Play interactive tour

Edit tour

Analysis Report https://platform.marketintelligence.spglobal.com/apisvcs/office-tools-service/file

Overview

General Information

Sample URL:	https://platform.marketintelligence.spglobal.com/apisvcs/office-tools-service/file
Analysis ID:	326523
Most interesting Screenshot:

Detection

Score:	12
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Is looking for software installed on the system

PE file contains sections with non-standard names

PE file contains strange resources

Potential browser exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Analysis Advice

Sample may be VM or Sandbox-aware, try analysis on a native machine

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Startup

System is w10x64

iexplore.exe (PID: 4628 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6000 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4628 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

MIOffice-1.0.20310.2.exe (PID: 2600 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe' MD5: 33305875B9DF2B685AEB973644F6A312)

MIOffice-1.0.20310.2.exe (PID: 2996 cmdline: 'C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe' -burn.clean.room='C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe' -burn.filehandle.attached=576 -burn.filehandle.self=656 MD5: 33305875B9DF2B685AEB973644F6A312)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001DA0BB DecryptFileW,	3_2_001DA0BB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001FFA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	3_2_001FFA62
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001D9E9E DecryptFileW,DecryptFileW,	3_2_001D9E9E
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_0015A0BB DecryptFileW,	4_2_0015A0BB
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_0017FA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	4_2_0017FA62
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_00159E9E DecryptFileW,DecryptFileW,	4_2_00159E9E

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_00204440 FindFirstFileW,FindClose,	3_2_00204440
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001D9B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	3_2_001D9B43
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001F7B87 FindFirstFileExW,	3_2_001F7B87
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001C3CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	3_2_001C3CC4
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_00184440 FindFirstFileW,FindClose,	4_2_00184440
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_00159B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	4_2_00159B43
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_00177B87 FindFirstFileExW,	4_2_00177B87
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_00143CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	4_2_00143CC4
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_6E21E346 FindFirstFileExW,_free,	4_2_6E21E346

