Edit tour

Windows Analysis Report
MicrosoftOfficeWord.exe

Overview

General Information

Sample name:	MicrosoftOfficeWord.exe
Analysis ID:	1587447
MD5:	2db79d70849a29f5c04cdc4ef1e40674
SHA1:	69104324e2f4c6516ccfaf1ac86012a1376bd2f7
SHA256:	92e52a846763c071696b7a5c01beab41e07b0c9fd66f493617a8940345388aa0
Tags:	exeuser-zhuzhu0009
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

IP address seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

MicrosoftOfficeWord.exe (PID: 5348 cmdline: "C:\Users\user\Desktop\MicrosoftOfficeWord.exe" MD5: 2DB79D70849A29F5C04CDC4EF1E40674)

csc.exe (PID: 6224 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.3899017253.0000000008252000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.3899396330.00000000099F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.3898686850.00000000070B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: csc.exe PID: 6224	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.csc.exe.99f0000.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.csc.exe.82d6a48.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: MicrosoftOfficeWord.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: MicrosoftOfficeWord.exe	ReversingLabs: Detection: 65%
Source: MicrosoftOfficeWord.exe	Virustotal: Detection: 69%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.7% probability

Source: MicrosoftOfficeWord.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: MicrosoftOfficeWord.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\jenkins\workspace\Client\Client\Windows_VDI\release\Bin\Release\ZoomDocConverter.pdb@@ source: MicrosoftOfficeWord.exe
Source:	Binary string: Fxjvdwlxzkd.pdb source: csc.exe, 00000003.00000003.2430616893.000000000834C000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899256489.0000000009830000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000003.00000003.2430616893.0000000008665000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899423837.0000000009A50000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000003.00000003.2430616893.0000000008665000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899423837.0000000009A50000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\Client\Client\Windows_VDI\release\Bin\Release\ZoomDocConverter.pdb source: MicrosoftOfficeWord.exe

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 0_2_0040F130 GetCurrentProcess,GetMappedFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,

0_2_0040F130

Source: global traffic

TCP traffic: 192.168.2.5:49710 -> 181.71.216.203:30203

Source: Joe Sandbox View

IP Address: 181.71.216.203 181.71.216.203

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: newstaticfreepoint24.ddns-ip.net

Source: csc.exe, 00000003.00000002.3898686850.000000000730D000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3898686850.00000000070B1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3898686850.0000000007147000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: csc.exe, 00000003.00000003.2430616893.0000000008665000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899423837.0000000009A50000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: csc.exe, 00000003.00000003.2430616893.0000000008665000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899423837.0000000009A50000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: csc.exe, 00000003.00000003.2430616893.0000000008665000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899423837.0000000009A50000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: csc.exe, 00000003.00000003.2430616893.0000000008665000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899423837.0000000009A50000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: csc.exe, 00000003.00000002.3898686850.00000000070B1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.0000000008665000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899423837.0000000009A50000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: csc.exe, 00000003.00000003.2430616893.0000000008665000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899423837.0000000009A50000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: MicrosoftOfficeWord.exe	String found in binary or memory: https://zoom.us/privacy/Zoom

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 0_2_004300A0	0_2_004300A0
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 0_2_00430BEA	0_2_00430BEA
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 0_2_0040DC50	0_2_0040DC50
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 0_2_004304AC	0_2_004304AC
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 0_2_00403F13	0_2_00403F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_055A42C8	3_2_055A42C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_055A42BE	3_2_055A42BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_055A1B2D	3_2_055A1B2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E95758	3_2_06E95758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E9D5E0	3_2_06E9D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E9E688	3_2_06E9E688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E95749	3_2_06E95749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E94DC0	3_2_06E94DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E94DB1	3_2_06E94DB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E9D917	3_2_06E9D917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09802148	3_2_09802148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09802D60	3_2_09802D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_098074B0	3_2_098074B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09803E08	3_2_09803E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09804640	3_2_09804640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_098049E1	3_2_098049E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09803DF9	3_2_09803DF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09802490	3_2_09802490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_098074A1	3_2_098074A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_098078B9	3_2_098078B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09804631	3_2_09804631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09ABFA88	3_2_09ABFA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09ABFA78	3_2_09ABFA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09ABFA50	3_2_09ABFA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09ABE4D0	3_2_09ABE4D0

Source: MicrosoftOfficeWord.exe	Binary or memory string: OriginalFilename vs MicrosoftOfficeWord.exe
Source: MicrosoftOfficeWord.exe, 00000000.00000002.2194040145.000000000455C000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYxttxbmsat.exe" vs MicrosoftOfficeWord.exe
Source: MicrosoftOfficeWord.exe	Binary or memory string: OriginalFilenameZoom* vs MicrosoftOfficeWord.exe

Source: MicrosoftOfficeWord.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.evad.winEXE@3/0@1/1

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 0_2_004113D0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_004113D0

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 0_2_00411A50 CoInitializeEx,CoUninitialize,CoCreateInstance,SysAllocString,SysFreeString,CoSetProxyBlanket,_com_issue_error,

0_2_00411A50

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: \Sessions\1\BaseNamedObjects\mono1234

Source: MicrosoftOfficeWord.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MicrosoftOfficeWord.exe	ReversingLabs: Detection: 65%
Source: MicrosoftOfficeWord.exe	Virustotal: Detection: 69%

Source: unknown	Process created: C:\Users\user\Desktop\MicrosoftOfficeWord.exe "C:\Users\user\Desktop\MicrosoftOfficeWord.exe"
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Section loaded: crowdstrikeceoisextragay.dll	Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Section loaded: sentinelisabadedrtrynexttimemaybe.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: MicrosoftOfficeWord.exe

Static file information: File size 3567616 > 1048576

Source: MicrosoftOfficeWord.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x33c000

Source: MicrosoftOfficeWord.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MicrosoftOfficeWord.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MicrosoftOfficeWord.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MicrosoftOfficeWord.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MicrosoftOfficeWord.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MicrosoftOfficeWord.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: MicrosoftOfficeWord.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: MicrosoftOfficeWord.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\jenkins\workspace\Client\Client\Windows_VDI\release\Bin\Release\ZoomDocConverter.pdb@@ source: MicrosoftOfficeWord.exe
Source:	Binary string: Fxjvdwlxzkd.pdb source: csc.exe, 00000003.00000003.2430616893.000000000834C000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899256489.0000000009830000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000003.00000003.2430616893.0000000008665000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899423837.0000000009A50000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000003.00000003.2430616893.0000000008665000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899423837.0000000009A50000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\Client\Client\Windows_VDI\release\Bin\Release\ZoomDocConverter.pdb source: MicrosoftOfficeWord.exe

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 3.2.csc.exe.99f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.csc.exe.82d6a48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3899017253.0000000008252000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3899396330.00000000099F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3898686850.00000000070B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csc.exe PID: 6224, type: MEMORYSTR

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"			Jump to behavior

Source: MicrosoftOfficeWord.exe

Static PE information: real checksum: 0x6698e should be: 0x36d21b

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 0_2_0040E90C push es; ret	0_2_0040E91C
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 0_2_00414F64 push ecx; ret	0_2_00414F77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E1147D push es; ret	3_2_06E11480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E151F9 push ebx; ret	3_2_06E15203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E9374B push es; retf	3_2_06E93754
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E9CC50 push es; ret	3_2_06E9CD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E99D2B push es; iretd	3_2_06E99CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09ABC14E push esp; iretd	3_2_09ABC151
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09ABB8A0 push eax; retf	3_2_09ABBA81

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 5260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 70B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 90B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 442000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

API coverage: 0.9 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1816	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1816	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 3680	Thread sleep count: 188 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1492	Thread sleep time: -442000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1816	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 0_2_0040F130 GetCurrentProcess,GetMappedFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,

0_2_0040F130

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 442000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: csc.exe, 00000003.00000002.3898253017.000000000535A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 3_2_06E9FAC0 LdrInitializeThunk,

3_2_06E9FAC0

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 0_2_00414A32 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00414A32

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 0_2_0040D830 GetModuleFileNameW,SHGetSpecialFolderPathW,GetProcessHeap,HeapAlloc,SHGetSpecialFolderPathW,GetWindowsDirectoryW,GetProcessHeap,HeapAlloc,

0_2_0040D830

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 0_2_00414A32 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00414A32
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 0_2_00414BA6 SetUnhandledExceptionFilter,	0_2_00414BA6
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Code function: 0_2_004146B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004146B4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4B00000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4B00000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4B00000			Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4D6F008			Jump to behavior

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 0_2_00411F70 OpenProcessToken,GetLastError,DuplicateTokenEx,GetLastError,AllocateAndInitializeSid,GetLastError,CreateWellKnownSid,GetLastError,GetProcessHeap,HeapAlloc,GetLastError,CreateWellKnownSid,GetLastError,CreateRestrictedToken,GetLastError,AllocateAndInitializeSid,GetLastError,SetTokenInformation,GetLastError,CloseHandle,CloseHandle,FreeSid,GetProcessHeap,HeapFree,FreeSid,CloseHandle,

0_2_00411F70

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 0_2_00414851 cpuid

0_2_00414851

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\MicrosoftOfficeWord.exe

Code function: 0_2_00414C65 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00414C65

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: csc.exe, 00000003.00000002.3898253017.000000000535A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	31 Process Injection	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Process Injection	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	134 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MicrosoftOfficeWord.exe	66%	ReversingLabs	Win32.Trojan.Leonem
MicrosoftOfficeWord.exe	69%	Virustotal		Browse
MicrosoftOfficeWord.exe	100%	Avira	TR/Crypt.XPACK.Gen3

Name	IP	Active	Malicious	Antivirus Detection	Reputation
newstaticfreepoint24.ddns-ip.net	181.71.216.203	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-net	csc.exe, 00000003.00000003.2430616893.0000000008665000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899423837.0000000009A50000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	csc.exe, 00000003.00000003.2430616893.0000000008665000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899423837.0000000009A50000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	csc.exe, 00000003.00000002.3898686850.00000000070B1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.0000000008665000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899423837.0000000009A50000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	csc.exe, 00000003.00000003.2430616893.0000000008665000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899423837.0000000009A50000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://zoom.us/privacy/Zoom	MicrosoftOfficeWord.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	csc.exe, 00000003.00000002.3898686850.000000000730D000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3898686850.00000000070B1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3898686850.0000000007147000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	csc.exe, 00000003.00000003.2430616893.0000000008665000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899423837.0000000009A50000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	csc.exe, 00000003.00000003.2430616893.0000000008665000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3899423837.0000000009A50000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2430616893.000000000852E000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
181.71.216.203	newstaticfreepoint24.ddns-ip.net	Colombia		27831	ColombiaMovilCO	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587447
Start date and time:	2025-01-10 11:47:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MicrosoftOfficeWord.exe
Detection:	MAL
Classification:	mal80.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 89% Number of executed functions: 94 Number of non-executed functions: 62
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtProtectVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
181.71.216.203	AdobePDF.exe	Get hash	malicious	Unknown	Browse
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse
	MicrosoftWORD.exe	Get hash	malicious	Unknown	Browse
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse
	AdobePDF.exe	Get hash	malicious	Unknown	Browse
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse
	AdobePremierPDF.exe	Get hash	malicious	Unknown	Browse
	2LDJIyMl2r.exe	Get hash	malicious	Remcos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
newstaticfreepoint24.ddns-ip.net	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftWORD.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePremierPDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	2LDJIyMl2r.exe	Get hash	malicious	Remcos	Browse	181.71.216.203

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ColombiaMovilCO	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftWORD.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePremierPDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.133380080323117
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MicrosoftOfficeWord.exe
File size:	3'567'616 bytes
MD5:	2db79d70849a29f5c04cdc4ef1e40674
SHA1:	69104324e2f4c6516ccfaf1ac86012a1376bd2f7
SHA256:	92e52a846763c071696b7a5c01beab41e07b0c9fd66f493617a8940345388aa0
SHA512:	f4b7fb079d320bdad76c47a6f61ac7dc61f7c5159df65292645e3046c63bb4e02438bb06eff37a98297163b6c53f1d313c4dd5ec4b1ff1aceae07356831d957e
SSDEEP:	49152:Usxci/uNQrNcXei/uNXQVNcXei/uNQ4NcXei/uNkqO10oh7JDfglOXv:U84N8NtNfqW0udfglOf
TLSH:	46F58CB8E76FEC42D8216A7F1092634E0323DEFE594385975248F764A4B3EC439E8467
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........rt..............k.......f.......f.......f.......f.......{.......{.......f.......f..........=....f.......f...............f.....

File Icon


Icon Hash:	e082c4e4ae8c82e8

Static PE Info

General

Entrypoint:	0x414670
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6743E4D1 [Mon Nov 25 02:45:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	73fea8e21025ec6f368037fae3afc60a

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F825C80CDC2h
jmp 00007F825C80C5EDh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, dword ptr [ebp+08h]
push dword ptr [esi]
call 00007F825C80CFE3h
push dword ptr [ebp+14h]
mov dword ptr [esi], eax
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push esi
push 00413F30h
push 00429024h
call 00007F825C80CF14h
add esp, 1Ch
pop esi
pop ebp
ret
jmp 00007F825C80BFF6h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0041932Ch]
push dword ptr [ebp+08h]
call dword ptr [00419324h]
push C0000409h
call dword ptr [00419270h]
push eax
call dword ptr [00419368h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [00419330h]
test eax, eax
je 00007F825C80C787h
push 00000002h
pop ecx
int 29h
mov dword ptr [0042CB80h], eax
mov dword ptr [0042CB7Ch], ecx
mov dword ptr [0042CB78h], edx
mov dword ptr [0042CB74h], ebx
mov dword ptr [0042CB70h], esi
mov dword ptr [0042CB6Ch], edi
mov word ptr [0042CB98h], ss
mov word ptr [0042CB8Ch], cs
mov word ptr [0042CB68h], ds
mov word ptr [0042CB64h], es
mov word ptr [00000000h], fs

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x248e8	0x1cc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2e000	0x33becc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x58800	0x5f38	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x59000	0x2acc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x21cd8	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x21e40	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x21d48	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19000	0x5b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x18000	0x17e00	194a7255282fe9d7ae81b72636d3958e	False	0.4041639397905759	data	6.147389640020991	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0x10000	0xf400	705b94a546f1abb8fba1e84ce4933d03	False	0.29005507172131145	data	5.0324726546167895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x29000	0x5000	0x3a00	22c50ae1b95257f8c3a44ff7a2de2c94	False	0.10162984913793104	data	2.0443500313558287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2e000	0x33becc	0x33c000	4d3fa0f36523000af465d39a2916abf9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x2e72c	0x2ec	data			0.56951871657754
RT_CURSOR	0x2ea18	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"			0.4117647058823529
RT_BITMAP	0x2ed04	0x5428	Device independent bitmap graphic, 224 x 32 x 24, image size 0, resolution 3780 x 3780 px/m			0.1578165614556257
RT_BITMAP	0x3412c	0xbd28	Device independent bitmap graphic, 336 x 48 x 24, image size 0, resolution 3780 x 3780 px/m			0.13666776804890138
RT_BITMAP	0x3fe54	0x72a24	Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m			0.5168697022617881
RT_BITMAP	0xb2878	0x72a24	Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m			0.6944626655875964
RT_BITMAP	0x12529c	0x72a24	Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m			0.701893342420241
RT_BITMAP	0x197cc0	0x72a24	Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m			0.7138369467989948
RT_ICON	0x20a6e4	0xc5c0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.6268963337547409
RT_ICON	0x216ca4	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144			0.1756923691451904
RT_ICON	0x258ccc	0x6375f	PC bitmap, Windows 3.x format, 51811 x 2 x 49, image size 407651, cbSize 407391, bits offset 54			0.9921942310949432
RT_ICON	0x2bc42c	0x528	Device independent bitmap graphic, 16 x 32 x 32, image size 1280	English	United States	0.4401515151515151
RT_ICON	0x2bc954	0xb68	Device independent bitmap graphic, 24 x 48 x 32, image size 2880	English	United States	0.29486301369863016
RT_ICON	0x2bd4bc	0x1428	Device independent bitmap graphic, 32 x 64 x 32, image size 5120	English	United States	0.23507751937984497
RT_ICON	0x2be8e4	0x2d28	Device independent bitmap graphic, 48 x 96 x 32, image size 11520	English	United States	0.17439446366782008
RT_ICON	0x2c160c	0x5028	Device independent bitmap graphic, 64 x 128 x 32, image size 20480	English	United States	0.12339181286549708
RT_ICON	0x2c6634	0x14028	Device independent bitmap graphic, 128 x 256 x 32, image size 81920	English	United States	0.0954123962908736
RT_ICON	0x2da65c	0xc16d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0005250721974273
RT_RCDATA	0x2e67cc	0xfd8	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced			1.0027120315581854
RT_RCDATA	0x2e77a4	0x9d36	PNG image data, 98 x 102, 8-bit/color RGBA, non-interlaced			0.33521343736023457
RT_RCDATA	0x2f14dc	0x9d36	PNG image data, 98 x 102, 8-bit/color RGBA, non-interlaced			0.24362669582070268
RT_RCDATA	0x2fb214	0xcbf0	Delphi compiled form 'TfFileProperties'			0.31453034017775056
RT_RCDATA	0x307e04	0x3c248	Delphi compiled form 'TfMain'			0.6290065924073653
RT_GROUP_ICON	0x34404c	0x68	data	English	United States	0.7403846153846154
RT_VERSION	0x3440b4	0x364	data	English	United States	0.43317972350230416
RT_ANIICON	0x344418	0x25932	PC bitmap, Windows 3.x format, 19581 x 2 x 38, image size 154747, cbSize 153906, bits offset 54			0.9913128792899563
RT_MANIFEST	0x369d4c	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	GetCurrentThreadId, QueryDosDeviceW, VirtualProtect, HeapFree, EnterCriticalSection, GetCurrentProcess, ReleaseSemaphore, WriteFile, GetModuleFileNameW, WaitForMultipleObjects, LeaveCriticalSection, InitializeCriticalSection, SetFilePointer, ResumeThread, GetModuleHandleA, OpenProcess, GetLogicalDriveStringsW, CreateToolhelp32Snapshot, CreateEventW, Process32NextW, CreateFileA, SetEvent, Process32FirstW, FreeLibrary, HeapAlloc, GetWindowsDirectoryW, VerSetConditionMask, GetProcessHeap, GetModuleHandleW, CreateSemaphoreW, FlushInstructionCache, VerifyVersionInfoW, CreateDirectoryA, SetDllDirectoryW, VirtualQuery, LoadLibraryExW, FlushFileBuffers, LocalFree, SetErrorMode, GetPrivateProfileStringW, GetTempFileNameW, CreateFileW, OutputDebugStringW, IsWow64Process, MultiByteToWideChar, SetConsoleCtrlHandler, IsDebuggerPresent, InitializeCriticalSectionAndSpinCount, ResetEvent, WaitForSingleObjectEx, UnhandledExceptionFilter, CreateThread, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetProcAddress, LoadLibraryW, ExitProcess, DeleteCriticalSection, CloseHandle, DeleteFileW, TerminateThread, GetLastError, GetTickCount64, Sleep, WaitForSingleObject, InitializeCriticalSectionEx, TerminateProcess, CreateDirectoryW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead
USER32.dll	GetMessageW, GetUserObjectInformationA, SetTimer, TranslateMessage, PostThreadMessageW, DispatchMessageW, GetProcessWindowStation, MessageBoxW
ADVAPI32.dll	GetTokenInformation, RegGetValueW, RegOpenKeyExW, OpenProcessToken, RegEnumKeyExW, RegCloseKey, DuplicateTokenEx, FreeSid, CreateRestrictedToken, ImpersonateLoggedOnUser, CreateWellKnownSid, AllocateAndInitializeSid, SetTokenInformation, RevertToSelf
SHELL32.dll	SHGetKnownFolderPath, SHGetSpecialFolderPathW, ShellExecuteExW, SHGetSpecialFolderPathA
ole32.dll	CoInitialize, CoUninitialize, CoTaskMemFree, CoInitializeEx, CoSetProxyBlanket, OleRun, CoCreateInstance
OLEAUT32.dll	VariantClear, SysAllocString, SysFreeString
SHLWAPI.dll	PathAppendW, PathIsRelativeW
PSAPI.DLL	GetModuleInformation, GetModuleFileNameExW, GetMappedFileNameW, EnumProcessModules
WINTRUST.dll	WinVerifyTrust, WTHelperProvDataFromStateData, WTHelperGetProvCertFromChain, WTHelperGetProvSignerFromChain
CRYPT32.dll	CertGetNameStringW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:48:50.511622906 CET	49710	30203	192.168.2.5	181.71.216.203
Jan 10, 2025 11:48:50.516383886 CET	30203	49710	181.71.216.203	192.168.2.5
Jan 10, 2025 11:48:50.516474962 CET	49710	30203	192.168.2.5	181.71.216.203
Jan 10, 2025 11:48:50.546437979 CET	49710	30203	192.168.2.5	181.71.216.203
Jan 10, 2025 11:48:50.551254988 CET	30203	49710	181.71.216.203	192.168.2.5
Jan 10, 2025 11:48:50.551345110 CET	49710	30203	192.168.2.5	181.71.216.203
Jan 10, 2025 11:48:50.556159973 CET	30203	49710	181.71.216.203	192.168.2.5
Jan 10, 2025 11:49:11.876615047 CET	30203	49710	181.71.216.203	192.168.2.5
Jan 10, 2025 11:49:11.876773119 CET	49710	30203	192.168.2.5	181.71.216.203
Jan 10, 2025 11:49:11.880669117 CET	49710	30203	192.168.2.5	181.71.216.203
Jan 10, 2025 11:49:11.885503054 CET	30203	49710	181.71.216.203	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:48:50.494369984 CET	53250	53	192.168.2.5	1.1.1.1
Jan 10, 2025 11:48:50.509396076 CET	53	53250	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 11:48:50.494369984 CET	192.168.2.5	1.1.1.1	0x4ec9	Standard query (0)	newstaticfreepoint24.ddns-ip.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 11:48:50.509396076 CET	1.1.1.1	192.168.2.5	0x4ec9	No error (0)	newstaticfreepoint24.ddns-ip.net		181.71.216.203	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:48:30
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\MicrosoftOfficeWord.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MicrosoftOfficeWord.exe"
Imagebase:	0x400000
File size:	3'567'616 bytes
MD5 hash:	2DB79D70849A29F5C04CDC4EF1E40674
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:48:46
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0x430000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3899017253.0000000008252000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3899396330.00000000099F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3898686850.00000000070B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00403F13 Relevance: 83.0, APIs: 2, Strings: 44, Instructions: 2467COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00403F1D

