 07E09A38A01004CFEB44CA16FE48BA8B363FBC4319F14E071F50682945CF345E6ADE09

Function 07385DFD Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2528524176.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7380000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ffda3afa39f2ad530097257fe4057e440db834132640c349f9f2e40225446f4
Instruction ID: f1c166e3ebf5f2dec09a6388a2e87ff36e54e40dec44f0dee3607665818de465
Opcode Fuzzy Hash: 8ffda3afa39f2ad530097257fe4057e440db834132640c349f9f2e40225446f4
Instruction Fuzzy Hash: CBF0F8B4A45658CFC760CF28C948A88BBF1BF4A314F1981D9D54E9B761D730AD41CF40

Function 073841E2 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2528524176.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7380000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a932875aabba0c9f11d90c4528567d2ef940e1f7f1e19674448520ee591f889
Instruction ID: d8fb9f6f96de79e05a4ceb3d8ca6d1a40279b77a34da15b27929c164d0f99d73
Opcode Fuzzy Hash: 7a932875aabba0c9f11d90c4528567d2ef940e1f7f1e19674448520ee591f889
Instruction Fuzzy Hash: AFF0F2B4A04258CFC750CF28CA54A88BBB1FF4A309F1505D8E54EAB721C770AE80CF40

Function 09E45288 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd9df815de608327934913544bc0b75755c683bc6b547d7a1e18a91c5ab96330
Instruction ID: 62f0ee309f170fe0872d526c9a0b3b186e194a71eba63547b7bdace3c4fc06d7
Opcode Fuzzy Hash: bd9df815de608327934913544bc0b75755c683bc6b547d7a1e18a91c5ab96330
Instruction Fuzzy Hash: ADD02B313003044BC715AE2EE608F4A739FEBC5610F400036E1188B200CFB4DC49CBE9

Function 09E43260 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d8ed24f537032915aa05466b254ed82dc1323ff91030a5dd722932720ba6d
Instruction ID: 9cf2f97010b9146fa6f94c1b21b62fde914950ff3ca458454b9065eb8f55841b
Opcode Fuzzy Hash: 779d8ed24f537032915aa05466b254ed82dc1323ff91030a5dd722932720ba6d
Instruction Fuzzy Hash: EFE08C31A00149DFCB00DE99DA08BEBB3F5EB88312F005075E91597240D778691ADF8A

Function 07380CB9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2528524176.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7380000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9f9f7245a34e44c1bae6928c22fe8253acb01bac633818c9dd67563abeef48
Instruction ID: 25ee086a5d776dc0e3c21cdb7e7a0d2169ae22bfa06d325259b12a98315ab1f0
Opcode Fuzzy Hash: 1c9f9f7245a34e44c1bae6928c22fe8253acb01bac633818c9dd67563abeef48
Instruction Fuzzy Hash: 80E086F1E01315EFFB58AF98D88C6583B74BB45701F41046CD94B9B602C734D80A9E45

Function 09E43925 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545631547af74ea9cbd7e6d46873d89d6a18d81f2f00025ebdb191c20635ae31
Instruction ID: 84a05ae59e7177d9f9772af9a0b028e71eed16342659ab6c13342bf77ad23428
Opcode Fuzzy Hash: 545631547af74ea9cbd7e6d46873d89d6a18d81f2f00025ebdb191c20635ae31
Instruction Fuzzy Hash: 73E01A306004109FC708DF28E6A4BA533E2EB48344F1961A990069BA92CB245C08DB99

Function 09E46251 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476a82636d258b30f0cad7aeef824dd563c08ff085e7a77364ca91fd3a1ea963
Instruction ID: a21a7460a95556e31e45881382a43dd09a179209ebc526839d98146923dba5ed
Opcode Fuzzy Hash: 476a82636d258b30f0cad7aeef824dd563c08ff085e7a77364ca91fd3a1ea963
Instruction Fuzzy Hash: 61D017A560A3C26FD30786347420A923F32ABA7514F6A819AE0504E193DA190E97C319

Function 09E44528 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92208858757be20df1ec6d87c876dff2b3a19a31c81f845cadedcc1a02f54d40
Instruction ID: f7b6d9f51c6553f53fdaeb580b920b5c6b1019d03eb7689b144eff6099811221
Opcode Fuzzy Hash: 92208858757be20df1ec6d87c876dff2b3a19a31c81f845cadedcc1a02f54d40
Instruction Fuzzy Hash: 47D01235E0410D97CF00D599D9056EFB3B8D784311F404471DA1567280FB39AA264A92

Function 09E46698 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2531602059.0000000009E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9e40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b10124155699d4aa1f84f3b1a074058c4bf78fefe7466e4f7e1f53ceda60ca
Instruction ID: 5d3d95b76b6935538dd41a7879d897c901ce76e1a95b47f5a7b582e144fa0a97
Opcode Fuzzy Hash: f0b10124155699d4aa1f84f3b1a074058c4bf78fefe7466e4f7e1f53ceda60ca
Instruction Fuzzy Hash: 32D09EB6519380AFC7169B20D4A0850BB71EF7A204B19C4DAD4488A152D6369E57D716

Function 07381995 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2528524176.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7380000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8082ecb012b451d4aec9c5f106f7eaff6c7d7b39fe5167478fb8168520ce2ad
Instruction ID: cd7a00f1ad93b42953bc0d6bd893ed9b8a250ffa921037f8704aae1d2552134a
Opcode Fuzzy Hash: d8082ecb012b451d4aec9c5f106f7eaff6c7d7b39fe5167478fb8168520ce2ad
Instruction Fuzzy Hash: 41B012B146C10EC7F2485B25D80E3C1FE26BB00301F0D43B28C0FC5922C735CC868640

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MicrosoftOfficeWord.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
MicrosoftOfficeWord.exe

Function 00407C9A Relevance: 44.1, APIs: 2, Strings: 23, Instructions: 306
memoryCOMMON

Function 004085BD Relevance: 44.0, APIs: 2, Strings: 23, Instructions: 266
memoryCOMMONLIBRARYCODE

Function 004080FE Relevance: 44.0, APIs: 2, Strings: 23, Instructions: 262
memoryCOMMON

Function 00409A07 Relevance: 2.1, APIs: 1, Instructions: 551
COMMON

Function 004097D3 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 00409429 Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Function 00411F70 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 205
memoryCOMMON

Function 0040D0B0 Relevance: 73.8, APIs: 30, Strings: 12, Instructions: 308
registrylibraryfileCOMMON

Function 00412270 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 222
filelibraryloaderCOMMON

Function 004125C0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 129
memoryencryptionCOMMON

Function 00402820 Relevance: 24.9, APIs: 1, Strings: 13, Instructions: 421
COMMON

Function 0040385C Relevance: 24.8, APIs: 4, Strings: 10, Instructions: 315
COMMON

Function 0040E290 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 276
windowCOMMON