Source: C:\Program Files\internet explorer\iexplore.exe

Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Jump to behavior

Source: unknown

DNS traffic detected: queries for: platform.marketintelligence.spglobal.com

Source: MIOffice-1.0.20310.2.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000000.234267082.000000000018B000.00000002.00020000.sdmp, MIOffice-1.0.20310.2[1].exe.2.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: MIOffice-1.0.20310.2[1].exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: MIOffice-1.0.20310.2[1].exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: MIOffice-1.0.20310.2[1].exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: MIOffice-1.0.20310.2[1].exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: MIOffice-1.0.20310.2[1].exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: MIOffice-1.0.20310.2[1].exe.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: MIOffice-1.0.20310.2[1].exe.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: MIOffice-1.0.20310.2[1].exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MIOffice-1.0.20310.2[1].exe.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: MIOffice-1.0.20310.2[1].exe.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: MIOffice-1.0.20310.2[1].exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: MIOffice-1.0.20310.2[1].exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.470572195.00000000009FB000.00000004.00000001.sdmp, MIOffice-1.0.20310.2[1].exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: MIOffice-1.0.20310.2.exe, 00000004.00000002.472305804.0000000002D30000.00000004.00000040.sdmp, thm.xml.4.dr	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: MIOffice-1.0.20310.2.exe, 00000004.00000002.473745812.0000000003040000.00000004.00000001.sdmp	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010(P
Source: MIOffice-1.0.20310.2.exe, 00000004.00000002.473745812.0000000003040000.00000004.00000001.sdmp	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010.spglle
Source: MIOffice-1.0.20310.2.exe, 00000004.00000002.473745812.0000000003040000.00000004.00000001.sdmp	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010D0572d=
Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.471806243.0000000002F20000.00000004.00000040.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236712544.0000000000EDF000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.471013244.0000000000E88000.00000004.00000020.sdmp, S&P_Global_Market_Intelligence_Office_20201203165440.log.4.dr	String found in binary or memory: https://app.snl.com/
Source: BootstrapperApplicationData.xml.4.dr	String found in binary or memory: https://app.snl.com/SNL.Services.Application.Office.Deploy.Service/Content/Prereqs/VC_REDIST/vc_redi
Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.472701338.0000000003090000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236682759.0000000000EB3000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236701626.0000000000ED4000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.472305804.0000000002D30000.00000004.00000040.sdmp, BootstrapperApplicationData.xml.4.dr	String found in binary or memory: https://app.snl.com/SNL.Services.Application.Office.Deploy.Service/Content/Prereqs/VSTOR2010/vstor_r
Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.472701338.0000000003090000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236682759.0000000000EB3000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236701626.0000000000ED4000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.473745812.0000000003040000.00000004.00000001.sdmp, BootstrapperApplicationData.xml.4.dr	String found in binary or memory: https://app.snl.com/SNL.Services.Application.Office.Deploy.Service/Content/en-US/MIOffice-x64-1.0.20
Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.472701338.0000000003090000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236682759.0000000000EB3000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236701626.0000000000ED4000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.473745812.0000000003040000.00000004.00000001.sdmp, BootstrapperApplicationData.xml.4.dr	String found in binary or memory: https://app.snl.com/SNL.Services.Application.Office.Deploy.Service/Content/en-US/MIOffice-x86-1.0.20
Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.472701338.0000000003090000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236682759.0000000000EB3000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236701626.0000000000ED4000.00000004.00000001.sdmp, BootstrapperApplicationData.xml.4.dr	String found in binary or memory: https://app.snl.com/SNL.Services.Application.Office.Deploy.Service/Content/en-US/PluginManager-1.0.2
Source: MIOffice-1.0.20310.2.exe, 00000004.00000002.472305804.0000000002D30000.00000004.00000040.sdmp, thm.xml.4.dr	String found in binary or memory: https://ecs.syr.edu/faculty/fawcett/handouts/Coretechnologies/WindowsProgramming/WinUser.h
Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.472701338.0000000003090000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236712544.0000000000EDF000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.471013244.0000000000E88000.00000004.00000020.sdmp, S&P_Global_Market_Intelligence_Office_20201203165440.log.4.dr	String found in binary or memory: https://platform.mi.spglobal.cn/
Source: BootstrapperApplicationData.xml.4.dr	String found in binary or memory: https://platform.mi.spglobal.cn/SNL.Services.Application.Office.Deploy.Service/Content/Prereqs/VC_RE
Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.472701338.0000000003090000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236682759.0000000000EB3000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236701626.0000000000ED4000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.473745812.0000000003040000.00000004.00000001.sdmp, BootstrapperApplicationData.xml.4.dr	String found in binary or memory: https://platform.mi.spglobal.cn/SNL.Services.Application.Office.Deploy.Service/Content/Prereqs/VSTOR
Source: BootstrapperApplicationData.xml.4.dr	String found in binary or memory: https://platform.mi.spglobal.cn/SNL.Services.Application.Office.Deploy.Service/Content/en-US/MIOffic
Source: MIOffice-1.0.20310.2.exe, 00000004.00000003.236701626.0000000000ED4000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.473745812.0000000003040000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.473715686.0000000002F30000.00000004.00000001.sdmp, BootstrapperApplicationData.xml.4.dr	String found in binary or memory: https://platform.mi.spglobal.cn/SNL.Services.Application.Office.Deploy.Service/Content/en-US/PluginM
Source: MIOffice-1.0.20310.2[1].exe.2.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