Strings

a, xrefs: 00408E6F
E, xrefs: 0040880E
LoadLibraryW, xrefs: 00405081
P, xrefs: 0040882A
l, xrefs: 00406981
i, xrefs: 00408E5A
r, xrefs: 0040698F
c, xrefs: 0040883F
o, xrefs: 00408E3E
x, xrefs: 00408815
a, xrefs: 00408E45
L, xrefs: 00408E53
s, xrefs: 0040884D
r, xrefs: 00408831
r, xrefs: 00408E76
u, xrefs: 00406973
e, xrefs: 004069A4
s, xrefs: 00408854
e, xrefs: 00408846
GetModuleHandleExW, xrefs: 00405BDF
c, xrefs: 004069AB
gif, xrefs: 00403FC4
P, xrefs: 00406988
t, xrefs: 00408823
r, xrefs: 00408E68
t, xrefs: 0040696C
t, xrefs: 0040699D
i, xrefs: 0040881C
W, xrefs: 00408E84
y, xrefs: 00408E7D
L, xrefs: 00408E37
], xrefs: 00406159
png, xrefs: 00403F7F
b, xrefs: 00408E61
bmp, xrefs: 00403FAB
jpg, xrefs: 00403F94
a, xrefs: 0040697A
r, xrefs: 00406965
o, xrefs: 00406996
d, xrefs: 00408E4C
V, xrefs: 00406957
i, xrefs: 0040695E
t, xrefs: 004069B2
o, xrefs: 00408838

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3_
String ID: E$GetModuleHandleExW$L$L$LoadLibraryW$P$P$V$W$]$a$a$a$b$bmp$c$c$d$e$e$gif$i$i$i$jpg$l$o$o$o$png$r$r$r$r$r$s$s$t$t$t$t$u$x$y
API String ID: 2427045233-3217341300
Opcode ID: 24c789fa4daecbd349568caf682134c91fe02bd9c879d5a9ec86189862ec8d49
Instruction ID: 8772a5d91f2c69b3084cbf90925906af69786a0451df771bb4d847c438c2977d
Opcode Fuzzy Hash: 24c789fa4daecbd349568caf682134c91fe02bd9c879d5a9ec86189862ec8d49
Instruction Fuzzy Hash: 20D208B4A052A8CBDB24CB18C988BDDBBB1AF45314F1081EAE459BB381D7755F81CF19

Function 00403FE4 Relevance: 95.0, APIs: 1, Strings: 53, Instructions: 503COMMON

Download Yara Rule

Strings

E, xrefs: 0040880E
o, xrefs: 00404113
i, xrefs: 00408E5A
e, xrefs: 00404159
c, xrefs: 0040883F
x, xrefs: 00408815
r, xrefs: 00408831
r, xrefs: 00408E76
s, xrefs: 00408854
H, xrefs: 00404136
e, xrefs: 00408846
L, xrefs: 00404752
t, xrefs: 00408823
r, xrefs: 00408E68
e, xrefs: 0040412F
x, xrefs: 00404167
l, xrefs: 00404152
W, xrefs: 0040416E
d, xrefs: 00404767
b, xrefs: 0040477C
y, xrefs: 00404798
a, xrefs: 0040413D
n, xrefs: 00404144
d, xrefs: 0040414B
i, xrefs: 00404775
r, xrefs: 00404791
a, xrefs: 00408E6F
W, xrefs: 0040479F
d, xrefs: 0040411A
P, xrefs: 0040882A
o, xrefs: 00404759
t, xrefs: 00404105
o, xrefs: 00408E3E
a, xrefs: 00408E45
L, xrefs: 00408E53
u, xrefs: 00404121
s, xrefs: 0040884D
E, xrefs: 00404160
l, xrefs: 00404128
a, xrefs: 0040478A
i, xrefs: 0040881C
W, xrefs: 00408E84
L, xrefs: 0040476E
y, xrefs: 00408E7D
r, xrefs: 00404783
L, xrefs: 00408E37
M, xrefs: 0040410C
b, xrefs: 00408E61
a, xrefs: 00404760
G, xrefs: 004040F7
e, xrefs: 004040FE
d, xrefs: 00408E4C
o, xrefs: 00408838

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID: E$E$G$H$L$L$L$L$M$P$W$W$W$a$a$a$a$a$b$b$c$d$d$d$d$e$e$e$e$i$i$i$l$l$n$o$o$o$o$r$r$r$r$r$s$s$t$t$u$x$x$y$y
API String ID: 0-1389426690
Opcode ID: 6c52c70809327a56088b94180972d0ec2f26b9a01d5ece6e06692af3203bd157
Instruction ID: 736e9a2ff06c9903231fdc911306428f10f64ae89d11f3f6351f21f0fe3a524d
Opcode Fuzzy Hash: 6c52c70809327a56088b94180972d0ec2f26b9a01d5ece6e06692af3203bd157
Instruction Fuzzy Hash: 90D11D64A086E8CBEB21CB24CC487C9BB75AF55704F0450E9914CAB391D7BA4FC4CF2A

Function 00408801 Relevance: 95.0, APIs: 1, Strings: 53, Instructions: 464COMMON

Download Yara Rule

Strings

E, xrefs: 0040880E
o, xrefs: 00404113
i, xrefs: 00408E5A
e, xrefs: 00404159
c, xrefs: 0040883F
x, xrefs: 00408815
r, xrefs: 00408831
r, xrefs: 00408E76
s, xrefs: 00408854
H, xrefs: 00404136
e, xrefs: 00408846
L, xrefs: 00404752
t, xrefs: 00408823
r, xrefs: 00408E68
e, xrefs: 0040412F
x, xrefs: 00404167
l, xrefs: 00404152
W, xrefs: 0040416E
d, xrefs: 00404767
b, xrefs: 0040477C
y, xrefs: 00404798
a, xrefs: 0040413D
n, xrefs: 00404144
d, xrefs: 0040414B
i, xrefs: 00404775
r, xrefs: 00404791
a, xrefs: 00408E6F
W, xrefs: 0040479F
d, xrefs: 0040411A
P, xrefs: 0040882A
o, xrefs: 00404759
t, xrefs: 00404105
o, xrefs: 00408E3E
a, xrefs: 00408E45
L, xrefs: 00408E53
u, xrefs: 00404121
s, xrefs: 0040884D
E, xrefs: 00404160
l, xrefs: 00404128
a, xrefs: 0040478A
i, xrefs: 0040881C
W, xrefs: 00408E84
L, xrefs: 0040476E
y, xrefs: 00408E7D
r, xrefs: 00404783
L, xrefs: 00408E37
M, xrefs: 0040410C
b, xrefs: 00408E61
a, xrefs: 00404760
G, xrefs: 004040F7
e, xrefs: 004040FE
d, xrefs: 00408E4C
o, xrefs: 00408838

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID: E$E$G$H$L$L$L$L$M$P$W$W$W$a$a$a$a$a$b$b$c$d$d$d$d$e$e$e$e$i$i$i$l$l$n$o$o$o$o$r$r$r$r$r$s$s$t$t$u$x$x$y$y
API String ID: 0-1389426690
Opcode ID: 282d2022df174df892bc0fa8082b37abe8beab81664315bf64815537b9bee3b7
Instruction ID: 5a33921d472eb5b1d54932414b158a79c7060a2ea52495a653e6a93cb6c8b944
Opcode Fuzzy Hash: 282d2022df174df892bc0fa8082b37abe8beab81664315bf64815537b9bee3b7
Instruction Fuzzy Hash: 68C1E0749086E8CAEB21CB24CD447D9BAB5AF55708F0441E9914C7B391D7BA4FC4CF2A

Function 004070FD Relevance: 44.6, APIs: 2, Strings: 23, Instructions: 899memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

a, xrefs: 00408E6F
E, xrefs: 0040880E
t, xrefs: 00408823
r, xrefs: 00408E68
P, xrefs: 0040882A
i, xrefs: 0040881C
W, xrefs: 00408E84
y, xrefs: 00408E7D
i, xrefs: 00408E5A
c, xrefs: 0040883F
L, xrefs: 00408E37
x, xrefs: 00408815
o, xrefs: 00408E3E
b, xrefs: 00408E61
a, xrefs: 00408E45
L, xrefs: 00408E53
s, xrefs: 0040884D
r, xrefs: 00408831
r, xrefs: 00408E76
s, xrefs: 00408854
e, xrefs: 00408846
d, xrefs: 00408E4C
o, xrefs: 00408838

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ProtectVirtual
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 544645111-215400123
Opcode ID: 6f1aed589faa056a0852ec4fa35efdb10074c7c864bb1c776dfdcc7162dddfda
Instruction ID: 680e258f425ee6c68fe86b2117ead666fda9975553f3b758cf5b8f653f7fc27b
Opcode Fuzzy Hash: 6f1aed589faa056a0852ec4fa35efdb10074c7c864bb1c776dfdcc7162dddfda
Instruction Fuzzy Hash: E6222BB4E042A98BDB24CB14C984BE9BBB1AF44304F1081E9E548BB781D7755FC1CF59

Function 00408170 Relevance: 44.6, APIs: 2, Strings: 23, Instructions: 849memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

a, xrefs: 00408E6F
E, xrefs: 0040880E
t, xrefs: 00408823
r, xrefs: 00408E68
P, xrefs: 0040882A
i, xrefs: 0040881C
W, xrefs: 00408E84
y, xrefs: 00408E7D
i, xrefs: 00408E5A
c, xrefs: 0040883F
L, xrefs: 00408E37
x, xrefs: 00408815
o, xrefs: 00408E3E
b, xrefs: 00408E61
a, xrefs: 00408E45
L, xrefs: 00408E53
s, xrefs: 0040884D
r, xrefs: 00408831
r, xrefs: 00408E76
s, xrefs: 00408854
e, xrefs: 00408846
d, xrefs: 00408E4C
o, xrefs: 00408838

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ProtectVirtual
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 544645111-215400123
Opcode ID: f7c28a94e09f94054dd5d783e1d24e2702e967a16eb50db53d6b77a3e3e9e812
Instruction ID: 9b5f17017330220ca9fff1c45d645742c72bd43d93c1bf5158f13f9b32c0fa46
Opcode Fuzzy Hash: f7c28a94e09f94054dd5d783e1d24e2702e967a16eb50db53d6b77a3e3e9e812
Instruction Fuzzy Hash: A81205B4A042A88BDB24CB18C984BEDBBB1AF54314F1045EAE459BB381D7795FC1CF19

Function 00406AE2 Relevance: 44.4, APIs: 2, Strings: 23, Instructions: 604COMMON

Download Yara Rule

Strings

a, xrefs: 00408E6F
E, xrefs: 0040880E
t, xrefs: 00408823
r, xrefs: 00408E68
P, xrefs: 0040882A
i, xrefs: 0040881C
W, xrefs: 00408E84
y, xrefs: 00408E7D
i, xrefs: 00408E5A
c, xrefs: 0040883F
L, xrefs: 00408E37
x, xrefs: 00408815
o, xrefs: 00408E3E
b, xrefs: 00408E61
a, xrefs: 00408E45
L, xrefs: 00408E53
s, xrefs: 0040884D
r, xrefs: 00408831
r, xrefs: 00408E76
s, xrefs: 00408854
e, xrefs: 00408846
d, xrefs: 00408E4C
o, xrefs: 00408838

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 0-215400123
Opcode ID: 331e01e38dd0f510206513c9ea5a78eff6aa6bc09356ec22b1eb7b402da7404d
Instruction ID: 2adf2b18feb625bed8cfcb78b62098ecdcb4c0a0e1b3b05bb58cff684be47f1c
Opcode Fuzzy Hash: 331e01e38dd0f510206513c9ea5a78eff6aa6bc09356ec22b1eb7b402da7404d
Instruction Fuzzy Hash: 7CE104B4A042A88BDB25CB24C948BD9BBB1BF54714F1051EAE04DBB381D7794F85CF1A

Function 00407D5A Relevance: 44.1, APIs: 2, Strings: 23, Instructions: 397COMMON

Download Yara Rule

Strings

a, xrefs: 00408E6F
E, xrefs: 0040880E
t, xrefs: 00408823
r, xrefs: 00408E68
P, xrefs: 0040882A
i, xrefs: 0040881C
W, xrefs: 00408E84
y, xrefs: 00408E7D
i, xrefs: 00408E5A
c, xrefs: 0040883F
L, xrefs: 00408E37
x, xrefs: 00408815
o, xrefs: 00408E3E
b, xrefs: 00408E61
a, xrefs: 00408E45
L, xrefs: 00408E53
s, xrefs: 0040884D
r, xrefs: 00408831
r, xrefs: 00408E76
s, xrefs: 00408854
e, xrefs: 00408846
d, xrefs: 00408E4C
o, xrefs: 00408838

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 0-215400123
Opcode ID: 7f62187aef5625279c27ea7d94b2c2c094b0ce3406f1ae28e1879990c4459e22
Instruction ID: 1df6281eaa33ee93b9c615ee13f399540a00456e0d95a1d980fabfb698b6a851
Opcode Fuzzy Hash: 7f62187aef5625279c27ea7d94b2c2c094b0ce3406f1ae28e1879990c4459e22
Instruction Fuzzy Hash: 27A1C3B4A082A88BDB21CB28CD447D9BBB1AF55704F1041E9E14CBB381D7794F85CF5A

Function 00407DAF Relevance: 44.1, APIs: 2, Strings: 23, Instructions: 378COMMONLIBRARYCODE

Download Yara Rule

Strings

a, xrefs: 00408E6F
E, xrefs: 0040880E
t, xrefs: 00408823
r, xrefs: 00408E68
P, xrefs: 0040882A
i, xrefs: 0040881C
W, xrefs: 00408E84
y, xrefs: 00408E7D
i, xrefs: 00408E5A
c, xrefs: 0040883F
L, xrefs: 00408E37
x, xrefs: 00408815
o, xrefs: 00408E3E
b, xrefs: 00408E61
a, xrefs: 00408E45
L, xrefs: 00408E53
s, xrefs: 0040884D
r, xrefs: 00408831
r, xrefs: 00408E76
s, xrefs: 00408854
e, xrefs: 00408846
d, xrefs: 00408E4C
o, xrefs: 00408838

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 0-215400123
Opcode ID: dcdebe5f72c0ccc379f0a9a28b8152a2cbb9d2d85e5b684ba006bc1f1b1b4051
Instruction ID: dd75d956de814c05ae4584f52afdb768220d78640f5e590803b18e4e1626968d
Opcode Fuzzy Hash: dcdebe5f72c0ccc379f0a9a28b8152a2cbb9d2d85e5b684ba006bc1f1b1b4051
Instruction Fuzzy Hash: 3891C2B4A082A88BDB218B28C9487D9BBB1AF55704F1045E9E14CBB381D7794F85CF5A

Function 00407DD2 Relevance: 44.1, APIs: 2, Strings: 23, Instructions: 372COMMONLIBRARYCODE

Download Yara Rule

Strings

a, xrefs: 00408E6F
E, xrefs: 0040880E
t, xrefs: 00408823
r, xrefs: 00408E68
P, xrefs: 0040882A
i, xrefs: 0040881C
W, xrefs: 00408E84
y, xrefs: 00408E7D
i, xrefs: 00408E5A
c, xrefs: 0040883F
L, xrefs: 00408E37
x, xrefs: 00408815
o, xrefs: 00408E3E
b, xrefs: 00408E61
a, xrefs: 00408E45
L, xrefs: 00408E53
s, xrefs: 0040884D
r, xrefs: 00408831
r, xrefs: 00408E76
s, xrefs: 00408854
e, xrefs: 00408846
d, xrefs: 00408E4C
o, xrefs: 00408838

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 0-215400123
Opcode ID: 3ee205ec0df50246e207656a30364f65ceff2ff80cf25e697aceff67b9a198bf
Instruction ID: 0a7123dfe8a5327e98d8b2165b2be4c7d76cd1d813a51559d9bb141b6610bf7c
Opcode Fuzzy Hash: 3ee205ec0df50246e207656a30364f65ceff2ff80cf25e697aceff67b9a198bf
Instruction Fuzzy Hash: 2E91C3B4A082A8CBDB218B28C9447D9BBB1AF55704F1045E9E14CBB381D77A4F85CF5A

Function 00407BAB Relevance: 44.1, APIs: 2, Strings: 23, Instructions: 353COMMON

Download Yara Rule

Strings

a, xrefs: 00408E6F
E, xrefs: 0040880E
t, xrefs: 00408823
r, xrefs: 00408E68
P, xrefs: 0040882A
i, xrefs: 0040881C
W, xrefs: 00408E84
y, xrefs: 00408E7D
i, xrefs: 00408E5A
c, xrefs: 0040883F
L, xrefs: 00408E37
x, xrefs: 00408815
o, xrefs: 00408E3E
b, xrefs: 00408E61
a, xrefs: 00408E45
L, xrefs: 00408E53
s, xrefs: 0040884D
r, xrefs: 00408831
r, xrefs: 00408E76
s, xrefs: 00408854
e, xrefs: 00408846
d, xrefs: 00408E4C
o, xrefs: 00408838

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 0-215400123
Opcode ID: 80adb4852b0960b0d3162291facd05290ea9be920a23199fe1d5f1715aae6800
Instruction ID: 8002ac30c2fbda6335aa2e2110aad2d2e01338a9879cba067224349d9c433c38
Opcode Fuzzy Hash: 80adb4852b0960b0d3162291facd05290ea9be920a23199fe1d5f1715aae6800
Instruction Fuzzy Hash: 2481C6B4A082A8CBDB21CB24CD447D9BBB5AB55704F0045E9A14CAB381C7B94F85CF5A

Function 00407C40 Relevance: 44.1, APIs: 2, Strings: 23, Instructions: 323COMMON

Download Yara Rule

Strings

a, xrefs: 00408E6F
E, xrefs: 0040880E
t, xrefs: 00408823
r, xrefs: 00408E68
P, xrefs: 0040882A
i, xrefs: 0040881C
W, xrefs: 00408E84
y, xrefs: 00408E7D
i, xrefs: 00408E5A
c, xrefs: 0040883F
L, xrefs: 00408E37
x, xrefs: 00408815
o, xrefs: 00408E3E
b, xrefs: 00408E61
a, xrefs: 00408E45
L, xrefs: 00408E53
s, xrefs: 0040884D
r, xrefs: 00408831
r, xrefs: 00408E76
s, xrefs: 00408854
e, xrefs: 00408846
d, xrefs: 00408E4C
o, xrefs: 00408838

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 0-215400123
Opcode ID: e80f974e5b24f2e604f31b36c1f62663b58aceb74e947806e38518b29f20a73d
Instruction ID: 42eea9e0e97cf5b612de837b8b02b13f81132edb7b819d993aa0766d76aa8ddb
Opcode Fuzzy Hash: e80f974e5b24f2e604f31b36c1f62663b58aceb74e947806e38518b29f20a73d
Instruction Fuzzy Hash: 6171C8B49082A8CBEB21CB24CD447D9BAB5AF15704F1045E9E14CBB381C7BA4F85CF5A

Function 00407C9A Relevance: 44.1, APIs: 2, Strings: 23, Instructions: 306
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

a, xrefs: 00408E6F
E, xrefs: 0040880E
t, xrefs: 00408823
r, xrefs: 00408E68
P, xrefs: 0040882A
i, xrefs: 0040881C
W, xrefs: 00408E84
y, xrefs: 00408E7D
i, xrefs: 00408E5A
c, xrefs: 0040883F
L, xrefs: 00408E37
x, xrefs: 00408815
o, xrefs: 00408E3E
b, xrefs: 00408E61
a, xrefs: 00408E45
L, xrefs: 00408E53
s, xrefs: 0040884D
r, xrefs: 00408831
r, xrefs: 00408E76
s, xrefs: 00408854
e, xrefs: 00408846
d, xrefs: 00408E4C
o, xrefs: 00408838

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ProtectVirtual
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 544645111-215400123
Opcode ID: d0b0a7fe9d406b5fe98e0eefc5c2cdd973b16e86ce0152bcd6a534d4b6762cda
Instruction ID: ec2d891c00d131031af488a7aeab7433c2fa4461e8dab624ac9fccc522e3d025
Opcode Fuzzy Hash: d0b0a7fe9d406b5fe98e0eefc5c2cdd973b16e86ce0152bcd6a534d4b6762cda
Instruction Fuzzy Hash: 7871C9B49082A8CBEB21CB24CD447D9BAB5AF15704F1045E9D14CBB381C77A4F85CF1A

Function 004085BD Relevance: 44.0, APIs: 2, Strings: 23, Instructions: 266
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

a, xrefs: 00408E6F
E, xrefs: 0040880E
t, xrefs: 00408823
r, xrefs: 00408E68
P, xrefs: 0040882A
i, xrefs: 0040881C
W, xrefs: 00408E84
y, xrefs: 00408E7D
i, xrefs: 00408E5A
c, xrefs: 0040883F
L, xrefs: 00408E37
x, xrefs: 00408815
o, xrefs: 00408E3E
b, xrefs: 00408E61
a, xrefs: 00408E45
L, xrefs: 00408E53
s, xrefs: 0040884D
r, xrefs: 00408831
r, xrefs: 00408E76
s, xrefs: 00408854
e, xrefs: 00408846
d, xrefs: 00408E4C
o, xrefs: 00408838

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ProtectVirtual
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 544645111-215400123
Opcode ID: cd97989d0c3b1013a5e7116e7ab31a4db66f0d0539c0911fbc3551e6ae52f1fe
Instruction ID: 625d281dfe30ccee287b8e8f0ea624e1b992baa3afb4f701c74c0ff8d4e14b8f
Opcode Fuzzy Hash: cd97989d0c3b1013a5e7116e7ab31a4db66f0d0539c0911fbc3551e6ae52f1fe
Instruction Fuzzy Hash: 1161C8B49082A8CAEB21CB24CD447D9BAB5AF15704F0445E9D14CBB391C7BA4F85CF2A

Function 004080FE Relevance: 44.0, APIs: 2, Strings: 23, Instructions: 262
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

a, xrefs: 00408E6F
E, xrefs: 0040880E
t, xrefs: 00408823
r, xrefs: 00408E68
P, xrefs: 0040882A
i, xrefs: 0040881C
W, xrefs: 00408E84
y, xrefs: 00408E7D
i, xrefs: 00408E5A
c, xrefs: 0040883F
L, xrefs: 00408E37
x, xrefs: 00408815
o, xrefs: 00408E3E
b, xrefs: 00408E61
a, xrefs: 00408E45
L, xrefs: 00408E53
s, xrefs: 0040884D
r, xrefs: 00408831
r, xrefs: 00408E76
s, xrefs: 00408854
e, xrefs: 00408846
d, xrefs: 00408E4C
o, xrefs: 00408838

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ProtectVirtual
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 544645111-215400123
Opcode ID: 26e8d5b9a9d3ffa4bebdb6377f811e48dd6436d8b2e435224c717ff429529648
Instruction ID: 376e2767f3cf7e469c955a49fa83cff2aaf57e068d71da198fb35e287fd87543
Opcode Fuzzy Hash: 26e8d5b9a9d3ffa4bebdb6377f811e48dd6436d8b2e435224c717ff429529648
Instruction Fuzzy Hash: F661DBB49082A8CBEB21CB24CD447D9BAB5AF55704F1445E9914CBB381D7BA4FC4CF2A

Function 00409A07 Relevance: 2.1, APIs: 1, Instructions: 551
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(DEADBEEF), ref: 0040A477

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 72a79fb50813daf9641634454f6812f554216fd05c69cff620f9039262b24773
Instruction ID: c008a3a88fbbd9c5b9f150bc327e9043af79050cbe7d05808c07bc7f694a12f5
Opcode Fuzzy Hash: 72a79fb50813daf9641634454f6812f554216fd05c69cff620f9039262b24773
Instruction Fuzzy Hash: 20D1F7B4A042A88BCB64CF54C984BEDBBB1BB44315F2086EAE459B7751D7349EC1CF09

Function 004097D3 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df21ca10aed49071c5b6b2f28568336d275df7644821752aeb7a37ebf4f4b97c
Instruction ID: 8814cd1c3c061a6c33971eeb85ef7a85a703eda32cd3c751a69f55dd44878a16
Opcode Fuzzy Hash: df21ca10aed49071c5b6b2f28568336d275df7644821752aeb7a37ebf4f4b97c
Instruction Fuzzy Hash: 1801A9F49046A98FCB248B54CD88BDDBBB4BB05305F1442EAD519B7741D7345E85CF09

Function 00409429 Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(DEADBEEF), ref: 0040A477

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 65f52e8dd54f9a268cfcf699dfda5c29f93e292edebcae2cc65d72117e3ed62b
Instruction ID: 83806e5cf736b1ee28465a3577a62dddcaab2ffde1162d51884bde53348236b6
Opcode Fuzzy Hash: 65f52e8dd54f9a268cfcf699dfda5c29f93e292edebcae2cc65d72117e3ed62b
Instruction Fuzzy Hash: 3FF0B2F8A042A88FCB248F14CC88BD9BB74BB04309F0445EAE11AB7381D7349E85CF09

Non-executed Functions

Function 00411F70 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 205
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(00000000,00000002,00000000,00000000), ref: 00411FDA
GetLastError.KERNEL32 ref: 00411FE4
DuplicateTokenEx.ADVAPI32(00000000,02000000,00000000,00000002,00000002,00000000), ref: 00412001
GetLastError.KERNEL32 ref: 0041200B
CloseHandle.KERNEL32(00000000), ref: 00412173
CloseHandle.KERNEL32(00000000), ref: 00412181
FreeSid.ADVAPI32(00000000), ref: 0041218F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0041219C
HeapFree.KERNEL32(00000000), ref: 004121A3
FreeSid.ADVAPI32(?), ref: 004121B1
CloseHandle.KERNEL32(00000000), ref: 004121C3

Strings

, xrefs: 0041214D

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: CloseFreeHandle$ErrorHeapLastProcessToken$DuplicateOpen
String ID:
API String ID: 1790262672-3916222277
Opcode ID: 3f1a59d8f73edaad4b434cf73b553cf54cd56f2ab1023acbd563036531d9d7d6
Instruction ID: a903014ab0d868ded00178ac02ce73e7f8232d77ebbf52772378c1a350528e59
Opcode Fuzzy Hash: 3f1a59d8f73edaad4b434cf73b553cf54cd56f2ab1023acbd563036531d9d7d6
Instruction Fuzzy Hash: 1761D170A40208BBEB14DFA1DD59BEE7B78AB08B01F144125FA01F6290D7B89E558B69

Function 0040D830 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 214memoryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00429070,000007CF,00000000,00000000), ref: 0040D852
SHGetSpecialFolderPathW.SHELL32(00000000,0042A010,0000001A,00000000,00429070,0042906E,00429070,0042906E), ref: 0040D946
GetProcessHeap.KERNEL32(00000000,00000004), ref: 0040D9CD
HeapAlloc.KERNEL32(00000000), ref: 0040D9D4
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000024,00000000), ref: 0040DA19
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040DA38
GetProcessHeap.KERNEL32(00000000,00000026), ref: 0040DA7C
HeapAlloc.KERNEL32(00000000), ref: 0040DA83

Strings

$, xrefs: 0040D9C3
\, xrefs: 0040DA5F

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Heap$AllocFolderPathProcessSpecial$DirectoryFileModuleNameWindows
String ID: $$\
API String ID: 2560937269-1395706711
Opcode ID: c2cb07e2c611a4aaa378541a72539b26cc0aaaf703b57eb2e97274b412ec1d77
Instruction ID: 06cb1b4999db3c3cde009c85b0b3182518ded17d7e086e67de86218526070a2f
Opcode Fuzzy Hash: c2cb07e2c611a4aaa378541a72539b26cc0aaaf703b57eb2e97274b412ec1d77
Instruction Fuzzy Hash: FE713371B002049BDB20AFA8DD45BAA7365EB48704F8445BBE906EB2D0D77C9E49CB4D

Function 00411A50 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,00000000,?), ref: 00411A8F
CoUninitialize.OLE32 ref: 00411ACF

Strings

ROOT\CIMV2, xrefs: 00411B41

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: InitializeUninitialize
String ID: ROOT\CIMV2
API String ID: 3442037557-2786109267
Opcode ID: 7154ad24f0ce045c8ebfdc6c4ce43aeb2f04787b459809e6e5fcd4b27f8df5be
Instruction ID: 6ab19ea00e4a884013ecfa3ee51ab5763124654a81a6a4930a193ff57cc8d813
Opcode Fuzzy Hash: 7154ad24f0ce045c8ebfdc6c4ce43aeb2f04787b459809e6e5fcd4b27f8df5be
Instruction Fuzzy Hash: E451C671B41205ABEB21DF64CC55F9ABBB4EF04744F10415AE909AB3D0DB79AD80CB98

Function 0040F130 Relevance: 6.2, APIs: 4, Instructions: 190COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?), ref: 0040F17E
GetMappedFileNameW.PSAPI(00000000,?,?,?), ref: 0040F185
GetLogicalDriveStringsW.KERNEL32(00000103,?,?,?,?,?,?,?), ref: 0040F1DA
QueryDosDeviceW.KERNEL32(00000FA0,?,00000103,?,?,?,?,?,?), ref: 0040F214

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: CurrentDeviceDriveFileLogicalMappedNameProcessQueryStrings
String ID:
API String ID: 1028133890-0
Opcode ID: 8032052f7ecf8c49a705a95394094d809a3f8ada2613e8f619425ca6245f0eb5
Instruction ID: 48b8bba606bf70ced818c55d0dde4bd3379a05982e34b3b01aafbcf70260f82a
Opcode Fuzzy Hash: 8032052f7ecf8c49a705a95394094d809a3f8ada2613e8f619425ca6245f0eb5
Instruction Fuzzy Hash: 9B51D479A002099BDB249F64DC557EA73B8FF44704F4440BEEC0AE7681EB359E45CB68

Function 004113D0 Relevance: 6.1, APIs: 4, Instructions: 78processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000001C,00000000), ref: 004113F6
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0041142F
Process32NextW.KERNEL32(00000000,0000022C), ref: 00411478
CloseHandle.KERNEL32(00000000), ref: 00411483

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e5b8cd542245b9e5d170e6a0bb264918fa009bff68f2b0f059f730a2013b970c
Instruction ID: ed6ce81f11c814b95676c3b144244a8704dff2a5250c1b87c862d7b63bcea838
Opcode Fuzzy Hash: e5b8cd542245b9e5d170e6a0bb264918fa009bff68f2b0f059f730a2013b970c
Instruction Fuzzy Hash: 0721B735601219ABCB20DF75DC98FEE73B8AF48704F0441AAF90997290DB389E85CA59

Function 00414A32 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00414A3E
IsDebuggerPresent.KERNEL32 ref: 00414B0A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00414B2A
UnhandledExceptionFilter.KERNEL32(?), ref: 00414B34

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: eb54633653b1e7136daff6d8c49d900db8813ee08b08b0927fb5eae355787c96
Instruction ID: e027bf533add66c97cff3441150d370cccecafee1f68af7ea3ec92b8e2f9eeb7
Opcode Fuzzy Hash: eb54633653b1e7136daff6d8c49d900db8813ee08b08b0927fb5eae355787c96
Instruction Fuzzy Hash: A3311A75D4521CDBDB10DFA4D949BCDBBB8BF08704F1041AAE50DA7250EB749A848F49

Function 0040DC50 Relevance: 5.3, APIs: 4, Instructions: 336memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,00000000), ref: 0040DCB6
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DC12,?), ref: 0040DCBD

Part of subcall function 00412BD0: GetCurrentProcess.KERNEL32(?,?), ref: 00412C87
Part of subcall function 00412BD0: IsWow64Process.KERNEL32(00000000), ref: 00412C8E
Part of subcall function 00412BD0: RegGetValueW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,20010002,00000000,?,00000800), ref: 00412CED

Part of subcall function 00412A50: SHGetKnownFolderPath.SHELL32(00419BA0,00000000,00000000,?), ref: 00412B08
Part of subcall function 00412A50: CoTaskMemFree.OLE32(?), ref: 00412B43

GetProcessHeap.KERNEL32(00000000,?), ref: 0040DEE1
HeapFree.KERNEL32(00000000), ref: 0040DEE8

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: HeapProcess$Free$AllocCurrentFolderKnownPathTaskValueWow64
String ID:
API String ID: 296583963-0
Opcode ID: 72626ed7ebf942f3da3b4ff624644a62b2db256d44a538c0bd3af436bd098ac9
Instruction ID: 00c302652f448dc867151c1637c7350e428b9fb300c2f3923f77f2eb57857071
Opcode Fuzzy Hash: 72626ed7ebf942f3da3b4ff624644a62b2db256d44a538c0bd3af436bd098ac9
Instruction Fuzzy Hash: 86C1A071E002169BCF14DFA5D984BEEB7B5AF94304F04813AE812B73D1DB389958CB99

Function 00414851 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00414867

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 85a69eae14f70fac69dded71679b64cec421971be0a92efe753145918f18106b
Instruction ID: 1fa32a7a9fe8101fc44ca39a3572bb05595d9e056a4a196d7830266f7ff49f08
Opcode Fuzzy Hash: 85a69eae14f70fac69dded71679b64cec421971be0a92efe753145918f18106b
Instruction Fuzzy Hash: 4A5128B1E102198FDB28CF65E9856ABBBF4FB88350F54847AD406EB350D378A941CB58

Function 00414BA6 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00414BC0,004144D5), ref: 00414BAB

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 440e09a70d4185e5134bd87ad335f7482d09bb33f6763d4479a60e5079aa7941
Instruction ID: 190a85c4e36117c4851cde842c683295131adae64d9cec044f87a4c0bc670d8d
Opcode Fuzzy Hash: 440e09a70d4185e5134bd87ad335f7482d09bb33f6763d4479a60e5079aa7941
Instruction Fuzzy Hash:

Function 004300A0 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68eadc18075bdc65311dabbbd5e33a507b9c8c5ec6331530920b369572d2fcb4
Instruction ID: 856b991f6e70e0fb9ef2f4d066a2f33dcaea3df2205236e27f0407f8aebd5464
Opcode Fuzzy Hash: 68eadc18075bdc65311dabbbd5e33a507b9c8c5ec6331530920b369572d2fcb4
Instruction Fuzzy Hash: 0E52FE31E00249CECB2CDEBDC6E96DDFFB5AB84350F10E25B9089A7598C7315A469F60

Function 00430BEA Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7c172fee57f1ed6548c406c90953512d452ac45c9f20a0457aeeb3b1aa6324
Instruction ID: 82ae146b6ef45b9bf12d15841689aaa0a6ce40555f9a682480e8bc04d299ba44
Opcode Fuzzy Hash: 3d7c172fee57f1ed6548c406c90953512d452ac45c9f20a0457aeeb3b1aa6324
Instruction Fuzzy Hash: 7A71D231A01219CEDB2CDF78C7E9ADDFF75AB94210F10E19B9089A7598C7316F429E60

Function 004304AC Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54bafcd4f452923c6dd5c3b503312fcff292afa5b617bf38974f011cb8c44b16
Instruction ID: b7484dc350ae4b698d06df24e6f54f8242ce954ef6036649c6e2d9891a72fd00
Opcode Fuzzy Hash: 54bafcd4f452923c6dd5c3b503312fcff292afa5b617bf38974f011cb8c44b16
Instruction Fuzzy Hash: 6A710A32E00209CECB2CDEB9C6E99DDFF76BB94600F10E25F9095A7598C7356A429E50

Function 0040D0B0 Relevance: 73.8, APIs: 30, Strings: 12, Instructions: 308
registrylibraryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDllDirectoryW.KERNEL32(00419D44), ref: 0040D0D1
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 0040D107
VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 0040D113
VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003,?,00000001,00000003), ref: 0040D11F
VerSetConditionMask.KERNEL32(00000000,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D12B
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 0040D13A
GetLastError.KERNEL32(?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D144
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D190
VerSetConditionMask.KERNEL32(00000000,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D19C
VerifyVersionInfoW.KERNEL32(?,00000003,00000000), ref: 0040D1AB
LoadLibraryExW.KERNEL32(cryptnet.dll,00000000,00000800,SOFTWARE\Microsoft\Cryptography\Defaults\Provider,Image Path,SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv,Dll,?,?,00000001,00000001,?,?,00000010,00000003), ref: 0040D1ED
GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D200
OpenProcessToken.ADVAPI32(00000000,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D207
GetTokenInformation.ADVAPI32(0000011C,00000014(TokenIntegrityLevel),?,00000004,?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003), ref: 0040D22B
CloseHandle.KERNEL32(?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D241
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Policies\Zoom\Zoom Meetings\General,00000000,00020019,?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003), ref: 0040D267
RegGetValueW.ADVAPI32(?,00000000,Disable3rdModuleVerify,0000FFFF,00000006,?,?,?,?,00000001,00000001,?,?,00000010,00000003), ref: 0040D2A0
RegCloseKey.ADVAPI32(?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D2AC
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000,?,?,?,00000118), ref: 0040D315
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000118), ref: 0040D376
CreateFileA.KERNEL32(?,10000000,00000003,00000000,00000002,00000080,00000000), ref: 0040D3AB
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000118), ref: 0040D3BC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 0040D3E3
CreateSemaphoreW.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 0040D3FE
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040D411
CreateThread.KERNEL32(00000000,00000000,0040EA50,00429068,00000004,00000000), ref: 0040D43A
ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000118), ref: 0040D454
GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D477
GetProcAddress.KERNEL32(00000000,LdrRegisterDllNotification), ref: 0040D489
GetProcAddress.KERNEL32(00000000,LdrUnregisterDllNotification), ref: 0040D497

Strings

ZoomVDI, xrefs: 0040D33B, 0040D35B
Image Path, xrefs: 0040D1D2
SOFTWARE\Policies\Zoom\Zoom Meetings\General, xrefs: 0040D259
SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv, xrefs: 0040D1C8
ntdll.dll, xrefs: 0040D472
\appsafecheck.txt, xrefs: 0040D37C
SOFTWARE\Microsoft\Cryptography\Defaults\Provider, xrefs: 0040D1D7
LdrUnregisterDllNotification, xrefs: 0040D48F
cryptnet.dll, xrefs: 0040D1E8
Disable3rdModuleVerify, xrefs: 0040D295
LdrRegisterDllNotification, xrefs: 0040D483
Dll, xrefs: 0040D1C3

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ConditionCreateMask$CloseHandle$AddressDirectoryFileInfoOpenProcProcessThreadTokenVerifyVersion$CurrentErrorEventFolderInformationLastLibraryLoadModulePathResumeSemaphoreSpecialValue
String ID: Disable3rdModuleVerify$Dll$Image Path$LdrRegisterDllNotification$LdrUnregisterDllNotification$SOFTWARE\Microsoft\Cryptography\Defaults\Provider$SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv$SOFTWARE\Policies\Zoom\Zoom Meetings\General$ZoomVDI$\appsafecheck.txt$cryptnet.dll$ntdll.dll
API String ID: 695945955-2430632280
Opcode ID: e1f959e6f971e7319ddb763f41403bf31d78c8abb299f65c2b581fd2ccc26623
Instruction ID: e3f8eedf6af3ffbc4967407a62473a63f14479d3ec8d4df312e392e0d987a7e2
Opcode Fuzzy Hash: e1f959e6f971e7319ddb763f41403bf31d78c8abb299f65c2b581fd2ccc26623
Instruction Fuzzy Hash: F1B1B370B40301BBE7209F60DC4AF9B77A8EB44B05F40893AF655E61E0D7B89909CB5E

Function 00412270 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 222
filelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 0041229A
GetPrivateProfileStringW.KERNEL32(ZoomChat,com.zoom.test.disable_crash_handler,00000000,?,00000008,?), ref: 00412309
SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000), ref: 00412340
PathAppendW.SHLWAPI(?,ZoomVDI), ref: 00412357
PathAppendW.SHLWAPI(?,logs), ref: 0041236A
GetCurrentProcessId.KERNEL32 ref: 00412375
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 00412388
GetLastError.KERNEL32 ref: 00412396
ImpersonateLoggedOnUser.ADVAPI32(00000000), ref: 004123C1
GetLastError.KERNEL32 ref: 004123CD
CloseHandle.KERNEL32(?), ref: 004123D7
CreateDirectoryW.KERNEL32(?,00000000), ref: 004123EB
GetTempFileNameW.KERNEL32(?,zoomtest,00000000,?), ref: 0041241F
DeleteFileW.KERNEL32(?), ref: 00412431
RevertToSelf.ADVAPI32 ref: 0041243C
CloseHandle.KERNEL32(00000000), ref: 00412447
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 004124F5
VerSetConditionMask.KERNEL32(00000000), ref: 004124FD
VerSetConditionMask.KERNEL32(00000000), ref: 00412505
VerifyVersionInfoW.KERNEL32(?), ref: 0041253A
GetModuleHandleW.KERNEL32(zCrashReport.dll), ref: 0041257E
GetProcAddress.KERNEL32(00000000,crSetZoomHome), ref: 0041258E

Strings

logs, xrefs: 0041235D
ZoomVDI, xrefs: 0041234A, 0041259A
yes, xrefs: 0041231A
zCrashReport.dll, xrefs: 00412579
crSetZoomHome, xrefs: 00412588
com.zoom.test.disable_crash_handler, xrefs: 004122FF
ZoomChat, xrefs: 00412304
zoomtest, xrefs: 00412412
\Zoom\data\Zoom.us.ini, xrefs: 004122A8

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Path$ConditionHandleMask$AppendCloseErrorFileFolderLastProcessSpecial$AddressCreateCurrentDeleteDirectoryImpersonateInfoLoggedModuleNameOpenPrivateProcProfileRevertSelfStringTempUserVerifyVersion
String ID: ZoomChat$ZoomVDI$\Zoom\data\Zoom.us.ini$com.zoom.test.disable_crash_handler$crSetZoomHome$logs$yes$zCrashReport.dll$zoomtest
API String ID: 1294346636-1563055977
Opcode ID: 6d4db1bb0bed33e30413c97dc72b642164295202b736abbae61969f2f0ffef42
Instruction ID: 12433930e13e6caf05908e59b317de0784475af6ab8e2ec7126003c472830eac
Opcode Fuzzy Hash: 6d4db1bb0bed33e30413c97dc72b642164295202b736abbae61969f2f0ffef42
Instruction Fuzzy Hash: FA81A271645344ABE720DFA0ED09FDB77ECAF84B01F40492AF948D61D0DBB89948CB5A

Function 004125C0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 129
memoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WTHelperProvDataFromStateData.WINTRUST(?,00000000,00000000,00000000,?,?,?,?,?,00412868), ref: 004125CF
WTHelperGetProvSignerFromChain.WINTRUST(00000000,00000000,00000000,00000000,?,?,?,?,?,00412868), ref: 004125F7
WTHelperGetProvCertFromChain.WINTRUST(00000000,00000000,?,?,?,?,?,00412868), ref: 00412618
CertGetNameStringW.CRYPT32(?,00000004,00000000,00000000,00000000,00000000,?,?,?,?,?,00412868), ref: 0041263C
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,00412868), ref: 004126C8
HeapFree.KERNEL32(00000000,?,?,?,?,?,00412868), ref: 004126CF
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,00412868), ref: 00412704
HeapFree.KERNEL32(00000000,?,?,?,?,?,00412868), ref: 0041270B