File created: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001F001D	3_2_001F001D
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001E41EA	3_2_001E41EA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001C62AA	3_2_001C62AA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001EC332	3_2_001EC332
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001F03D5	3_2_001F03D5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001FA560	3_2_001FA560
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001F07AA	3_2_001F07AA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001CA8F1	3_2_001CA8F1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001FAA0E	3_2_001FAA0E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001F0B6F	3_2_001F0B6F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001EFB89	3_2_001EFB89
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001F2C18	3_2_001F2C18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001F2E47	3_2_001F2E47
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001FEE7C	3_2_001FEE7C
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_0017001D	4_2_0017001D
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_001641EA	4_2_001641EA
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_001462AA	4_2_001462AA
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_0016C332	4_2_0016C332
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_001703D5	4_2_001703D5
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_0017A560	4_2_0017A560
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_001707AA	4_2_001707AA
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_0014A8F1	4_2_0014A8F1
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_0017AA0E	4_2_0017AA0E
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_00170B6F	4_2_00170B6F
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_0016FB89	4_2_0016FB89
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_00172C18	4_2_00172C18
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_00172E47	4_2_00172E47
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_0017EE7C	4_2_0017EE7C
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_6E222631	4_2_6E222631
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_6E218639	4_2_6E218639
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_6E222505	4_2_6E222505
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_6E223AE5	4_2_6E223AE5
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_6E21FBC0	4_2_6E21FBC0
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_6E218862	4_2_6E218862
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_6E22004D	4_2_6E22004D

Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: String function: 00141F13 appears 54 times
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: String function: 00180237 appears 683 times
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: String function: 00180726 appears 34 times
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: String function: 001832F3 appears 83 times
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: String function: 00143821 appears 501 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: String function: 00200237 appears 683 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: String function: 001C3821 appears 501 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: String function: 001C1F13 appears 54 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: String function: 00200726 appears 34 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: String function: 002032F3 appears 83 times

Source: MIOffice-1.0.20310.2[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MIOffice-1.0.20310.2.exe.faw88rs.partial.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MIOffice-1.0.20310.2.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: classification engine

Classification label: clean12.evad.win@7/43@1/0

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Code function: 3_2_001FFE21 FormatMessageW,GetLastError,LocalFree,

3_2_001FFE21

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001C45EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		3_2_001C45EE
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_001445EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		4_2_001445EE

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Code function: 3_2_0020304F GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

3_2_0020304F

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Code function: 3_2_001E6B88 ChangeServiceConfigW,GetLastError,

3_2_001E6B88

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF4120EC3AEBEAA047.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Command line argument: cabinet.dll	3_2_001C1070
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Command line argument: msi.dll	3_2_001C1070
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Command line argument: version.dll	3_2_001C1070
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Command line argument: wininet.dll	3_2_001C1070
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Command line argument: comres.dll	3_2_001C1070
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Command line argument: clbcatq.dll	3_2_001C1070
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Command line argument: msasn1.dll	3_2_001C1070
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Command line argument: crypt32.dll	3_2_001C1070
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Command line argument: feclient.dll	3_2_001C1070
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Command line argument: cabinet.dll	3_2_001C1070
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Command line argument: cabinet.dll	4_2_00141070
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Command line argument: msi.dll	4_2_00141070
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Command line argument: version.dll	4_2_00141070
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Command line argument: wininet.dll	4_2_00141070
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Command line argument: comres.dll	4_2_00141070
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Command line argument: clbcatq.dll	4_2_00141070
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Command line argument: msasn1.dll	4_2_00141070
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Command line argument: crypt32.dll	4_2_00141070
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Command line argument: feclient.dll	4_2_00141070
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Command line argument: cabinet.dll	4_2_00141070

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MIOffice-1.0.20310.2.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: MIOffice-1.0.20310.2.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4628 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe'
Source: unknown	Process created: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe 'C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe' -burn.clean.room='C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe' -burn.filehandle.attached=576 -burn.filehandle.self=656
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4628 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Process created: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe 'C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe' -burn.clean.room='C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe' -burn.filehandle.attached=576 -burn.filehandle.self=656	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe

Window detected: Number of UI elements: 20

Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: MIOffice-1.0.20310.2.exe, 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000000.234267082.000000000018B000.00000002.00020000.sdmp, MIOffice-1.0.20310.2[1].exe.2.dr
Source:	Binary string: D:\C\_work\3\a\WixBaDetectCapIqFunc.pdb source: MIOffice-1.0.20310.2.exe, 00000004.00000002.480308584.000000006E225000.00000002.00020000.sdmp, bafunctions.dll.4.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: MIOffice-1.0.20310.2.exe, 00000004.00000002.480396463.000000006E26F000.00000002.00020000.sdmp, wixstdba.dll.4.dr