Strings

h(A, xrefs: 004126A1
Zoom Video Communications, Inc., xrefs: 004126A7

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Heap$FromHelperProv$CertChainDataFreeProcess$NameSignerStateString
String ID: Zoom Video Communications, Inc.$h(A
API String ID: 1193424130-546350467
Opcode ID: f5d44680248929655a779e8b52e6a80615bd4f95dfae2ca292d3e3ad0e7b2e22
Instruction ID: b50a9664b00a001a61916bde13f5431a76f3f421a5cc4ad1fd8f560c47aafd93
Opcode Fuzzy Hash: f5d44680248929655a779e8b52e6a80615bd4f95dfae2ca292d3e3ad0e7b2e22
Instruction Fuzzy Hash: 2241C330A40310BFDB209FA59D88BDFBB78FF48711F1044AAE905E72D0C6B499908A6C

Function 00402820 Relevance: 24.9, APIs: 1, Strings: 13, Instructions: 421
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0040282A

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Part of subcall function 00401B8F: __EH_prolog3_GS.LIBCMT ref: 00401B96

Part of subcall function 00402E6C: __EH_prolog3.LIBCMT ref: 00402E73

Strings

, strPageImgName:, xrefs: 00402888
, strEncryptedFilePath:, xrefs: 00402B01, 00402C1A
[CDocConvertVbsIPCServer::HandleIPC_VBSIPCConvertProgressMessage] fn.IsExists is false! strImageFilePath:, xrefs: 00402D34
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 0040286C, 00402914, 00402AE8, 00402C04, 00402D14, 00402DD2
[CDocConvert::HandleIPC_VBSIPCConvertProgressMessage] EncryptImgFile bEncrypt:, xrefs: 00402B19
[CDocConvertVbsIPCServer::HandleIPC_VBSIPCConvertProgressMessage] m_ipcSender is NULL!, xrefs: 00402934
, m_nPPTSliderShowNum:, xrefs: 00402C35
[CDocConvert::HandleIPC_VBSIPCConvertProgressMessage] SendImgConvertProgressMessage strTaskID:, xrefs: 00402C3A
, strImageFilePath:, xrefs: 00402B06
[CDocConvertVbsIPCServer::HandleIPC_VBSIPCConvertProgressMessage] strTaskID:, xrefs: 00402893
, m_nVbsSucessNum:, xrefs: 00402DF7
, uPageIndexFinished:, xrefs: 0040288E, 00402C20
[CDocConvert::HandleIPC_VBSIPCConvertProgressMessage] SendImgConvertFinishMessage strTaskID:, xrefs: 00402DFC

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3_$H_prolog3ProtectVirtual
String ID: , m_nPPTSliderShowNum:$, m_nVbsSucessNum:$, strEncryptedFilePath:$, strImageFilePath:$, strPageImgName:$, uPageIndexFinished:$[CDocConvert::HandleIPC_VBSIPCConvertProgressMessage] EncryptImgFile bEncrypt:$[CDocConvert::HandleIPC_VBSIPCConvertProgressMessage] SendImgConvertFinishMessage strTaskID:$[CDocConvert::HandleIPC_VBSIPCConvertProgressMessage] SendImgConvertProgressMessage strTaskID:$[CDocConvertVbsIPCServer::HandleIPC_VBSIPCConvertProgressMessage] fn.IsExists is false! strImageFilePath:$[CDocConvertVbsIPCServer::HandleIPC_VBSIPCConvertProgressMessage] m_ipcSender is NULL!$[CDocConvertVbsIPCServer::HandleIPC_VBSIPCConvertProgressMessage] strTaskID:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 2383558652-3366109944
Opcode ID: bd2a8017478969f8550b368d860d8566346eaa83fdf1b42b377f117a52fa0dba
Instruction ID: 7ac1cac9bd74252e321e61f593a8f3a43cd74f212c4c8407b1e11f1666e8ce68
Opcode Fuzzy Hash: bd2a8017478969f8550b368d860d8566346eaa83fdf1b42b377f117a52fa0dba
Instruction Fuzzy Hash: 96F15C31944308ABDB14DB64DD5ABDD7BB4AF08314F1085AEE44AB71E1DF786E84CB18

Function 0040385C Relevance: 24.8, APIs: 4, Strings: 10, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 0040394D
GetLastError.KERNEL32(00419E1C), ref: 00403998
__EH_prolog3_GS.LIBCMT ref: 00403866

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

GetLastError:, xrefs: 0040399F, 00403BB4
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00403889, 004038F0, 00403970, 00403A12, 00403ABB, 00403B2F, 00403B8B, 00403C28
[CDocConvert::InitPPTApp], xrefs: 004038A5
[CDocConvert::InitPPTApp] bRet: , xrefs: 00403C49
[CDocConvert::::InitPPTApp] m_appPPT.CreateInstance Begin!, xrefs: 00403A35
[CDocConvert::InitPPTApp] m_appPPT.CreateInstance failed! hr:, xrefs: 00403BBF
[CDocConvert::InitPPTApp] Success, xrefs: 00403B4C
[CDocConvert::InitPPTApp] already init success, don't need init twice!, xrefs: 00403913
[CDocConvert::InitPPTApp] CoInitialize failed! hr:, xrefs: 004039AA
[CDocConvert::::InitPPTApp] m_appPPT.CreateInstance End!, xrefs: 00403AD8

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ErrorH_prolog3_InitializeLastProtectVirtual
String ID: GetLastError:$[CDocConvert::::InitPPTApp] m_appPPT.CreateInstance Begin!$[CDocConvert::::InitPPTApp] m_appPPT.CreateInstance End!$[CDocConvert::InitPPTApp]$[CDocConvert::InitPPTApp] CoInitialize failed! hr:$[CDocConvert::InitPPTApp] Success$[CDocConvert::InitPPTApp] already init success, don't need init twice!$[CDocConvert::InitPPTApp] bRet: $[CDocConvert::InitPPTApp] m_appPPT.CreateInstance failed! hr:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 81410529-2550331507
Opcode ID: a1d979d50b407f588d9ae7c930a741d1c243bb16bd1f797c0998d9925e67fd5d
Instruction ID: 57b23c03f83f004b13c8609271ebef5c86295075e4918dc55f590b15d17cc4e0
Opcode Fuzzy Hash: a1d979d50b407f588d9ae7c930a741d1c243bb16bd1f797c0998d9925e67fd5d
Instruction Fuzzy Hash: 09B17F71A40304AFDB049FA4EC9ABDD7B74EB08721F20856EF552B61E1DB785E81CA1C

Function 0040E290 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 276
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(004270B0,00000000,00000000,00000000,-00000002,?), ref: 0040E42C
LeaveCriticalSection.KERNEL32(004270B0,?,?), ref: 0040E46E
GetProcessWindowStation.USER32 ref: 0040E50C
GetUserObjectInformationA.USER32(00000000,00000001,?,0000000C,00000000), ref: 0040E534
MessageBoxW.USER32(00000000,00000000,Zoom VDI Workspace,00000134), ref: 0040E56A
GetCurrentProcess.KERNEL32(00000000), ref: 0040E5BC
TerminateProcess.KERNEL32(00000000), ref: 0040E5C3

Strings

is using , xrefs: 0040E37F
Are you sure you want to run this software?, xrefs: 0040E3A0
from an unknown publisher., xrefs: 0040E394
Zoom VDI Workspace, xrefs: 0040E562
\, xrefs: 0040E313
/, xrefs: 0040E31A

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Process$CriticalSection$CurrentEnterInformationLeaveMessageObjectStationTerminateUserWindow
String ID: Are you sure you want to run this software?$ from an unknown publisher.$ is using $/$Zoom VDI Workspace$\
API String ID: 2420998183-416803619
Opcode ID: 2bf8120df42d5ae13eb7732456e3f9a56e850d34b8fa7da0e23844d81cef106c
Instruction ID: 267653b6ebe412005e2447c441a6f636b24535a257520f429c62a23f51abf88a
Opcode Fuzzy Hash: 2bf8120df42d5ae13eb7732456e3f9a56e850d34b8fa7da0e23844d81cef106c
Instruction Fuzzy Hash: 8BB1D131A00209DBCB14DFA5C995BEEB7B1EF44304F14893EE802A72D1DB78AD95CB58

Function 00414227 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0042CA60,00000FA0,?,?,00414205), ref: 00414233
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00414205), ref: 0041423E
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00414205), ref: 0041424F
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00414261
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041426F
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00414205), ref: 00414292
DeleteCriticalSection.KERNEL32(0042CA60,00000007,?,?,00414205), ref: 004142B5
CloseHandle.KERNEL32(00000000,?,?,00414205), ref: 004142C5

Strings

kernel32.dll, xrefs: 0041424A
WakeAllConditionVariable, xrefs: 00414267
SleepConditionVariableCS, xrefs: 0041425B
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00414239

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 7be4f200a74566f98bae5b6bf37b9bf44712cfd1cf6637fc1aae46b7f6747bf0
Instruction ID: eadbdf53527f21697c7c976fa47b2d8f361e7f744fd41d0908bb9d316aa554bb
Opcode Fuzzy Hash: 7be4f200a74566f98bae5b6bf37b9bf44712cfd1cf6637fc1aae46b7f6747bf0
Instruction Fuzzy Hash: 7901D231B807156BDB209B70BD5DBDF3A98AF84B907144472FC01D2290EA788CC08A9D

Function 00411550 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 240memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00411609
SysFreeString.OLEAUT32(-00000001), ref: 0041168E
SysFreeString.OLEAUT32(-00000001), ref: 004116D1
VariantClear.OLEAUT32(00000000), ref: 00411798
VariantClear.OLEAUT32(00000001), ref: 00411807
CoUninitialize.OLE32(?,?,?), ref: 0041183C
_com_issue_error.COMSUPP ref: 00411862

Strings

ProcessId, xrefs: 0041177C
SELECT * FROM Win32_Process where name='%s', xrefs: 004115BE
POWERPNT.exe, xrefs: 004115B9
WQL, xrefs: 0041163C

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: String$ClearFreeVariant$AllocUninitialize_com_issue_error
String ID: POWERPNT.exe$ProcessId$SELECT * FROM Win32_Process where name='%s'$WQL
API String ID: 4015948099-2835684465
Opcode ID: 4cae6ba28725c6cddbb5ed1f9e0ff0da51b4a2f84b92ba040e82ed207b66b41a
Instruction ID: a58cffc29cf6f6dc8c416da25baa1a5b74b5660a5db0f35f5bfc5b23c7ff9db2
Opcode Fuzzy Hash: 4cae6ba28725c6cddbb5ed1f9e0ff0da51b4a2f84b92ba040e82ed207b66b41a
Instruction Fuzzy Hash: EC9191706043019FD310DF24C855F9BB7E8AF88708F14851EF559DB2A0EB79E985CB9A

Function 004035BE Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 191threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004035C8
TerminateThread.KERNEL32(00000000,00000000), ref: 00403737
CloseHandle.KERNEL32(00000000), ref: 00403740

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

TerminateThread.KERNEL32(00000000,00000000), ref: 00403840
CloseHandle.KERNEL32(00000000), ref: 00403849

Strings

[CDocConvert::CleanThread] TerminateThread m_hThreadDetect!, xrefs: 0040380F
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 004035E7, 0040366A, 004036E0, 0040377D, 004037EF
[CDocConvert::CleanThread] m_eventExitConvertThreadRsp.Lock lockRet:, xrefs: 0040368B
[CDocConvert::CleanThread] TerminateThread m_hThreadConvert!, xrefs: 004036FC
[CDocConvert::CleanThread] m_eventExitDetectThreadRsp.Lock lockRet:, xrefs: 0040379E
CDocConvert CleanThread , xrefs: 00403603

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: CloseHandleTerminateThread$H_prolog3ProtectVirtual
String ID: CDocConvert CleanThread $[CDocConvert::CleanThread] TerminateThread m_hThreadConvert!$[CDocConvert::CleanThread] TerminateThread m_hThreadDetect!$[CDocConvert::CleanThread] m_eventExitConvertThreadRsp.Lock lockRet:$[CDocConvert::CleanThread] m_eventExitDetectThreadRsp.Lock lockRet:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 3327035812-490934195
Opcode ID: ee8d1510abf3b5228d5ff3d454226bc46edae28d685278d321626e8e0c5e821f
Instruction ID: c58c28c889137a41e0bcbd66b77d7563fd19abb7d98ff48b9d8d5a56de94fa08
Opcode Fuzzy Hash: ee8d1510abf3b5228d5ff3d454226bc46edae28d685278d321626e8e0c5e821f
Instruction Fuzzy Hash: 6E61A471950700ABD7249F60DC5ABDE7BB4FF08721F244A6EF452A61E1DBB85E80CA0C

Function 0040AB56 Relevance: 17.9, APIs: 2, Strings: 8, Instructions: 377COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0040AC75
__EH_prolog3_GS.LIBCMT ref: 0040AC85

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

com.zoom.ipc.doccovtvbsapp_, xrefs: 0040AD73
[CDocConvertVbsIPCServer::Init], xrefs: 0040ACA2
[CDocConvertVbsIPCServer::CDocConvertVbsIPCServer] chanel_name_:, xrefs: 0040ADD1
, start_succ:, xrefs: 0040AF91
[CDocConvertVbsIPCServer::Init] is_good:, xrefs: 0040AFA3
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040ACE5, 0040ADB1, 0040AEDD, 0040AF7A
[CDocConvertVbsIPCServer::Init] ipc_server_:, xrefs: 0040AF00
[CDocConvertVbsIPCServer::Init] is already inited. UnInit first., xrefs: 0040AD04

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Concurrency::cancel_current_taskH_prolog3_ProtectVirtual
String ID: , start_succ:$[CDocConvertVbsIPCServer::CDocConvertVbsIPCServer] chanel_name_:$[CDocConvertVbsIPCServer::Init]$[CDocConvertVbsIPCServer::Init] ipc_server_:$[CDocConvertVbsIPCServer::Init] is already inited. UnInit first.$[CDocConvertVbsIPCServer::Init] is_good:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp$com.zoom.ipc.doccovtvbsapp_
API String ID: 2490808664-150838044
Opcode ID: 53ac09ad68d1f9039d5a559351e08a01484ee2d6fa628184f6c129e6662fa568
Instruction ID: 149bc477d0c5e852371e299875de303a08aa14c6ab15b4b396115825e528068c
Opcode Fuzzy Hash: 53ac09ad68d1f9039d5a559351e08a01484ee2d6fa628184f6c129e6662fa568
Instruction Fuzzy Hash: 22E1BC71900314ABDB149F64DD9ABDEBBB1FF48304F14806EE40AA72D1DB785E81CB19

Function 0040A48F Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0040A687
GetProcAddress.KERNEL32 ref: 0040A497

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvertIPCAgent::LoadWebService] bRet:, xrefs: 0040A6DC
[CDocConvertIPCAgent::LoadWebService] Error, pSBWebService is NULL!, xrefs: 0040A5D6
zoomus.class.ISBWebServiceAPI, xrefs: 0040A583
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertIPCAgent.cpp, xrefs: 0040A4B9, 0040A531, 0040A5B4, 0040A61B, 0040A6B7
[CDocConvertIPCAgent::LoadWebService] Error, pfInitModule is NULL!, xrefs: 0040A4DC
[CDocConvertIPCAgent::LoadWebService] Error, pMQClientWebService is NULL!, xrefs: 0040A554
[CDocConvertIPCAgent::LoadWebService] bRet is false, will unload!, xrefs: 0040A63B

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: AddressFreeLibraryProcProtectVirtual
String ID: [CDocConvertIPCAgent::LoadWebService] Error, pMQClientWebService is NULL!$[CDocConvertIPCAgent::LoadWebService] Error, pSBWebService is NULL!$[CDocConvertIPCAgent::LoadWebService] Error, pfInitModule is NULL!$[CDocConvertIPCAgent::LoadWebService] bRet is false, will unload!$[CDocConvertIPCAgent::LoadWebService] bRet:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertIPCAgent.cpp$zoomus.class.ISBWebServiceAPI
API String ID: 534670035-2533332826
Opcode ID: 3290f3a2f0dd1c719ba24301017fcf22caaa84da7f66635076d447e772284814
Instruction ID: af3e93a29a9dffe31318a46e62a52793d8324cc7d565a543d3ddef1080db9eef
Opcode Fuzzy Hash: 3290f3a2f0dd1c719ba24301017fcf22caaa84da7f66635076d447e772284814
Instruction Fuzzy Hash: D061CF72A40304ABE7149B64DC5ABEE77B0EF04720F24496EE512F62E1DBB84D81CA0D

Function 00412720 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 138memoryfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000), ref: 0041275C
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,?), ref: 004127F3
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 00412814
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 00412832
GetProcessHeap.KERNEL32(00000000,?), ref: 00412881
HeapFree.KERNEL32(00000000), ref: 00412888
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 0041289F

Strings

4, xrefs: 004127BB

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: TrustVerify$Heap$CreateFileFreeProcess
String ID: 4
API String ID: 844456146-4088798008
Opcode ID: 9e3167213d219f8f1cf1ea40f5b04b6ce5d237ab1975849d844118587953a85b
Instruction ID: 30a4058f0173cd2fa46ea9dbc6a0dfddb02297b452ecc5d162b3dce015d20828
Opcode Fuzzy Hash: 9e3167213d219f8f1cf1ea40f5b04b6ce5d237ab1975849d844118587953a85b
Instruction Fuzzy Hash: A65121B1D002499BDF10DFD9C984BEEBBB8BF48314F108229E815B7290D7B45999CF65

Function 0040A716 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 137libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,TermModule), ref: 0040A7E8
FreeLibrary.KERNEL32(00000000), ref: 0040A874
__EH_prolog3.LIBCMT ref: 0040A720

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

TermModule, xrefs: 0040A7E0
[CDocConvertIPCAgent::UnLoadWebService], xrefs: 0040A75B
[CDocConvertIPCAgent::UnLoadWebService] return CmmTrue!, xrefs: 0040A8B4
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertIPCAgent.cpp, xrefs: 0040A732, 0040A743, 0040A7A4, 0040A806, 0040A894
[CDocConvertIPCAgent::UnLoadWebService] Error, m_hModuleWebservice is NULL!, xrefs: 0040A7C0
[CDocConvertIPCAgent::UnLoadWebService] Error, pfTermModule is NULL!, xrefs: 0040A826

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: AddressFreeH_prolog3LibraryProcProtectVirtual
String ID: TermModule$[CDocConvertIPCAgent::UnLoadWebService]$[CDocConvertIPCAgent::UnLoadWebService] Error, m_hModuleWebservice is NULL!$[CDocConvertIPCAgent::UnLoadWebService] Error, pfTermModule is NULL!$[CDocConvertIPCAgent::UnLoadWebService] return CmmTrue!$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertIPCAgent.cpp
API String ID: 3777936632-3443123305
Opcode ID: ceb88864714ad80e6b653e614704c2039d078bb7c436caedcb3683162fbccc4e
Instruction ID: ba2ad7c8cb7d965e1e82bf5b0aabdcc5086ac0a5988c5af8798d1d52c742b88f
Opcode Fuzzy Hash: ceb88864714ad80e6b653e614704c2039d078bb7c436caedcb3683162fbccc4e
Instruction Fuzzy Hash: 3B41A172940300AFE714AB64DC5ABDE37B0FB04325F20897EE042A61E1DBBC9D91CA1D

Function 004128E0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 118memoryfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000,00429068,?,?), ref: 0041293A
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,?), ref: 004129A5
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 004129C6
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 004129E4
GetProcessHeap.KERNEL32(00000000,?), ref: 004129FE
HeapFree.KERNEL32(00000000), ref: 00412A05
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 00412A1C
CloseHandle.KERNEL32(00000000), ref: 00412A35

Strings

4, xrefs: 00412979

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: TrustVerify$Heap$CloseCreateFileFreeHandleProcess
String ID: 4
API String ID: 2170017040-4088798008
Opcode ID: 8770e014fbd8c3404b5246c69a0cf5acd8f86c54a6182c4c019deb2d28d51030
Instruction ID: 4e2db92958abd06cf54a71d5c530e8a3d2865fa8e82589dd7844bb842cae8d26
Opcode Fuzzy Hash: 8770e014fbd8c3404b5246c69a0cf5acd8f86c54a6182c4c019deb2d28d51030
Instruction Fuzzy Hash: 8C4130B1D00218ABDB10CFD9DD84BDEBBB8EF04324F10422AE825B72D0D7B459458F64

Function 0040C292 Relevance: 15.1, APIs: 10, Instructions: 76windowthreadtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040C29C

Part of subcall function 0040D0B0: SetDllDirectoryW.KERNEL32(00419D44), ref: 0040D0D1
Part of subcall function 0040D0B0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 0040D107
Part of subcall function 0040D0B0: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 0040D113
Part of subcall function 0040D0B0: VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003,?,00000001,00000003), ref: 0040D11F
Part of subcall function 0040D0B0: VerSetConditionMask.KERNEL32(00000000,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D12B
Part of subcall function 0040D0B0: VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 0040D13A
Part of subcall function 0040D0B0: GetLastError.KERNEL32(?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D144
Part of subcall function 0040D0B0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D190
Part of subcall function 0040D0B0: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D19C
Part of subcall function 0040D0B0: VerifyVersionInfoW.KERNEL32(?,00000003,00000000), ref: 0040D1AB
Part of subcall function 0040D0B0: LoadLibraryExW.KERNEL32(cryptnet.dll,00000000,00000800,SOFTWARE\Microsoft\Cryptography\Defaults\Provider,Image Path,SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv,Dll,?,?,00000001,00000001,?,?,00000010,00000003), ref: 0040D1ED
Part of subcall function 0040D0B0: GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D200
Part of subcall function 0040D0B0: OpenProcessToken.ADVAPI32(00000000,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0040D207

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 0041229A
Part of subcall function 00412270: GetPrivateProfileStringW.KERNEL32(ZoomChat,com.zoom.test.disable_crash_handler,00000000,?,00000008,?), ref: 00412309
Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000), ref: 00412340
Part of subcall function 00412270: PathAppendW.SHLWAPI(?,ZoomVDI), ref: 00412357
Part of subcall function 00412270: PathAppendW.SHLWAPI(?,logs), ref: 0041236A
Part of subcall function 00412270: GetCurrentProcessId.KERNEL32 ref: 00412375
Part of subcall function 00412270: OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 00412388
Part of subcall function 00412270: GetLastError.KERNEL32 ref: 00412396

SetErrorMode.KERNEL32(00000002,?,000001B0), ref: 0040C2BD

Part of subcall function 004121E0: GetModuleHandleW.KERNEL32(zCrashReport.dll,0040C2C8,?,000001B0), ref: 004121E5
Part of subcall function 004121E0: GetProcAddress.KERNEL32(00000000,crSetCrashCallbackW), ref: 004121F5

GetCurrentThreadId.KERNEL32 ref: 0040C31F
SetConsoleCtrlHandler.KERNEL32(Function_0000C1F0,00000001), ref: 0040C331
SetTimer.USER32(00000000,00000001,00000032,Function_0000C280), ref: 0040C340
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040C352
TranslateMessage.USER32(?), ref: 0040C364
DispatchMessageW.USER32(?), ref: 0040C371
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040C381
SetConsoleCtrlHandler.KERNEL32(Function_0000C1F0,00000000), ref: 0040C38D

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ConditionMask$MessagePathProcess$CurrentError$AppendConsoleCtrlFolderHandlerInfoLastOpenSpecialVerifyVersion$AddressDirectoryDispatchH_prolog3_HandleLibraryLoadModeModulePrivateProcProfileStringThreadTimerTokenTranslate
String ID:
API String ID: 3343810788-0
Opcode ID: 8dadc06e9dbc00c87a32a17101f0fe4498e6a079432756071ec74662e6223704
Instruction ID: 0df3743305b4662a0f30d548fb76cd88d12e2cbeb7f902348f3e3a882e6e6513
Opcode Fuzzy Hash: 8dadc06e9dbc00c87a32a17101f0fe4498e6a079432756071ec74662e6223704
Instruction Fuzzy Hash: 332151B1900219DBDB209B61DC98ADE7778BF46705F4086BAF506A21A0D7388E45CF59

Function 0040BA63 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 254COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040BA6D

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Part of subcall function 00401B8F: __EH_prolog3_GS.LIBCMT ref: 00401B96

Strings

, nPageShowCount:, xrefs: 0040BC86
[CDocConvertVbsIPCServer::Handle_VBSIPCGetSliderCountMessage] strTaskID:, xrefs: 0040BC91
[CDocConvertVbsIPCServer::Handle_VBSIPCGetSliderCountMessage] m_MessageHandler is NULL!, xrefs: 0040BB2B
, nPageCount:, xrefs: 0040BC8C
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040BA97, 0040BB0B, 0040BC60, 0040BD10
[CDocConvertVbsIPCServer::Handle_VBSIPCGetSliderCountMessage] strIPCMessage:, xrefs: 0040BAB4
[CDocConvertVbsIPCServer::Handle_VBSIPCGetSliderCountMessage] call HandleIPC_VBSIPCConvertProgressMessage., xrefs: 0040BD2D

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3_$ProtectVirtual
String ID: , nPageCount:$, nPageShowCount:$[CDocConvertVbsIPCServer::Handle_VBSIPCGetSliderCountMessage] call HandleIPC_VBSIPCConvertProgressMessage.$[CDocConvertVbsIPCServer::Handle_VBSIPCGetSliderCountMessage] m_MessageHandler is NULL!$[CDocConvertVbsIPCServer::Handle_VBSIPCGetSliderCountMessage] strIPCMessage:$[CDocConvertVbsIPCServer::Handle_VBSIPCGetSliderCountMessage] strTaskID:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp
API String ID: 624373510-3212152969
Opcode ID: 33cc2ba9570ac06e666546046795ba742bea2b67b153925532d20454076ccba8
Instruction ID: 4651389eddfd64d4942431231ff233d34f5cc01462db626f5184f5cb9502775e
Opcode Fuzzy Hash: 33cc2ba9570ac06e666546046795ba742bea2b67b153925532d20454076ccba8
Instruction Fuzzy Hash: 5A916B32904309ABDB159BA4DC99ADDBBB4EF18311F20802EE406B72D1DF785E85CB5C

Function 0040BD99 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 243COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040BDA3

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Part of subcall function 00401B8F: __EH_prolog3_GS.LIBCMT ref: 00401B96

Strings

[CDocConvertVbsIPCServer::Handle_VBSIPCConvertProgressMessage] m_MessageHandler is NULL!, xrefs: 0040BE76
[CDocConvertVbsIPCServer::Handle_VBSIPCConvertProgressMessage] strIPCMessage:, xrefs: 0040BDF6
, strImgName:, xrefs: 0040BFC4
[CDocConvertVbsIPCServer::Handle_VBSIPCConvertProgressMessage] call HandleIPC_VBSIPCConvertProgressMessage., xrefs: 0040C07E
, nPageFinishIndex:, xrefs: 0040BFD6
[CDocConvertVbsIPCServer::Handle_VBSIPCConvertProgressMessage] strTaskID:, xrefs: 0040BFDB
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040BDD9, 0040BE56, 0040BFAE, 0040C061

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3_$ProtectVirtual
String ID: , nPageFinishIndex:$, strImgName:$[CDocConvertVbsIPCServer::Handle_VBSIPCConvertProgressMessage] call HandleIPC_VBSIPCConvertProgressMessage.$[CDocConvertVbsIPCServer::Handle_VBSIPCConvertProgressMessage] m_MessageHandler is NULL!$[CDocConvertVbsIPCServer::Handle_VBSIPCConvertProgressMessage] strIPCMessage:$[CDocConvertVbsIPCServer::Handle_VBSIPCConvertProgressMessage] strTaskID:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp
API String ID: 624373510-647356355
Opcode ID: 6eb867db84de515e8873a264e4678672b7ceeaedb205744788f40ebcfedc3da4
Instruction ID: 469fe8e027f0674d6574de2f878ccbdcf436e3ac4ee0606df8ab73521b966ea5
Opcode Fuzzy Hash: 6eb867db84de515e8873a264e4678672b7ceeaedb205744788f40ebcfedc3da4
Instruction Fuzzy Hash: 1F918C7190020ADBDB149B64DD9ABDDBBB4EF04314F1080AEE50AB71E1DF385E85CB58

Function 00403C87 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00403C91
CoUninitialize.OLE32 ref: 00403E2C

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

_com_issue_error.COMSUPP ref: 00403E99

Strings

[CDocConvert::ExitPPTApp] m_appPPT->Quit() , xrefs: 00403D72
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00403CB0, 00403D4F, 00403DD8, 00403E42
[CDocConvert::ExitPPTApp] m_appPPT->Release() , xrefs: 00403DF4
[CDocConvert::ExitPPTApp] m_bInitApp: , xrefs: 00403CD6
[CDocConvert::ExitPPTApp] End, xrefs: 00403E62

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectUninitializeVirtual_com_issue_error
String ID: [CDocConvert::ExitPPTApp] End$[CDocConvert::ExitPPTApp] m_appPPT->Quit() $[CDocConvert::ExitPPTApp] m_appPPT->Release() $[CDocConvert::ExitPPTApp] m_bInitApp: $c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 2656218265-3493313017
Opcode ID: 68727294244794ec20b2fcd33cccc9c7da88c9a4e79c3c41485c4c0f148f8f61
Instruction ID: 18cc4debb24305264030b38cec7edcd4e448e4ec5132a04508bf7c38e9d3671c
Opcode Fuzzy Hash: 68727294244794ec20b2fcd33cccc9c7da88c9a4e79c3c41485c4c0f148f8f61
Instruction Fuzzy Hash: C8519A32940714ABDB15DF60EC9ABDE7B74FF08321F24466EE411AA1E1CB785E81CA4C

Function 004030A4 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 132COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004030AE
GetTickCount64.KERNEL32 ref: 004030C1

Strings

u32TimeoutMS:, xrefs: 00403165
u64CurTicket:, xrefs: 0040315D
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00403124
[CDocConvert::ConvertDetectTimeout]! strDetectGUID: , xrefs: 00403172
> u64Timestamp:, xrefs: 00403152
enumDetectFunc: , xrefs: 0040316D

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Count64H_prolog3_Tick
String ID: > u64Timestamp:$ enumDetectFunc: $ u32TimeoutMS:$ u64CurTicket:$[CDocConvert::ConvertDetectTimeout]! strDetectGUID: $c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 2049389690-960057003
Opcode ID: aeb70f4b85a6121d81040206a75301ce84ee70978a23e64459917e3ece7cfb56
Instruction ID: 5c79b996fac3b27d7f1accdab238eb015067ee496fef3d9631b613940f5ef827
Opcode Fuzzy Hash: aeb70f4b85a6121d81040206a75301ce84ee70978a23e64459917e3ece7cfb56
Instruction Fuzzy Hash: 45413B72D04208AFDF05EFE4E8599DDBBB5AF08311F20842EF401B72E1DB7869818B58

Function 0040D500 Relevance: 13.7, APIs: 9, Instructions: 201registrylibraryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?,?,?,?,00000118), ref: 0040D599
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000C7,00000000,00000000,00000000,00000000), ref: 0040D5D6
RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,?), ref: 0040D651
RegGetValueW.ADVAPI32(00000000,00000000,?,0000FFFF,?,?,00000F9E), ref: 0040D6B4
RegCloseKey.ADVAPI32(?), ref: 0040D6C2
PathIsRelativeW.SHLWAPI(?), ref: 0040D706
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 0040D722
RegEnumKeyExW.ADVAPI32(?,00000001,?,?,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,00000118), ref: 0040D766
RegCloseKey.ADVAPI32(?,?,?,?,00000118), ref: 0040D780

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: CloseEnumOpen$LibraryLoadPathRelativeValue
String ID:
API String ID: 1037566479-0
Opcode ID: e0210c049c3d1df363a3a1cebf10b4b002481ffbb24948399b8ebf1762638dab
Instruction ID: 192eedeed3cfc7c9a8b2c8425a5b0a1a089aeacab8846db5a4ff0d926e04e858
Opcode Fuzzy Hash: e0210c049c3d1df363a3a1cebf10b4b002481ffbb24948399b8ebf1762638dab
Instruction Fuzzy Hash: D261B435E00218ABDB349F94CC55FEB7378EB48744F0405AAFA09B7280D775AF89CA58

Function 00413C50 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00411653,00411655,00000000,00000000,?,00000000,00000008,?,00414680,00424798,000000FE,?,00411653,WQL), ref: 00413CD9
MultiByteToWideChar.KERNEL32(00000000,00000000,00411653,?,00000000,00000000,?,00414680,00424798,000000FE,?,00411653), ref: 00413D54
SysAllocString.OLEAUT32(00000000), ref: 00413D5F
_com_issue_error.COMSUPP ref: 00413D88
_com_issue_error.COMSUPP ref: 00413D92
GetLastError.KERNEL32(80070057,?,00000000,00000008,?,00414680,00424798,000000FE,?,00411653,WQL), ref: 00413D97
_com_issue_error.COMSUPP ref: 00413DAA
GetLastError.KERNEL32(00000000,?,00414680,00424798,000000FE,?,00411653,WQL,?,?,?,?,?,?,?,00000000), ref: 00413DC0
_com_issue_error.COMSUPP ref: 00413DD3

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: f41af25578efc29595986d2abd5c4557e3d975c5f5e72a05fad108283b35a71f
Instruction ID: 91591ea8f3ca65aa41be0f87e43bea3bc54f9acd7f89503e693b53a03cfc1328
Opcode Fuzzy Hash: f41af25578efc29595986d2abd5c4557e3d975c5f5e72a05fad108283b35a71f
Instruction Fuzzy Hash: 1C41F672A00219ABCB109F65D845BEFBBA8AB48715F14422FF515E7380D7389A8087E8

Function 0040B7C5 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 193COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040B7CF

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Part of subcall function 00401B8F: __EH_prolog3_GS.LIBCMT ref: 00401B96

Part of subcall function 0040BD99: __EH_prolog3_GS.LIBCMT ref: 0040BDA3

Strings

[CDocConvertVbsIPCServer::Handle_VBSIPCMessage] strVBSIPCInfo find_first_of STR_VBS_IPC_PARAMETER_DIVIDER failed! strVBSIPCInfo:, xrefs: 0040B916
[CDocConvertVbsIPCServer::Handle_VBSIPCMessage] strVBSIPCInfo:, xrefs: 0040B897, 0040B9AA
VBSConvertProgress, xrefs: 0040BA1F
, strCmd:, xrefs: 0040B99E
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040B86F, 0040B87E, 0040B8FD, 0040B98C
VBSGetSliderCount, xrefs: 0040B9FC

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3_$ProtectVirtual
String ID: , strCmd:$VBSConvertProgress$VBSGetSliderCount$[CDocConvertVbsIPCServer::Handle_VBSIPCMessage] strVBSIPCInfo find_first_of STR_VBS_IPC_PARAMETER_DIVIDER failed! strVBSIPCInfo:$[CDocConvertVbsIPCServer::Handle_VBSIPCMessage] strVBSIPCInfo:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp
API String ID: 624373510-2640463817
Opcode ID: 4c79963274a99e6e87e80073ed61d85432a18d6ec956ebc9e7b6fdb969bcb2dc
Instruction ID: 95473a93403c734b4744852b84c608a8a78e287613164ef3d788b91043617ffc
Opcode Fuzzy Hash: 4c79963274a99e6e87e80073ed61d85432a18d6ec956ebc9e7b6fdb969bcb2dc
Instruction Fuzzy Hash: 50716B72A00208AFDB05EB65DC69ADD7B75EF08314F1480AEE506A72E1DF385E85CB5C

Function 00402330 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 199COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040233A

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Part of subcall function 00401B8F: __EH_prolog3_GS.LIBCMT ref: 00401B96

TerminateProcess.KERNEL32(00000000,00000000), ref: 00402569

Strings

c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 0040235B, 004024E0
, hProcess:, xrefs: 00402503
[CDocConvert::::HandleIPC_ImgCancelConvertRequest] strTaskID:, xrefs: 00402377
[CDocConvert::HandleIPC_ImgCancelConvertRequest] strTaskID:, xrefs: 00402508

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3H_prolog3_ProcessProtectTerminateVirtual
String ID: , hProcess:$[CDocConvert::::HandleIPC_ImgCancelConvertRequest] strTaskID:$[CDocConvert::HandleIPC_ImgCancelConvertRequest] strTaskID:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 1443114193-3907194096
Opcode ID: 62c1d0d3a1d2aa6c8f8c39956a4fa7234f39c7e915bfc192421f75184da31638
Instruction ID: df8e3d83f7ba511f450b37bb38ee689344465493e2f3a48e0635173aeccd5823
Opcode Fuzzy Hash: 62c1d0d3a1d2aa6c8f8c39956a4fa7234f39c7e915bfc192421f75184da31638
Instruction Fuzzy Hash: 85814B70A00305AFCB04DFA4D999BEEBBB4BF08314F10816EE515A72D1DB78AA45CB59

Function 0040EA70 Relevance: 10.7, APIs: 7, Instructions: 177fileCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 0040EABC
EnterCriticalSection.KERNEL32(?), ref: 0040EAF6
LeaveCriticalSection.KERNEL32(?), ref: 0040EB32
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 0040EB66
WriteFile.KERNEL32(?,?,?,00000000,00000000), ref: 0040EB8D
FlushFileBuffers.KERNEL32(?), ref: 0040EB9C
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0040EC65

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: File$CriticalMultipleObjectsSectionWait$BuffersEnterFlushLeavePointerWrite
String ID:
API String ID: 212290116-0
Opcode ID: 0c28ca6caadaf3cd7fd16936cff9f9c79cba6f6055e8f539de9031ddcb989b14
Instruction ID: e57b76790d50655fa2c6df5fcb4680fefcc05084cd1c1b2089238f56aaf1b74d
Opcode Fuzzy Hash: 0c28ca6caadaf3cd7fd16936cff9f9c79cba6f6055e8f539de9031ddcb989b14
Instruction Fuzzy Hash: CE615A71A00208AFDB14CFA9DD95BEEBBF4FB48310F14453AE916EB290D77469408B54

Function 004020C0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 163COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004020CA

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Part of subcall function 00401B8F: __EH_prolog3_GS.LIBCMT ref: 00401B96

Strings

c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00402160
strImgFolderPath:, xrefs: 00402188
strDocFilePath:, xrefs: 0040218D
[CDocConvert::::HandleIPC_ImgStartConvertRequest] strTaskID:, xrefs: 00402192
strImgFormat:, xrefs: 00402183

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3_$ProtectVirtual
String ID: strImgFolderPath:$ strDocFilePath:$ strImgFormat:$[CDocConvert::::HandleIPC_ImgStartConvertRequest] strTaskID:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 624373510-391708754
Opcode ID: b347c1ec5e03e1f920b73b53c7eff73245ed50fb2dbedb36dde4246b0f2a28a8
Instruction ID: 4298c3ca66f6c55349da1e56c2f7dc802e2da2487d28eea6cf766b38ea9a3579
Opcode Fuzzy Hash: b347c1ec5e03e1f920b73b53c7eff73245ed50fb2dbedb36dde4246b0f2a28a8
Instruction Fuzzy Hash: BC61793194021A9FCB24DF64D895BEDB7B1EF48314F1040AEE54AA3291DB74AE85CF08

Function 00403315 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 154sleepCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040331F

Part of subcall function 0040385C: __EH_prolog3_GS.LIBCMT ref: 00403866

Sleep.KERNEL32(00000028), ref: 004034AE

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00403347, 004033BC, 004034FB
[CDocConvert::ConvertDocThreadFunc] bInit: , xrefs: 00403364
[CDocConvert::::ConvertDocThreadFunc] End! Exit thread!, xrefs: 00403521
[CDocConvert::::ConvertDocThreadFunc] InitPPTApp failed ! exit thread!, xrefs: 004033DC

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3_$ProtectSleepVirtual
String ID: [CDocConvert::::ConvertDocThreadFunc] End! Exit thread!$[CDocConvert::::ConvertDocThreadFunc] InitPPTApp failed ! exit thread!$[CDocConvert::ConvertDocThreadFunc] bInit: $c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 2544358551-2000447865
Opcode ID: 0cf408eb4a5164c052d667c61260c2e33cb84e120fbb79ec39a0b8052d1349c6
Instruction ID: fc12af958fceb45b22afabc9c8cc1d154353b66f118d34e3f76e0e89f02dc691
Opcode Fuzzy Hash: 0cf408eb4a5164c052d667c61260c2e33cb84e120fbb79ec39a0b8052d1349c6
Instruction Fuzzy Hash: 2D518F31904704AFEB14EF61CC9ABD9BBB5EB04315F1084AEE40AA61E1DB785E84CF19

Function 0040B3BA Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 147COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040B3C4

Part of subcall function 0040B6A9: __EH_prolog3.LIBCMT ref: 0040B6B3

Strings

[CDocConvertVbsIPCServer::PumpMessage] msg._message is NULL! return!, xrefs: 0040B56C
[CDocConvertVbsIPCServer::PumpMessage] m_SaftyMessageVector is NULL! return!, xrefs: 0040B4F3
, message size = , xrefs: 0040B463
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040B43D, 0040B4D3, 0040B54B
[CDocConvertVbsIPCServer::PumpMessage] i = , xrefs: 0040B471

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3
String ID: , message size = $[CDocConvertVbsIPCServer::PumpMessage] i = $[CDocConvertVbsIPCServer::PumpMessage] m_SaftyMessageVector is NULL! return!$[CDocConvertVbsIPCServer::PumpMessage] msg._message is NULL! return!$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp
API String ID: 431132790-2754882026
Opcode ID: 89dec19caac37b4c8b580c3a910641b03a2b4ef723a527013792012bb428126b
Instruction ID: 180f00dd34122d70fab5881e58e1ba8803f1677b7fbebd3ec06e2c8a7cebe460
Opcode Fuzzy Hash: 89dec19caac37b4c8b580c3a910641b03a2b4ef723a527013792012bb428126b
Instruction Fuzzy Hash: 1D51AD71A41304ABDB149BA0DD5ABAD77B0EF44324F64457EE406B62E1CF7C5E818A4C

Function 0040E060 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,004270B0), ref: 0040E0FC
EnterCriticalSection.KERNEL32(?), ref: 0040E165
LeaveCriticalSection.KERNEL32(?,?,?), ref: 0040E199
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 0040E1A9

Strings

didn't pass the verification, error code , xrefs: 0040E128
loaded by , xrefs: 0040E0C6

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveProcessReleaseSemaphore
String ID: didn't pass the verification, error code $ loaded by
API String ID: 61496330-2439791217
Opcode ID: 3c26809dd974048e095aac905a104eef7292435528225e789fd9183ae77c5755
Instruction ID: b52a9aa818815cb245682506643f326b322c2aa792aca06c5a04712bf6ea24bb
Opcode Fuzzy Hash: 3c26809dd974048e095aac905a104eef7292435528225e789fd9183ae77c5755
Instruction Fuzzy Hash: 3D519271A00209EBCB14DB75DC59BEEB7B5FB44304F00867AF41AA7291DB386D94CB98

Function 004026E0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004026EA

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvertVbsIPCServer::HandleIPC_VBSIPCPageNumberMessage] m_ipcSender is NULL!, xrefs: 0040272C
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00402710, 00402790
, m_strImgFolderPath:, xrefs: 004027A9
, uPageShowNumTotal:, xrefs: 004027AF
[CDocConvert::HandleIPC_VBSIPCPageNumberMessage] SendImgStartConvertResponse strTaskID:, xrefs: 004027BE

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectVirtual
String ID: , m_strImgFolderPath:$, uPageShowNumTotal:$[CDocConvert::HandleIPC_VBSIPCPageNumberMessage] SendImgStartConvertResponse strTaskID:$[CDocConvertVbsIPCServer::HandleIPC_VBSIPCPageNumberMessage] m_ipcSender is NULL!$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 1809373692-2569159283
Opcode ID: 52bf61267d8c5c46e6bcbc487db2412ca6a1e92767f63a18dccdb58333a4c9ae
Instruction ID: 0ca3b86902d35b3fc8ab79bdec02e4fe5fcab68b8c9d7db7cc2c30c71c6b3825
Opcode Fuzzy Hash: 52bf61267d8c5c46e6bcbc487db2412ca6a1e92767f63a18dccdb58333a4c9ae
Instruction Fuzzy Hash: 4631AD31A40301AADB14AB64DC5AFEA3765EF48724F24843FF405AB2D2DFB95D82861C

Function 0040B020 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040B02A

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvertVbsIPCServer::UnInit] is_inited_ is CmmFalse, don't need UnInit!, xrefs: 0040B0D0
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040B04B, 0040B0B3, 0040B16B
[CDocConvertVbsIPCServer::UnInit] Delete Message:, xrefs: 0040B18D
[CDocConvertVbsIPCServer::UnInit], xrefs: 0040B068

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectVirtual
String ID: [CDocConvertVbsIPCServer::UnInit]$[CDocConvertVbsIPCServer::UnInit] Delete Message:$[CDocConvertVbsIPCServer::UnInit] is_inited_ is CmmFalse, don't need UnInit!$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp
API String ID: 1809373692-2342135638
Opcode ID: b39599eb63ae4a81e3128a8b4f6e4b531e4c273926c53cb63883c52ee9c3c8a1
Instruction ID: aee573a8e460fd3a8d9e1b5fd3a726836f595948baa831e83ee989bba385e238
Opcode Fuzzy Hash: b39599eb63ae4a81e3128a8b4f6e4b531e4c273926c53cb63883c52ee9c3c8a1
Instruction Fuzzy Hash: 2751AD31A40715ABDB149BA0DC6ABDE7B70FF08721F10456EE511BB2D1CB785A81CB9C

Function 00412BD0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041433A: EnterCriticalSection.KERNEL32(0042CA60,0042D2F0,?,?,0040C122,0042D2F0,?,?,0040B6D2,?,000000B4,0040B3DE,0000016C), ref: 00414345
Part of subcall function 0041433A: LeaveCriticalSection.KERNEL32(0042CA60,?,0040C122,0042D2F0,?,?,0040B6D2,?,000000B4,0040B3DE,0000016C), ref: 00414382

GetCurrentProcess.KERNEL32(?,?), ref: 00412C87
IsWow64Process.KERNEL32(00000000), ref: 00412C8E
RegGetValueW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,20010002,00000000,?,00000800), ref: 00412CED

Strings

ProgramFilesDir, xrefs: 00412CDE
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00412CE3

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: CriticalProcessSection$CurrentEnterLeaveValueWow64
String ID: ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 623438262-1909746267
Opcode ID: 8fc0ced0edc39a80b657f3c0fe8d7c359c6e872b154f47451c3c70d2233b6898
Instruction ID: c3a08843d0d200cdbd3d1b2bcfc247f2eb322f66e650b1e7f1c13803f4fdb81c
Opcode Fuzzy Hash: 8fc0ced0edc39a80b657f3c0fe8d7c359c6e872b154f47451c3c70d2233b6898
Instruction Fuzzy Hash: 1641D070E003489ACB20DF54ED46BEA73B8BB04704F54817AE815D7290DBB85986CF9D

Function 00401FB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00401FBA
ExitProcess.KERNEL32 ref: 004020AC

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvert::OnChannelError], xrefs: 00401FF2
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00401FD6, 0040205A
[CDocConvert::OnChannelError], ExitProcess!, xrefs: 00402079

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ExitH_prolog3ProcessProtectVirtual
String ID: [CDocConvert::OnChannelError]$[CDocConvert::OnChannelError], ExitProcess!$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 4229167784-679568407
Opcode ID: e49edd9864abbb3d87022385eb2d413356123a37627d111662b963a51c2ee4bf
Instruction ID: 38f8ae0ac911da3a7bdad0eb44c8cb60196c5a814a9daa41f359f780c9d3694f
Opcode Fuzzy Hash: e49edd9864abbb3d87022385eb2d413356123a37627d111662b963a51c2ee4bf
Instruction Fuzzy Hash: 1B217C31A40700ABD7149BA0DD6ABDD3B70EB48710F20857EF116AA1E1DFB80D80CA1C

Function 0040CE10 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,LdrUnregisterDllNotification), ref: 0040CE49
GetProcAddress.KERNEL32(00000000), ref: 0040CE50

Strings

LdrUnregisterDllNotification, xrefs: 0040CE3F
ntdll.dll, xrefs: 0040CE44

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: LdrUnregisterDllNotification$ntdll.dll
API String ID: 1646373207-237666150
Opcode ID: 081667f065d189619943f997a0d6da2d81fd1828666de2e48ae92a57e87b70f4
Instruction ID: 536fe45db68da839303e439799dd04e2e917962dd37583a1d3a7b1c71cf5fa9c
Opcode Fuzzy Hash: 081667f065d189619943f997a0d6da2d81fd1828666de2e48ae92a57e87b70f4
Instruction Fuzzy Hash: 4C61C271700503ABD70C9B38D9A9BFAF7A6FF44344F144339E419876D1CB7969A48B88

Function 0040B5C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040B5CA

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

len:, xrefs: 0040B635
[CDocConvertVbsIPCServer::OnMessageReceived] type:, xrefs: 0040B640
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040B603

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectVirtual
String ID: len:$[CDocConvertVbsIPCServer::OnMessageReceived] type:$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp
API String ID: 1809373692-2074319829
Opcode ID: 7471e48e2191e7f2eaa4730c6ef17b238e8e97372ab509c97a8fa65b74d9358d
Instruction ID: 806908c14e0dff88c04ca793e9a98def4ac357006f8ff3ba3248fcedc08ac92e
Opcode Fuzzy Hash: 7471e48e2191e7f2eaa4730c6ef17b238e8e97372ab509c97a8fa65b74d9358d
Instruction Fuzzy Hash: C6216271A00305ABCB049FA4D855ADD7775FF48320F14856EE859AB2D0CB789D81CB8C

Function 00402FB5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64sleepCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00402FBF

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Sleep.KERNEL32(00000028), ref: 00403089

Strings

c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00402FDD
[CDocConvert::DetectThreadFunc], xrefs: 00402FF9

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectSleepVirtual
String ID: [CDocConvert::DetectThreadFunc]$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 4201259014-756957823
Opcode ID: f8e9f0e23968f2bed3d0544a53d068131b256cc9dfe19466c324953f8a7454e9
Instruction ID: 5e14cf88f44ae6e4a5dcb5661d55ffe10a5308fbadb8cd52eea9f61d4dc41f69
Opcode Fuzzy Hash: f8e9f0e23968f2bed3d0544a53d068131b256cc9dfe19466c324953f8a7454e9
Instruction Fuzzy Hash: F4219D30A01305EBDB04DF60CD5ABDCBAB4BB08315F50827EE41AA32E2CB785E45CA18

Function 0040C1F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42threadwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040C1FA
PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0040C26B

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[ConsoleCtrlhandler] CTRL_CLOSE_EVENT, xrefs: 0040C235
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\main.cpp, xrefs: 0040C219

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3MessagePostProtectThreadVirtual
String ID: [ConsoleCtrlhandler] CTRL_CLOSE_EVENT$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\main.cpp
API String ID: 2106445864-3568867012
Opcode ID: 6af0ed5f76dcea0df63856a0bd80fcc9152b90093d9c2031062d343886322e88
Instruction ID: 8af0f1432a38c39ac156a390085beae4290296724a84b2e37cf92d230908f7e1
Opcode Fuzzy Hash: 6af0ed5f76dcea0df63856a0bd80fcc9152b90093d9c2031062d343886322e88
Instruction Fuzzy Hash: 0601AD35A80304AAEB10ABA0CC9BFDA3670FF00705F10457EF501AA1D2CBB81D81CA1C

Function 004025E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004025EA
ExitProcess.KERNEL32 ref: 00402653

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00402606
[CDocConvert::HandleIPC_ImgExitProcessRequest] Recv CSBMBMessage_Doc2ImgExitProcessRequest, ExitProcess!, xrefs: 00402622

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ExitH_prolog3ProcessProtectVirtual
String ID: [CDocConvert::HandleIPC_ImgExitProcessRequest] Recv CSBMBMessage_Doc2ImgExitProcessRequest, ExitProcess!$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 4229167784-399022842
Opcode ID: 68303deaeca0f61a469608444ec6b09118350651f39741b9a461f4fb4062dba4
Instruction ID: 558ee970a2adf4e1fc46f8a3af44374caa6ca941988eab47a0cb853e066b6c20
Opcode Fuzzy Hash: 68303deaeca0f61a469608444ec6b09118350651f39741b9a461f4fb4062dba4
Instruction Fuzzy Hash: 2BF04931A80304AAE704AFA4DC6ABDD7670FB04711F10487EF102AA1E1CBB84D80CA1C

Function 004121E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(zCrashReport.dll,0040C2C8,?,000001B0), ref: 004121E5
GetProcAddress.KERNEL32(00000000,crSetCrashCallbackW), ref: 004121F5

Strings

crSetCrashCallbackW, xrefs: 004121EF
zCrashReport.dll, xrefs: 004121E0

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: crSetCrashCallbackW$zCrashReport.dll
API String ID: 1646373207-1811286062
Opcode ID: bb35c2366ebe50ab0f96784bce2b4b31de44ffc2a4ef195703e2f7f4e33b945d
Instruction ID: 788238c6706ea16a2eee1a96d51a96658a6dcae04bbc94478e2843e4b5f40ba0
Opcode Fuzzy Hash: bb35c2366ebe50ab0f96784bce2b4b31de44ffc2a4ef195703e2f7f4e33b945d
Instruction Fuzzy Hash: 52D0123838130225DD1027B26E09FCE26042B40F11F644AA2B831E11D5EBFCC591502D

Function 004111F0 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,?), ref: 00411267
GetLastError.KERNEL32 ref: 00411273

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: ErrorLastOpenProcess
String ID:
API String ID: 919517065-0
Opcode ID: 180b963629b25771218858fb9be680c45ebcaf4e685314d94568f095a85c1d83
Instruction ID: df430542db87c27eb6bb0a20753aa050ff356964e4e46c6d4fd600331b1f44f8
Opcode Fuzzy Hash: 180b963629b25771218858fb9be680c45ebcaf4e685314d94568f095a85c1d83
Instruction Fuzzy Hash: E031F871E002099BDB14DFA8DC957EEB7B5EF48304F5442AAE905F7290DB749E80CB94

Function 004142F0 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0042CA60,?,?,0040C13C,0042D2F0,?,?,0040B6D2,?,000000B4,0040B3DE,0000016C), ref: 004142FA
LeaveCriticalSection.KERNEL32(0042CA60,?,0040C13C,0042D2F0,?,?,0040B6D2,?,000000B4,0040B3DE,0000016C), ref: 0041432D
SetEvent.KERNEL32(?,0042D2F0,?,?,0040B6D2,?,000000B4,0040B3DE,0000016C), ref: 004143AE
ResetEvent.KERNEL32(?,0042D2F0,?,?,0040B6D2,?,000000B4,0040B3DE,0000016C), ref: 004143BA

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: 011063dab18d76bc8b03866032b575e26ed5f704ee7c2b09c1e2fe64b6e0426c
Instruction ID: e09fd4ba703b3f4f90ed7c4f0adbe9ef2044be7fde56f23161c9f76c561368eb
Opcode Fuzzy Hash: 011063dab18d76bc8b03866032b575e26ed5f704ee7c2b09c1e2fe64b6e0426c
Instruction Fuzzy Hash: 9001F636B41528EFCB25EF18FC98AD97BA5EB49751B41807AE90297320CB345C029B9C

Function 00410810 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 192COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 004109E7

Strings

m@, xrefs: 00410825
}A, xrefs: 004109F1, 0041090F, 00410956, 004109F4, 004109F5

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: }A$m@
API String ID: 118556049-736616827
Opcode ID: c679fcf57494bb239db96a3548e4c720a31c8a11289dfd5385f4546d284e78a0
Instruction ID: c3dfcaa805bbc8a51e55aaabc3e4a89111bc7eceac5f2a1566f87b27f93fef33
Opcode Fuzzy Hash: c679fcf57494bb239db96a3548e4c720a31c8a11289dfd5385f4546d284e78a0
Instruction Fuzzy Hash: D051C3B2A001099FDB08DF69C991AEEB7F5EF88300F14812AE506D7351D778AD95CB94

Function 00401C8D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00401C97

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvert::CDocConvert], xrefs: 00401DF8
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00401DDB

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectVirtual
String ID: [CDocConvert::CDocConvert]$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 1809373692-1479113695
Opcode ID: d8c234d8f344c7166d2f66105d34b04a422d9a5bfd5bf7b32b886f0fdc852b4e
Instruction ID: a40a2f0a47e0f672c9afa67fb71f5c4737df055ac14e51e82bc3df37677841b0
Opcode Fuzzy Hash: d8c234d8f344c7166d2f66105d34b04a422d9a5bfd5bf7b32b886f0fdc852b4e
Instruction Fuzzy Hash: E85125B0900742EFD704DF25C999789FFF0BF18304F50856ED14AA7292DB78AA94CB99

Function 0040324E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00403258

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00403299
[CDocConvert::CreateConvertThread] bRet: , xrefs: 004032BA

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectVirtual
String ID: [CDocConvert::CreateConvertThread] bRet: $c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 1809373692-452567957
Opcode ID: 99adcce184ba34fee4a85432692fe05538fd99e2266a5797d6a7ab14f0574b05
Instruction ID: adf8f5ce9188c4b8668094b64460cc229a608b819f9a05dea54ebcbb5ebed4ec
Opcode Fuzzy Hash: 99adcce184ba34fee4a85432692fe05538fd99e2266a5797d6a7ab14f0574b05
Instruction Fuzzy Hash: D4117971A40315ABDB04AFA4DC56AEE7AA8EB04315F50447EF402B72D1CB785E818AAC

Function 00402EEC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00402EF6

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00402F37
[CDocConvert::CreateDetectThread] bRet: , xrefs: 00402F58

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectVirtual
String ID: [CDocConvert::CreateDetectThread] bRet: $c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 1809373692-1270373286
Opcode ID: f36e3a4818fa31f1cf2a13d5cc227d8049b27aa70c011b65117d2f714605032c
Instruction ID: 0d6e37797b63617483badd5a7fd61e6ecb8421c5efb43924a2aa00c28a8240d4
Opcode Fuzzy Hash: f36e3a4818fa31f1cf2a13d5cc227d8049b27aa70c011b65117d2f714605032c
Instruction Fuzzy Hash: B111A9B1A41316ABDB04AF60DD5ABEE76B8EF04311F50447EF402F72D1CAB85D808A6C

Function 0040B217 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040B221

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvertVbsIPCServer::CDocConvertVbsIPCServer], xrefs: 0040B2CB
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040B2AE

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectVirtual
String ID: [CDocConvertVbsIPCServer::CDocConvertVbsIPCServer]$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp
API String ID: 1809373692-330505927
Opcode ID: 2fd0d4eb773c3e8d501f0b16aa810d208dbfdecc74343adaf8774b261c04853f
Instruction ID: 00befacb907631c9e17a7b3fa5999c24b6eceef9975b5f24643841f7cb668f1b
Opcode Fuzzy Hash: 2fd0d4eb773c3e8d501f0b16aa810d208dbfdecc74343adaf8774b261c04853f
Instruction Fuzzy Hash: 3C1167B0E003109FD7149F65EC5A6A87BB1FB08304FA084BEE005A76A0CBB80991CB0E

Function 0040B6A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040B6B3

Part of subcall function 0040B020: __EH_prolog3.LIBCMT ref: 0040B02A

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

[CDocConvertVbsIPCServer::HandleConnectingTimeout] connecting timeout., xrefs: 0040B714
c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp, xrefs: 0040B6F8

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3$ProtectVirtual
String ID: [CDocConvertVbsIPCServer::HandleConnectingTimeout] connecting timeout.$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvertVbsIPCServer.cpp
API String ID: 3007236580-901364601
Opcode ID: e35b6af78b42fc06780ffa3eb587207b71c6ccf129391efccff88d3d12cf072f
Instruction ID: a9d0bb768643340a5ea1168fb03230a697b43f5db5e869853af32c9bcaec17c0
Opcode Fuzzy Hash: e35b6af78b42fc06780ffa3eb587207b71c6ccf129391efccff88d3d12cf072f
Instruction Fuzzy Hash: 4A018871940700AADB28AF61CCA7AEA7260EB44714F50457FE442A76E2DBBC5C81CA5C

Function 00402660 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040266A

Part of subcall function 00408170: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00408645

Strings

c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp, xrefs: 00402686
[CDocConvert::OnIPCServerChannelError], xrefs: 004026A2

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: H_prolog3ProtectVirtual
String ID: [CDocConvert::OnIPCServerChannelError]$c:\jenkins\workspace\Client\Client\Windows_VDI\release\client-app-video\zDocConvert\DocConvert.cpp
API String ID: 1809373692-3070404389
Opcode ID: 4ca598820c89b7f3b870ffea1a173ab30c14d89fcf2580a0d6d755e8ac5f4b0c
Instruction ID: 35197b002a70b5b2eeeaaf07b04524d3dbd07c7745c84826511f01a8e825cf61
Opcode Fuzzy Hash: 4ca598820c89b7f3b870ffea1a173ab30c14d89fcf2580a0d6d755e8ac5f4b0c
Instruction Fuzzy Hash: 6EF01771980345AAE714AB64DD5BBDD3664EB04714F60487EE401AA2E1CBBC5DC18A1C

Function 00413B86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00401B22: InitializeCriticalSectionEx.KERNEL32(0042CA0C,00000000,00000000,0042C9F8,00413BB5,?,?,?,004019CA), ref: 00401B28
Part of subcall function 00401B22: GetLastError.KERNEL32(?,?,?,004019CA), ref: 00401B32

IsDebuggerPresent.KERNEL32(?,?,?,004019CA), ref: 00413BB9
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,004019CA), ref: 00413BC8

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00413BC3

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 199956a563438f3586a61a4a6f19ccc57f1881164043d3a7314101558bc9cb29
Instruction ID: 8b65f71d81d517f14160c623eaecbed840306f26d5a6cb6b6d2c6e55611105c0
Opcode Fuzzy Hash: 199956a563438f3586a61a4a6f19ccc57f1881164043d3a7314101558bc9cb29
Instruction Fuzzy Hash: 47E065702047108BC3309F25E9143827AE4AF04709F00887FE456D2291E7B8FA84CB59

Function 0040E640 Relevance: 5.1, APIs: 4, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040E679
HeapAlloc.KERNEL32(00000000), ref: 0040E680

Part of subcall function 0040F130: GetCurrentProcess.KERNEL32(?,?,?,?,?,?), ref: 0040F17E
Part of subcall function 0040F130: GetMappedFileNameW.PSAPI(00000000,?,?,?), ref: 0040F185
Part of subcall function 0040F130: GetLogicalDriveStringsW.KERNEL32(00000103,?,?,?,?,?,?,?), ref: 0040F1DA
Part of subcall function 0040F130: QueryDosDeviceW.KERNEL32(00000FA0,?,00000103,?,?,?,?,?,?), ref: 0040F214

GetProcessHeap.KERNEL32(00000000,00000FA0,?,?,00000001), ref: 0040E6E4
HeapFree.KERNEL32(00000000), ref: 0040E6EB

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Heap$Process$AllocCurrentDeviceDriveFileFreeLogicalMappedNameQueryStrings
String ID:
API String ID: 1064646199-0
Opcode ID: 0c5f043bf4b246922cf2179a9f600e16eea6433679b903cdfe6c1f12932328f2
Instruction ID: 2668c3dfdd3c3276348bbd43bb132a3e152f58a801efa895f745a1c07ca89cb8
Opcode Fuzzy Hash: 0c5f043bf4b246922cf2179a9f600e16eea6433679b903cdfe6c1f12932328f2
Instruction Fuzzy Hash: C811D034104301EBCB249F62D884BAB77A8AF44755F40CD2EFD55972E0DBB5A824CB5A

Function 0040D7C0 Relevance: 5.0, APIs: 4, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,0040DAF3), ref: 0040D7E0
HeapFree.KERNEL32(00000000), ref: 0040D7E7
GetProcessHeap.KERNEL32(00000000,?,00000000,0040DAF3), ref: 0040D800
HeapFree.KERNEL32(00000000), ref: 0040D807

Memory Dump Source

Source File: 00000000.00000002.2191935852.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191805478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192361425.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192581691.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192655196.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192669313.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192731013.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192783114.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192824126.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192844518.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192881622.0000000000465000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909532.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193047505.000000000051D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193064528.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193153676.000000000060E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000618000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.0000000000657000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193168174.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193575077.00000000006EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.00000000006EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193600596.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MicrosoftOfficeWord.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 1c561bf052e99d539f3441f41995ab45b4dfc28fc98b83e691970e21491ed14b
Instruction ID: 5d4cdb0425c937855427814b3bc534e629d3b797dcae5c9850f92b4c5cd28c0b
Opcode Fuzzy Hash: 1c561bf052e99d539f3441f41995ab45b4dfc28fc98b83e691970e21491ed14b
Instruction Fuzzy Hash: 4BF054B57002109BD7349F94EE58BDA7778B75C702F418939EC01935A4CB7C881A875A

Analysis Process: csc.exePID: 6224, Parent PID: 5348COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8%
Total number of Nodes:	50
Total number of Limit Nodes:	5

Executed Functions

Function 09ABFA50 Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899453490.0000000009AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ab0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c6032e4a93caeba1de2818149ef4f8af3f9cc03c387c5a8e8385386c14fc3d
Instruction ID: b803ca3a8d1d558b43bac348e8fe29370195aedc6ad60b2e3b108f5c7d9bade6
Opcode Fuzzy Hash: 39c6032e4a93caeba1de2818149ef4f8af3f9cc03c387c5a8e8385386c14fc3d
Instruction Fuzzy Hash: 30515E707002118FD788EB68DA59BBA37EAEF9C250B095079E01ACB787CE385809C759

Function 06E9FAC0 Relevance: 1.7, APIs: 1, Instructions: 154libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06E9FB80

Memory Dump Source

Source File: 00000003.00000002.3898640961.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e90000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d2d33dae2a092fe4d85e8eaabaa8a68e6b4a63180a28775bb312048f96b7758d
Instruction ID: 8aabf860ce28cd8840a58bb3f4076833a9a408bc9c22b0df1fd60f49f63d3ba6
Opcode Fuzzy Hash: d2d33dae2a092fe4d85e8eaabaa8a68e6b4a63180a28775bb312048f96b7758d
Instruction Fuzzy Hash: 10517A30A01304CFEF94CF25D6597E977B3EF88314F24A46AD005EB295EB349985CB69

Function 09ABFA78 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 09ABFB2A

Memory Dump Source

Source File: 00000003.00000002.3899453490.0000000009AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ab0000_csc.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 446ee54e1c32564e37b116f93d5eedba0c92f189f606c6959ab6b61770df3f83
Instruction ID: 26a32fe558c67ffe80908a228e300598bf9afe11a5e502e010d64f5b31160a0b
Opcode Fuzzy Hash: 446ee54e1c32564e37b116f93d5eedba0c92f189f606c6959ab6b61770df3f83
Instruction Fuzzy Hash: 2D514E347005118FD788EB68DA99BFA37EAEF9C250B09507DE01ACB787DE385809C759

Function 09ABFA88 Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 09ABFB2A

Memory Dump Source

Source File: 00000003.00000002.3899453490.0000000009AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ab0000_csc.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ea39eef30ff09388d56a028f53fa7e3cefbeaa9326e656547c4733bea3942a21
Instruction ID: e4ef6f338d83534ec6975d848566f07b37c9593fa7e1ff57d8f08823b570082b
Opcode Fuzzy Hash: ea39eef30ff09388d56a028f53fa7e3cefbeaa9326e656547c4733bea3942a21
Instruction Fuzzy Hash: BF513E347005118FD784EB68DA99BBA37EAEF9C250B49507DE01ACB787CE385C09C759

Function 09802148 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vkm, xrefs: 09802393

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID: \Vkm
API String ID: 0-2107937421
Opcode ID: 000918c47df3f84058f141fea3893989d272b8133d1d343a14b5b073f1cb8062
Instruction ID: 8a44997cbbb33327578af5acc4055d3377e36e6231defe59b2af0e9e75f2027b
Opcode Fuzzy Hash: 000918c47df3f84058f141fea3893989d272b8133d1d343a14b5b073f1cb8062
Instruction Fuzzy Hash: C4912A70E002099FDF54CFA9C99979DBBF2AF88314F14812DE429E7394EBB49845CB91

Function 098074A1 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc58d00b6e1c92dd8bbe2c983d572dea103d06f9a1719c958fb337ca96a42c23
Instruction ID: 27d20767f8ed80e5b8089595185d2b2c3614f479178508e1e9dc7d37f3224fd7
Opcode Fuzzy Hash: bc58d00b6e1c92dd8bbe2c983d572dea103d06f9a1719c958fb337ca96a42c23
Instruction Fuzzy Hash: 69E13834A00104CFE784CF18DDA9BA977F2FB88314F2580A9E516DB7A2C778AD85CB55

Function 098074B0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7e51c94ec8a2f3ecf3baf027399014f6db3f370fbf28476d490daa35477c96
Instruction ID: 0112f1bb8f1a130d5bc54ffc5187fde40375013423d341b5d43cd89f8917649a
Opcode Fuzzy Hash: 8a7e51c94ec8a2f3ecf3baf027399014f6db3f370fbf28476d490daa35477c96
Instruction Fuzzy Hash: B1E13634A00104CFE784CF18DDA9BA977F2FB88314F2580A8E516DB7A2C778AD85CB55

Function 09804631 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdae35cd7fd378ecdcde6cd67eb704f3edcae33feaccde7efa9dfee3f0363991
Instruction ID: 59f7de122c9a1b5d3d7b3fa06e401ac374bb060e61f238b01e92a2dcf602faa3
Opcode Fuzzy Hash: bdae35cd7fd378ecdcde6cd67eb704f3edcae33feaccde7efa9dfee3f0363991
Instruction Fuzzy Hash: DEC15F34A41218CFDB84DB74C954BA973F3FF89304F54806DD2169B3A6EB389845CB95

Function 09804640 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: facc49c04995479ad4644fff5dcf0aa1000e873b964017e83aa8a3dc0d82c57c
Instruction ID: 1f8e684bf2c89a9e099d836780c804bf7ce6194c90e18b2633dc36d314b0eb61
Opcode Fuzzy Hash: facc49c04995479ad4644fff5dcf0aa1000e873b964017e83aa8a3dc0d82c57c
Instruction Fuzzy Hash: 9DC15E34A41218CFDB84DB74C964BA973F3FF89304F54806CD2169B7A6EB38A845CB95

Function 098078B9 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e93b1bb7922722ac21446528cf60eb8c96eacce218a82b73a7abdf6d9a4ac9f
Instruction ID: 69d3017d19243464a17db453f954fcac6003f984c52b2ffb8b50cb40b0a4baaa
Opcode Fuzzy Hash: 1e93b1bb7922722ac21446528cf60eb8c96eacce218a82b73a7abdf6d9a4ac9f
Instruction Fuzzy Hash: D5C11434A00104CFE784CF18DDA9BA977F2FB88314F2580A8E516DB7A2C779AD85CB54

Function 09802D60 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d69b5bba2bdfaedeee053eda0b667611268a7454291f6a386586db806bdad9
Instruction ID: c00962b31c9a624135bc9693e85a53d05b17e4f58cc36908839a4d094933ba09
Opcode Fuzzy Hash: 13d69b5bba2bdfaedeee053eda0b667611268a7454291f6a386586db806bdad9
Instruction Fuzzy Hash: EBB14B71E002098FDB50CFA9C8957AEBBF2AF88354F14812DE419E7394EB749895CB81

Function 098049E1 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f4241bb3325bd0b21a77417964ce86620777d3c938d5d1b450a8d3ff6c229a
Instruction ID: 40e7413a7cc0e48756511703905a733531cab2d081428402acf9d71415a7c68f
Opcode Fuzzy Hash: f3f4241bb3325bd0b21a77417964ce86620777d3c938d5d1b450a8d3ff6c229a
Instruction Fuzzy Hash: EB913D34A41208CFEB94CF74C9A4BA977F3FB85304F54816DD2069B3A5EB389885CB95

Function 09803DF9 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be05e032e143206ddd01866d588a76f7dd019181ad0adaf708e1f1e45941d29
Instruction ID: b4f28808a72954f9df6468774904ada4d6d64eb8f003211fc5c9a4966eef8bcf
Opcode Fuzzy Hash: 0be05e032e143206ddd01866d588a76f7dd019181ad0adaf708e1f1e45941d29
Instruction Fuzzy Hash: A2919C30A04115CFEB94CB28DD69BA973F6EBD8304F14806DD106EB7E2DB789946CB49

Function 09803E08 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e29a711a8a033f7b176b1517a6e9fb601415adfe1aaa616c91148c59a321aa4
Instruction ID: a06e55650c8a9563f30238d469de542e844700f197c7f2d37182db4007b9d256
Opcode Fuzzy Hash: 5e29a711a8a033f7b176b1517a6e9fb601415adfe1aaa616c91148c59a321aa4
Instruction Fuzzy Hash: D081BC30A00115CFEB84CB28DE69BA973F6EBD8304F14806DD106EB7E2DB399945CB49

Function 09806328 Relevance: 5.3, Strings: 4, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 098063D7
(aq, xrefs: 0980650B
(aq, xrefs: 09806610
Haq, xrefs: 09806403

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID: (aq$(aq$(aq$Haq
API String ID: 0-3649692834
Opcode ID: 4610f1b2d66e0f05be8d1d541503fd4fe808476f03d44fcdbb6b00d66b599466
Instruction ID: f46b28fc6bef9d312e3966157d2965ffbf16e91cc46331eb98382625ec530fc6
Opcode Fuzzy Hash: 4610f1b2d66e0f05be8d1d541503fd4fe808476f03d44fcdbb6b00d66b599466
Instruction Fuzzy Hash: C48113317082514FC7569B3898A0AAE7FE6EFC5310B5585AEE509CB3D6EE34DC06C3A1

Function 06E80078 Relevance: 3.1, Strings: 2, Instructions: 597COMMON

Download Yara Rule

Strings

4']q, xrefs: 06E807D4
4']q, xrefs: 06E807E0

Memory Dump Source

Source File: 00000003.00000002.3898625887.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: ca1536a00cba9fd1e7a53a7a4567e8876b877634aa65ba8ba77f3b2bf4108e4a
Instruction ID: b792bf26dfe88f1c6262b067b64fb1129be0201abdec014f41d4ff9c8ab8b720
Opcode Fuzzy Hash: ca1536a00cba9fd1e7a53a7a4567e8876b877634aa65ba8ba77f3b2bf4108e4a
Instruction Fuzzy Hash: 9102F330F503188F9BB63668066C63E2EAA9FD4658F50546DD90FE7394DF2A8C0DC792

Function 06E80810 Relevance: 2.9, Strings: 2, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 06E80C89
4']q, xrefs: 06E80C95

Memory Dump Source

Source File: 00000003.00000002.3898625887.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: e41adf7ee97ac68e4d11cfb99e2cc85e2e909d24c9b624bc62746b37e5061960
Instruction ID: de84232ed7fd85722bcf7708d9e51f3929c89e64254c7e4ad2bf1464344a1ba8
Opcode Fuzzy Hash: e41adf7ee97ac68e4d11cfb99e2cc85e2e909d24c9b624bc62746b37e5061960
Instruction Fuzzy Hash: 71C18C34B203148F9F9A6B64905A17EBEB7BFC5608714542DE80FD7391DF36888AC752

Function 09806970 Relevance: 2.7, Strings: 2, Instructions: 207COMMON

Download Yara Rule

Strings

(aq, xrefs: 09806C70
(aq, xrefs: 09806A98

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID: (aq$(aq
API String ID: 0-3916115647
Opcode ID: 37692956f782d2e1e7aa516df5a8052c2c74b0b2625d4cdc82dfe41fc54c1ad8
Instruction ID: a1a44e894974a4e98c57247d7dbd1a25fc5d6c746613ed4bc1bf32d7bd1ad165
Opcode Fuzzy Hash: 37692956f782d2e1e7aa516df5a8052c2c74b0b2625d4cdc82dfe41fc54c1ad8
Instruction Fuzzy Hash: 5971EF307016558FC764DF28C894A6EBBE2FFC9310B55896DE54ACB781EE34E802CB91

Function 06E9FAB0 Relevance: 1.7, APIs: 1, Instructions: 157libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06E9FB80

Memory Dump Source

Source File: 00000003.00000002.3898640961.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e90000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 46dc47ac8a9871ef009978296cd0cc1512c47a3606884587802d8542f045d187
Instruction ID: 8e6c0e526713618590593a9c8cc77c3f9c2cc52d5d9c980c03dd1bbb3395e380
Opcode Fuzzy Hash: 46dc47ac8a9871ef009978296cd0cc1512c47a3606884587802d8542f045d187
Instruction Fuzzy Hash: C5519C30A01304CFEF84CF25D6547E973B3EF88315F24A46AD006EB295EB349981CB68

Function 06E9FBB1 Relevance: 1.6, APIs: 1, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06E9FB80

Memory Dump Source

Source File: 00000003.00000002.3898640961.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e90000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a29af3eb25a091f5d5d789ca6e0b0b1b194fc25fab4a8378bb071a327dfb13f
Instruction ID: e6e0385da3c26b42e6024221f6db1b9592903de7ccd7eb4c44ccb7c589d4324e
Opcode Fuzzy Hash: 5a29af3eb25a091f5d5d789ca6e0b0b1b194fc25fab4a8378bb071a327dfb13f
Instruction Fuzzy Hash: 4D418B30A01305CFEF94CF25D6597A977B3EF88319F24E469D001DB2A5EB388985CB68

Function 055AC858 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 055AC8CC

Memory Dump Source

Source File: 00000003.00000002.3898404037.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55a0000_csc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6086c87247c4201dd1fc54c5c9ba8c327b3541401573ff69e5ee9efac56c0ad0
Instruction ID: 3808a76910716e1280af9be3913f0cf785bda96db2dbdf2fa54c40fe64e71110
Opcode Fuzzy Hash: 6086c87247c4201dd1fc54c5c9ba8c327b3541401573ff69e5ee9efac56c0ad0
Instruction Fuzzy Hash: E511EAB5D002499FDB10DFAAC484AEEFBF5FF48310F148429E519A7250C7799945CFA1

Function 0980213C Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

\Vkm, xrefs: 09802393

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID: \Vkm
API String ID: 0-2107937421
Opcode ID: 321004bd78e13655c9dea0e22aa271423b29f8f251ad1e1a6b65a3dd0ffefc3d
Instruction ID: 57a503faf003b0ba83a4e12cb9c81c513d1d49bac1324e2f382ead59cb9e50a9
Opcode Fuzzy Hash: 321004bd78e13655c9dea0e22aa271423b29f8f251ad1e1a6b65a3dd0ffefc3d
Instruction Fuzzy Hash: 64914B70E002099FDF50CFA9C99979DBBF1AF88314F14812DE429E7394D7749846CB91

Function 098052D0 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

a]q, xrefs: 098056A8

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID: a]q
API String ID: 0-3765744518
Opcode ID: 2d21b5c1fddaa3894f01ac07ce792c7067ad2c9744c32260dd11d31d1da88748
Instruction ID: bb39d41248e44f7034927553174a7f96e5f61c3234d567c3377ddd177eb62c8b
Opcode Fuzzy Hash: 2d21b5c1fddaa3894f01ac07ce792c7067ad2c9744c32260dd11d31d1da88748
Instruction Fuzzy Hash: 62618D30A0020CCBDB44DAA5E9647ADBBB2EBC5304F11A22CE4029B7D5CBB49D45CB95

Function 06E8005C Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

4']q, xrefs: 06E807D4

Memory Dump Source

Source File: 00000003.00000002.3898625887.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: baa5d2e1d4ff5adffaebf8292c2cd7422236690a136d47444c0379b943caaf6d
Instruction ID: 9ee581b856a78f73e581a038dcde25005a72fdf1b08a54ff19cfb223e8311525
Opcode Fuzzy Hash: baa5d2e1d4ff5adffaebf8292c2cd7422236690a136d47444c0379b943caaf6d
Instruction Fuzzy Hash: 61014E31B193518FD7A73A3558296663F76EFC2160724047BE44ED7241EA264C4DC7D2

Function 055ACA08 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 055ACA6A

Memory Dump Source

Source File: 00000003.00000002.3898404037.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55a0000_csc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9a6fb3b24360f8680fee67fbf1fbd90239dc8ab157bccec7ac4eeab139b15c7a
Instruction ID: 9d770a61877b0a4c0723a761468979a346439bd3d03128f9cc75b961100812d6
Opcode Fuzzy Hash: 9a6fb3b24360f8680fee67fbf1fbd90239dc8ab157bccec7ac4eeab139b15c7a
Instruction Fuzzy Hash: 171125B1D002498BCB20DFAAC4457AEFBF5FF88724F208419D51AA7240CB79A944CBA5

Function 09802D55 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbeb7c28d5feb24e20afdcf91445a838ad4d32f075fdb0efdbb9f0b5860b578e
Instruction ID: b01e459f5aee12c79b3ed82035efb673a85f4bd4be25f774403d0e394b4f7d54
Opcode Fuzzy Hash: cbeb7c28d5feb24e20afdcf91445a838ad4d32f075fdb0efdbb9f0b5860b578e
Instruction Fuzzy Hash: 0DA15B70E00209CFDB50CFA8D99579DBBF1AF88354F14812DE429E7394EB749895CB81

Function 06E80CC8 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3898625887.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b32078887a54871d6a5460d81ecf7aa96ee445f1349d111af7a1f2f1f408ca
Instruction ID: 8db97cba2f1aaf78ae854ba3625a32a7b896c1d2ca9c7cca6d834f9dcfeb2e0e
Opcode Fuzzy Hash: a8b32078887a54871d6a5460d81ecf7aa96ee445f1349d111af7a1f2f1f408ca
Instruction Fuzzy Hash: 7D5153207003468FD7156AAEC49C76BA6FFAFE4605F54803D630AC72D8DFA58C09C795

Function 09805936 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0b78f5e827acd103c2636a0b58b0430c24ba9ec93084681b02934b164ed842
Instruction ID: 782f5cb908c669eb2b066f9860df3e3f183fa30eb55d0a82f2698c933cc1e18f
Opcode Fuzzy Hash: ce0b78f5e827acd103c2636a0b58b0430c24ba9ec93084681b02934b164ed842
Instruction Fuzzy Hash: C5614E30504209CFE760CF56D9A5BAD7BB2FB85314F24806DE001EB396D778A986CF21

Function 09805B22 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5137fd1c4c19a9a68d4567e885c81d3bad1f162d9dfcf2416810b3d8bda7fd
Instruction ID: ea5e631dd5fd7d1d41e5e853b893cc6b6f372524f87d12bf57dbec0a3716f8e2
Opcode Fuzzy Hash: 3f5137fd1c4c19a9a68d4567e885c81d3bad1f162d9dfcf2416810b3d8bda7fd
Instruction Fuzzy Hash: CE513C30500509CFEB60CF52DAA5B6DBBB2FB84314F64806DE005EB796D778A985CF25

Function 09807A20 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ebf1abf4ddab3fec1a926ae3c848c3c2f5c8a4fb52a7a66393013ca73accd3a
Instruction ID: 2c88e48e07cff348519bad2877cee958e427d868f2115b916c17c8fe14450fa1
Opcode Fuzzy Hash: 5ebf1abf4ddab3fec1a926ae3c848c3c2f5c8a4fb52a7a66393013ca73accd3a
Instruction Fuzzy Hash: 73410730A01106CFE794CF15CD69BAA73A2FBD4344F18C0A9E51ACB7D6D738AA45CB45

Function 09805F40 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71d4f4a4073a3fc1f4541a25661cb31f3804fd52eb0db92bacdafef73ad5256
Instruction ID: 3c4c784e3dd7e410fecd509d4cc06ffe405b1dce3ccdb215e5d352a4e7adcd8c
Opcode Fuzzy Hash: a71d4f4a4073a3fc1f4541a25661cb31f3804fd52eb0db92bacdafef73ad5256
Instruction Fuzzy Hash: 2441BF32A00204CFE754CF65DD99B59BBA2FBC8340F64816DE1099B3D5CB79A845CF50

Function 09805F60 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf4fff5185577fa5fd3868f4b17246e2b22ea7c0f882004c84d449e2bcb2203
Instruction ID: fbda44518d0a299dbf6a2ff4d2c54701f3139de8981a8e3e35963c3a54933f88
Opcode Fuzzy Hash: ddf4fff5185577fa5fd3868f4b17246e2b22ea7c0f882004c84d449e2bcb2203
Instruction Fuzzy Hash: 8F41CD31A01204CFE750CF65C999BAABBA2FBC8310F64826CE1099B3D5CB79A841CF54

Function 0980403F Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb56d173a4b4d18801d47cfb921daa3ce7ecd966bfb520a9a748c5f25edc392
Instruction ID: ee2fcb2fd577f398f027cae46fe8330f1e8d88650d4ef5a03606f053565fe1e8
Opcode Fuzzy Hash: ecb56d173a4b4d18801d47cfb921daa3ce7ecd966bfb520a9a748c5f25edc392
Instruction Fuzzy Hash: 38417A30645115CFEB94CB24DE697A933B3EBD4304F14806DD216DB7B2EB789989CB09

Function 0980059D Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9844fea988c9b2104e8fcbbe5b42d24c5f626ad70f05bbd0fd2d3ff548f854
Instruction ID: 95755e6a096dae6dc85e332bed1cfdd9884b3759c879f0af3b583a89d86921de
Opcode Fuzzy Hash: 2e9844fea988c9b2104e8fcbbe5b42d24c5f626ad70f05bbd0fd2d3ff548f854
Instruction Fuzzy Hash: 9D4113B1D00308DFCB10DFA9C890ADEBFB5FF88314F108129E419AB250DB759945CB90

Function 098052BF Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597b3d8bea7169749afea0b59edbf0c4c8a475413164db29f457938552df9312
Instruction ID: d888b8615ee2a126ddea44383bfccc1b952794daedcdea3f961f34bf43cf35ac
Opcode Fuzzy Hash: 597b3d8bea7169749afea0b59edbf0c4c8a475413164db29f457938552df9312
Instruction Fuzzy Hash: 8131F73070020CCBE7449AA5D57879EBBA3EBC1700F12622DF402DBBC5CBB49D468BA5

Function 09807A10 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc737cbd6b260d18434d4bbe6f32739e9d3b578e2faca832c7576a090d80fcb
Instruction ID: 6946fcf82792ee245ab48842602aa4c483b956a08a76da42d1b379674e4f9dfb
Opcode Fuzzy Hash: 1fc737cbd6b260d18434d4bbe6f32739e9d3b578e2faca832c7576a090d80fcb
Instruction Fuzzy Hash: 46412B30A01106CFD794CF29CD69BAAB7A6BBC4344F08C0ADE519CB7D5E738AA45CA44

Function 098005A8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427980a5ceadea529ca6ba3582dca466f6d29eb0d81dc6618c293fca4b4f294c
Instruction ID: 1595f691ad036a4cb1c41f679404acd63a4dfd39a2e3892433e0f8fbdee93225
Opcode Fuzzy Hash: 427980a5ceadea529ca6ba3582dca466f6d29eb0d81dc6618c293fca4b4f294c
Instruction Fuzzy Hash: 4541EEB0D003499FDB10DF99C994ADEBFB5FF88314F248029E419AB254DB75A985CB90

Function 09807B70 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46f812a2f3388454f57c742a06ca26a4ff4d3a1c2f6b98b4a3c4717c3bfb7e8
Instruction ID: 251882a53580a6896e2e654efc25f64a2fcd745fbf27d34520ac0145698753a1
Opcode Fuzzy Hash: c46f812a2f3388454f57c742a06ca26a4ff4d3a1c2f6b98b4a3c4717c3bfb7e8
Instruction Fuzzy Hash: 16312830701106CBE794CE15DD69BA6B3A6BBD0344F08C0ADE41ACB7D6E738BA45CA44

Function 0980559D Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5d86007a01aaba2d2770ddfe2d7f4725b7cf6eb258aa2faeaae935851a5da1
Instruction ID: e803ea4c045ece4ac6fd04d5491f7ff9fa4f03c74fc02f3f68b4b387e2f5dc89
Opcode Fuzzy Hash: 6f5d86007a01aaba2d2770ddfe2d7f4725b7cf6eb258aa2faeaae935851a5da1
Instruction Fuzzy Hash: D731723070020CCBD7849AA5D5787ADBBA3ABC5304F11A62CE406CBBC5DBB99D45CBA5

Function 098054D1 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e380c3de1e07d7806be02cb71358294b50dd391d334403820cb81c2d4763a7
Instruction ID: 8d814f3ebddca26abe67fdf3898e5dc596b089ee6bb7e08054e258f2ced9f3d0
Opcode Fuzzy Hash: 74e380c3de1e07d7806be02cb71358294b50dd391d334403820cb81c2d4763a7
Instruction Fuzzy Hash: AB31A13070020CCBD784CA95D6747ADB7A3ABC5304F52A66CE406CBBC5CBB89D458FA9

Function 0980545B Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17bdcb06d8e571e07ce18d7c78a879a75158399997a76548c312a3f4f585773
Instruction ID: e03f6643a4ca7e102d04b6f2ccfa643777cfedb64601a51dc1cd8f615c851bbd
Opcode Fuzzy Hash: a17bdcb06d8e571e07ce18d7c78a879a75158399997a76548c312a3f4f585773
Instruction Fuzzy Hash: 2331933070020CCBD7448A95D5747ADB7E3ABC5304F22A56CF4068BBC5CBB99D458F65

Function 09805562 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 467d97e5981cb064612666125abbbba6fb843f3e762673b75722cac8d4c79ff1
Instruction ID: 56f3db8a1dab64acdf7e7c64bf4e9a28106180c39b4d149320e5c68724f214c7
Opcode Fuzzy Hash: 467d97e5981cb064612666125abbbba6fb843f3e762673b75722cac8d4c79ff1
Instruction Fuzzy Hash: BF31933070020CCBD7449AA5D5787ADBBA3ABC5304F11A62CE406CBBC5CBB99D45CB55

Function 09805733 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a84d65836dd2291c35575351f09466ff0bd08b53fc068a12a88efb0930aa9a7
Instruction ID: 1755c73b4cca93d25fd2924aa75783d9e2a9bdeaec1a017de3359f90dd748dcf
Opcode Fuzzy Hash: 7a84d65836dd2291c35575351f09466ff0bd08b53fc068a12a88efb0930aa9a7
Instruction Fuzzy Hash: C631A23070020CCBE7548AA5D5787ADB7E3ABC5304F22A61CF4168BBC5CBB89D418F55

Function 09805535 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697cc92a5b0a9d2d050e6e030fb4092ee274e57bb9308fe290c5af835373cc89
Instruction ID: 4e37d7a2d0ae7dc66eb2bf595c39140b6a0221774b4642929678012c240b1925
Opcode Fuzzy Hash: 697cc92a5b0a9d2d050e6e030fb4092ee274e57bb9308fe290c5af835373cc89
Instruction Fuzzy Hash: 5221963070020CCBE7489A95D5747ADB7E3ABC5304F11A66CE406CBBC5CBB89D458BA5

Function 09805377 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8187f865ae99f9871cffadf974b2da487e1215eb683da8a397c17664fb20e91b
Instruction ID: 5cecfba5a069d124d267ccbd37c13dd36af06ce35ce9ed5dc36002470f777ecd
Opcode Fuzzy Hash: 8187f865ae99f9871cffadf974b2da487e1215eb683da8a397c17664fb20e91b
Instruction Fuzzy Hash: 9521B63070020CCBE7449A95D5747ADB7A3ABC1304F52A62CF406CBBC5DBB89D458FA5

Function 098053C7 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0cf3ad8fb4bff388bbe39b2be9c842ee81ebf809612f9683dc6a7e2cd17695
Instruction ID: cb5dd91db457f052ae36db149313ca2d63ac5c5a08018fe3b90aa2ce24f82b53
Opcode Fuzzy Hash: bd0cf3ad8fb4bff388bbe39b2be9c842ee81ebf809612f9683dc6a7e2cd17695
Instruction Fuzzy Hash: 3E21613070020CCBE7449A95D5747ADB7A3ABC5304F16A66CE4068BBC5CBB89D458BA5

Function 09805602 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a18062fed6cf5a963f81dfe482cf851d7d8f93de72b779895da95737d19a048
Instruction ID: 8a8a2a2f814ba18b338aa5024047e89be90f2e4683a8306e8b837769600829e5
Opcode Fuzzy Hash: 7a18062fed6cf5a963f81dfe482cf851d7d8f93de72b779895da95737d19a048
Instruction Fuzzy Hash: 9F21C93070020CCBD7849A95D57476EB7A3ABC5704F12A61CF406CBBC5CBB89D428FA5

Function 09805781 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213c3603a864f9893ccbc0863769af4b457c9fed90ca43d1551f5d17322d7122
Instruction ID: 7f48ed44739f9d6cb99cff86c3d57dedd8570163e66063759e23524a70f0fcd9
Opcode Fuzzy Hash: 213c3603a864f9893ccbc0863769af4b457c9fed90ca43d1551f5d17322d7122
Instruction Fuzzy Hash: 9021943070020CCBE7549A95D5747ADB7E3ABC5304F12A61CE406CBBC5CBB89D458FA5

Function 098053A1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8120f38027fef1b55d492e745a2c7d7b1e04d19cb87e815104869c56ea416a57
Instruction ID: 09f650350d1f2126f50e6e9a6e4a57e796bd8942c9c2894f9d8e2b3576b003b2
Opcode Fuzzy Hash: 8120f38027fef1b55d492e745a2c7d7b1e04d19cb87e815104869c56ea416a57
Instruction Fuzzy Hash: DC21743070020CCBE7949A95D5787ADB7A3ABC5304F52A61CE406CBBC5CBB89D45CFA5

Function 09805434 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f6126e10b2be91a7af0a17cae67fe9351566f42e4f79c69c21a9ad6fe00cc4
Instruction ID: 7d3c8dae0bd86493ad61fb0e78bc36ed83a1c6f63bed01f528291e473a3b87e7
Opcode Fuzzy Hash: 39f6126e10b2be91a7af0a17cae67fe9351566f42e4f79c69c21a9ad6fe00cc4
Instruction Fuzzy Hash: C121863070020CCBE7849AA6D5747ADB7E3ABC5304F22A61CE406CBBC5DBB85D458F69

Function 09805491 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d24435abe76e01dae2e6343ee2d2337f5b20e80e36e889f93d2b07d2140aba4
Instruction ID: 359afb82d8cfe34503842baaf0675c318b2fe47b4ee27360808eaccbed13b495
Opcode Fuzzy Hash: 3d24435abe76e01dae2e6343ee2d2337f5b20e80e36e889f93d2b07d2140aba4
Instruction Fuzzy Hash: 6F21B83070420CCBE7549A95D5747ADB7A3ABC5304F12A61CF406CBBC5CBB89D468FA5

Function 098053BD Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e22fa8a9ed58ec50e6ce877ed422fba7b626d888125a838fed5df13c3280a31
Instruction ID: 8b4e2a589e080ca908e5dff1ee62967ff258c6c50a9f5f42f71466879e9761e3
Opcode Fuzzy Hash: 3e22fa8a9ed58ec50e6ce877ed422fba7b626d888125a838fed5df13c3280a31
Instruction Fuzzy Hash: 0321863070420CCBE7949AA5D5747ADB7E3ABC5304F12A61CE406CBBC5CBB89D468FA5

Function 098055E5 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10feb5b512e2cc9ed14baaae48c60e82ef8b20737324d6739467684fa7857d2a
Instruction ID: ef5b657dac67172968186b2651010c438df0ca44d32a4eb4ad12edcdb69f4005
Opcode Fuzzy Hash: 10feb5b512e2cc9ed14baaae48c60e82ef8b20737324d6739467684fa7857d2a
Instruction Fuzzy Hash: 9621983070020CCBD7449A95D5747ADB7E3ABC5304F22A62CE506CBBC5CBB45D458FA5

Function 0980530A Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d333cac698f8c69827227769a2f95f5feb4e0c9eab6277364c30178e980d51a
Instruction ID: c7aad9de17106fa3e3b0a2b2e16adca80fdba0284d8fabb920295b0bddc5cf08
Opcode Fuzzy Hash: 4d333cac698f8c69827227769a2f95f5feb4e0c9eab6277364c30178e980d51a
Instruction Fuzzy Hash: 1321983070020CCBD7449AA5D5747ADB7E3ABC5304F21A61CE406CBBC5CBB49D468BA5

Function 098051A8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b90e8411d0f31a241fe926328acce18ad194b1a631a0e1203e1ee137f149825
Instruction ID: 63e7fa2d6024cec58cdd83722ceb6046e9af8a9a0d6940641ea3f7c5fffbc788
Opcode Fuzzy Hash: 0b90e8411d0f31a241fe926328acce18ad194b1a631a0e1203e1ee137f149825
Instruction Fuzzy Hash: D1014970B063218FCB163B70841935E3BE6AF8562071408BFD44ACB291EE3AC843C792

Function 09806281 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d271c10ab1dba15e5e50d22f0eacf445ced6a794dbb27868c776f893ee1127
Instruction ID: 2822180e988795ab3eda332a5c718a261dbc54fe3a9d7b1064c571a926955360
Opcode Fuzzy Hash: 92d271c10ab1dba15e5e50d22f0eacf445ced6a794dbb27868c776f893ee1127
Instruction Fuzzy Hash: 81018B31A01208DBDB189B68D8295AE7FF3EBC8711F11842EE802E7390DFB14D058B91

Function 098051B8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534ce5c0e8fdbe9d58edfeb9cfa256a665c52cdff53aa4286029c35be6f9437e
Instruction ID: 63d275f05b323ce4b26951bfa43f486684747cf05e5b643f41e30d1d85d5dbc5
Opcode Fuzzy Hash: 534ce5c0e8fdbe9d58edfeb9cfa256a665c52cdff53aa4286029c35be6f9437e
Instruction Fuzzy Hash: CDF04F31B063615FDB263775481822E7AD6AFC5A25B14087ED54ACB391EE3EC84387C6

Function 09806290 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f59717c1789a04c31c1d8e3571e2418a03945c26f0f677f971986858e7a6c0f
Instruction ID: d1ab261d1f7f09a28da2b8bc49331addc4a1e199d1cdf330f35479468d8e4d40
Opcode Fuzzy Hash: 2f59717c1789a04c31c1d8e3571e2418a03945c26f0f677f971986858e7a6c0f
Instruction Fuzzy Hash: 4D019E31600208EBDB149F65C8296AE7FF7EB8C710F11402DE502A7380DF715D04CB91

Function 06E10BA1 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3898521032.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e10000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7132a4a1aa5c378e31dcae936eb0a31d07dae1a658dc520b2007fc6e6e167dd
Instruction ID: 7cc452c49e3943fc590727118c5b8178bf644c487b07d07055d132699a1cb002
Opcode Fuzzy Hash: c7132a4a1aa5c378e31dcae936eb0a31d07dae1a658dc520b2007fc6e6e167dd
Instruction Fuzzy Hash: 7EF08177E063105FD790CF759408A9EBB66EB84715B42C477D40EDF206DD308441AF84

Function 098058A8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f56bd65e633ed2e28e83a9496b8a74fb0a13d1c17a7d12cab3e2a2494a39a1cf
Instruction ID: 2498160afc7e6c05634eb36a70343409f4ef469386387336e8ffb06bb8f3af30
Opcode Fuzzy Hash: f56bd65e633ed2e28e83a9496b8a74fb0a13d1c17a7d12cab3e2a2494a39a1cf
Instruction Fuzzy Hash: A201D630A00218DBDB649A29C85579A77E6EBC0300F20853EE50297795DB359D468FA6

Function 09804340 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08db6334a58165deefa64822308bffce15b748255951f71f1c827c5e32fd7d9
Instruction ID: ea45b08f5c7696102099b486790ffc56bba8879dafc93d5a541ecf88e204babf
Opcode Fuzzy Hash: b08db6334a58165deefa64822308bffce15b748255951f71f1c827c5e32fd7d9
Instruction Fuzzy Hash: 29F0F631B001189FCB44EEB8E819ADE77E1EFC8304F410079D101EB3A1EB7998158BD2

Function 06E10BB0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3898521032.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e10000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f701e21422c070730e3d3626540b66785dad7bdbe47519322a2130b71a123b
Instruction ID: 89cbbe11e55ca111d993c2c345a162f6bcb1ef496604f895c446c8df21fc4f89
Opcode Fuzzy Hash: 61f701e21422c070730e3d3626540b66785dad7bdbe47519322a2130b71a123b
Instruction Fuzzy Hash: 89F0E232E052209BE790CF669408A9EBBAAEB88615B42C476E80DDB105EE3088419FC1

Function 09804519 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81a828cb3f88ff687881e41c87641c4e3dffd266624ec85c7322cc52b907e78
Instruction ID: 183b917ea6bbb8fafe04e5bc75a84f128045b46c22b48ffe572832c3756819f4
Opcode Fuzzy Hash: a81a828cb3f88ff687881e41c87641c4e3dffd266624ec85c7322cc52b907e78
Instruction Fuzzy Hash: EBF0B430E00208DFCB44AB78D82A66E73B0EB84305F41487DD516DB3E1FB389405CB86

Function 09804350 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26900f5682071cab6a2eb35b16158b1a257fc9fed90b30f1cae87a898f0f126
Instruction ID: 6bf7b19fed4f71fdff3aebc921c422d8622fd3f25187b564e0186db8656e37cb
Opcode Fuzzy Hash: e26900f5682071cab6a2eb35b16158b1a257fc9fed90b30f1cae87a898f0f126
Instruction Fuzzy Hash: E3F08231B001189FCB40EEB8E919ADE77E5EFC9701F410078D205EB3A5DB79A9158B96

Function 09804528 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b291fcd917096d94327b0ababa1c401c50bfcbe4b20759a1bb8a0812df59b1f
Instruction ID: 18724e7c1ab2747b2049ec0992ed00b2dca66c070278621f34f494dc2c379dac
Opcode Fuzzy Hash: 5b291fcd917096d94327b0ababa1c401c50bfcbe4b20759a1bb8a0812df59b1f
Instruction Fuzzy Hash: 0EF03034E04209DFCB44AB78D92526E73B5ABC4319F40487CD606DB3D1FB3D95068B96

Function 09803250 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92411ceb897f5675ba11bd49185722e9c26584e6878cae1eeaac6d4fbb32272d
Instruction ID: 5c37fe13fddc6ebdb51ea063112de7eedcc77fe70aa0c15608edc2735c59a8c9
Opcode Fuzzy Hash: 92411ceb897f5675ba11bd49185722e9c26584e6878cae1eeaac6d4fbb32272d
Instruction Fuzzy Hash: E4F0ED33A0008ADFEB84CEA4DA166FA73E1EBC8303F00482AD516D7240E3BC15078F02

Function 09805279 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae835d5725200566ac487eb031a7dd07cf903b325c265b149fc92243f57ed8e
Instruction ID: 60bbb9487ac5031b06d2f3380ef20497956bf9a815ab60346ee5f376811c6a31
Opcode Fuzzy Hash: fae835d5725200566ac487eb031a7dd07cf903b325c265b149fc92243f57ed8e
Instruction Fuzzy Hash: 7FE092312012945FC71AAB79D959A9A7FA9EFC1210B0144BAD018CB2A1EF698D06C7E5

Function 06E15DF8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3898521032.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e10000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de3e7ef3bff3986bd59b61d0e2d308b6f86e075e8b68cc5d3a2573c8999c29b
Instruction ID: be811a6a5b775d5f14a44ebfe54b6c436ac6e30d36d27e805a821df1a3962308
Opcode Fuzzy Hash: 1de3e7ef3bff3986bd59b61d0e2d308b6f86e075e8b68cc5d3a2573c8999c29b
Instruction Fuzzy Hash: F0F0DAB5A41254CFC790CF28C859A887BF1FF4A314F1540D9D64A9B321EB309D42CF41

Function 06E141DE Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3898521032.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e10000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 135b6ac59687ff5d9b739ffa1c2c1160a49d11318965aefc4ae1bfb51072e954
Instruction ID: 93c8febb660edde7aea29651929132a8551d416d6b53d144b41a64cafe782ec8
Opcode Fuzzy Hash: 135b6ac59687ff5d9b739ffa1c2c1160a49d11318965aefc4ae1bfb51072e954
Instruction Fuzzy Hash: DBF0D475A052148FCB51CF28C994A887BF1FF49309F0601D5D649AB321D774AD85CF40

Function 098057A0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119ae9e466d2b1252fb3a3bbcc66b6ef5e21acad760e55fbc93eadba2ebf108b
Instruction ID: 4c0ce57aa4c6c9ec6485a11a5f1a74b485182b97f5accc9efce750316190042b
Opcode Fuzzy Hash: 119ae9e466d2b1252fb3a3bbcc66b6ef5e21acad760e55fbc93eadba2ebf108b
Instruction Fuzzy Hash: E8E0D834A01014CFF780CA17EE517A87763FBD4315F149079F50682695C7385645DE18

Function 09805288 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67feacc8bbfe58b7a98f93d402e4e8cab5165fda1e17330226f5d20bf7b20cef
Instruction ID: 4dbdd84a8128d6ec7058ba690bb1570ea700aef8fe6b0fc0e6a2c9eb47de3af3
Opcode Fuzzy Hash: 67feacc8bbfe58b7a98f93d402e4e8cab5165fda1e17330226f5d20bf7b20cef
Instruction Fuzzy Hash: 17D0C2322002544BC71A6B6DEA08B9A37AEEFC0210B00003AE1288B350CF69DD05C7E5

Function 09806251 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b96c5fec4bb0442c796e6d80e3b857a13fcc9f598ed5e528a6bd185b9e3457
Instruction ID: 21d91d0345bcb5746049721de4d1d07649ce1767dfe48198fd7db0913b58de2f
Opcode Fuzzy Hash: b8b96c5fec4bb0442c796e6d80e3b857a13fcc9f598ed5e528a6bd185b9e3457
Instruction Fuzzy Hash: DAD012355457528FD70A5614A4126D63F32E797631705819BE001CB1A6CFA40C97CB54

Function 09803260 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a659bead27975fbb4cc572a8081562e0a6e3b7fc709039b6ae05d3565b4fde04
Instruction ID: e7419ea07bff5870683ca2a6bc3834c303749ff8a63303e0882555fa2f18bf85
Opcode Fuzzy Hash: a659bead27975fbb4cc572a8081562e0a6e3b7fc709039b6ae05d3565b4fde04
Instruction Fuzzy Hash: 66E08631E0010DCFDB00DE59C9187EB77B4DB84301F004475D51497341D7B86516CB46

Function 06E10CB9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3898521032.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e10000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cce94552e64198e5ba3eec9e3c2f80f3625a48543e8f269656d10b391bda95f
Instruction ID: aac5898e4b51d46dfff1d0a14e7dece2a45f8f81aa97da430e02abe35e690b4a
Opcode Fuzzy Hash: 5cce94552e64198e5ba3eec9e3c2f80f3625a48543e8f269656d10b391bda95f
Instruction Fuzzy Hash: 32E04F30A14311DFEB454F94C98C6983BB0AB45706B461469EA02DF204CF30D846BF55

Function 09803925 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bcaa85fe0d957a4fd17f93189637df689499a1ac7553cf333ddc0cc160520b
Instruction ID: c33073455df5bb02c3df38cf16263b1241bdb46ddf068f6924e9f5197f3103ce
Opcode Fuzzy Hash: c1bcaa85fe0d957a4fd17f93189637df689499a1ac7553cf333ddc0cc160520b
Instruction Fuzzy Hash: 45E01A306001218FDA84DF28D9A5BE933E5AF48304F0911AE9016DB392CB285A04CB9C

Function 09806698 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3899226256.0000000009800000.00000040.00000800.00020000.00000000.sdmp, Offset: 09800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9800000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6acc56352be8200f86ea79fd87901f5712a697cd9f5dcf61abb1f44bb42b2be
Instruction ID: b4d07bc8930b4743f2ad50b87f6dadbfecd98e7b3985ab53461b62fcc3aed8d5
Opcode Fuzzy Hash: a6acc56352be8200f86ea79fd87901f5712a697cd9f5dcf61abb1f44bb42b2be
Instruction Fuzzy Hash: 98D05E34506340AFC3068B10C951844BFA1EF87211714C0CAE0098B1A2C7329C43CB52

Function 06E11995 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3898521032.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e10000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ceb898bca64e145bfe2f2c665f68f05e7613165e15e5ad916fae51b895cd0f0
Instruction ID: 24c59cfbe0121cefe7368f384e4a174849568976e25adb84f9cc28484f2430cd
Opcode Fuzzy Hash: 0ceb898bca64e145bfe2f2c665f68f05e7613165e15e5ad916fae51b895cd0f0
Instruction Fuzzy Hash: DCB0923146810A8BF2884621940E3C5BD22BB00201F0A46B29C0A8A5218A318C899A80

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MicrosoftOfficeWord.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
MicrosoftOfficeWord.exe

Function 00407C9A Relevance: 44.1, APIs: 2, Strings: 23, Instructions: 306
memoryCOMMON

Function 004085BD Relevance: 44.0, APIs: 2, Strings: 23, Instructions: 266
memoryCOMMONLIBRARYCODE

Function 004080FE Relevance: 44.0, APIs: 2, Strings: 23, Instructions: 262
memoryCOMMON

Function 00409A07 Relevance: 2.1, APIs: 1, Instructions: 551
COMMON

Function 004097D3 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 00409429 Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Function 00411F70 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 205
memoryCOMMON

Function 0040D0B0 Relevance: 73.8, APIs: 30, Strings: 12, Instructions: 308
registrylibraryfileCOMMON

Function 00412270 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 222
filelibraryloaderCOMMON

Function 004125C0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 129
memoryencryptionCOMMON

Function 00402820 Relevance: 24.9, APIs: 1, Strings: 13, Instructions: 421
COMMON

Function 0040385C Relevance: 24.8, APIs: 4, Strings: 10, Instructions: 315
COMMON

Function 0040E290 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 276
windowCOMMON