Source: MIOffice-1.0.20310.2[1].exe.2.dr	Static PE information: section name: .wixburn
Source: MIOffice-1.0.20310.2.exe.faw88rs.partial.2.dr	Static PE information: section name: .wixburn
Source: MIOffice-1.0.20310.2.exe.3.dr	Static PE information: section name: .wixburn

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001EEAD6 push ecx; ret	3_2_001EEAE9
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_0016EAD6 push ecx; ret	4_2_0016EAE9
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_6E212F06 push ecx; ret	4_2_6E212F19
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_6E224378 push ecx; ret	4_2_6E224376

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\MIOffice-1.0.20310.2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	File created: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Jump to dropped file
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	File created: C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\bafunctions.dll	Jump to dropped file
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	File created: C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe.faw88rs.partial	Jump to dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	File created: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Jump to dropped file
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	File created: C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\bafunctions.dll	Jump to dropped file
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	File created: C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\wixstdba.dll	Jump to dropped file

Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Evaded block: after key decision

Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

API coverage: 9.7 %

Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe

Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001FFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 001FFF61h	3_2_001FFEC6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001FFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 001FFF5Ah	3_2_001FFEC6
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_0017FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0017FF61h	4_2_0017FEC6
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_0017FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0017FF5Ah	4_2_0017FEC6

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_00204440 FindFirstFileW,FindClose,	3_2_00204440
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001D9B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	3_2_001D9B43
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001F7B87 FindFirstFileExW,	3_2_001F7B87
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001C3CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	3_2_001C3CC4
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_00184440 FindFirstFileW,FindClose,	4_2_00184440
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_00159B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	4_2_00159B43
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_00177B87 FindFirstFileExW,	4_2_00177B87
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_00143CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	4_2_00143CC4
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_6E21E346 FindFirstFileExW,_free,	4_2_6E21E346

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Code function: 3_2_002097A5 VirtualQuery,GetSystemInfo,

3_2_002097A5

Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.471875192.0000000002F30000.00000002.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.472355868.0000000002D40000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.471875192.0000000002F30000.00000002.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.472355868.0000000002D40000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.471875192.0000000002F30000.00000002.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.472355868.0000000002D40000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.471875192.0000000002F30000.00000002.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.472355868.0000000002D40000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Code function: 3_2_001EE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_001EE88A

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001F48D8 mov eax, dword ptr fs:[00000030h]	3_2_001F48D8
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_001748D8 mov eax, dword ptr fs:[00000030h]	4_2_001748D8
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_6E21A550 mov eax, dword ptr fs:[00000030h]	4_2_6E21A550
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_6E216A55 mov eax, dword ptr fs:[00000030h]	4_2_6E216A55

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Code function: 3_2_001C394F GetProcessHeap,RtlAllocateHeap,

3_2_001C394F

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001EE9DC SetUnhandledExceptionFilter,	3_2_001EE9DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001EE3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_001EE3D8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001EE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_001EE88A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Code function: 3_2_001F3C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_001F3C76
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_0016E9DC SetUnhandledExceptionFilter,	4_2_0016E9DC
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_0016E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0016E3D8
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_0016E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0016E88A
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_00173C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00173C76
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_6E21271F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6E21271F
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_6E219F69 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6E219F69
Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	Code function: 4_2_6E212D37 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6E212D37

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Process created: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe 'C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe' -burn.clean.room='C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe' -burn.filehandle.attached=576 -burn.filehandle.self=656

Jump to behavior

Source: unknown	Process created: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe 'C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe' -burn.clean.room='C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe' -burn.filehandle.attached=576 -burn.filehandle.self=656
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe	Process created: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe 'C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe' -burn.clean.room='C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe' -burn.filehandle.attached=576 -burn.filehandle.self=656			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Code function: 3_2_00201719 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

3_2_00201719

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Code function: 3_2_00203A5F AllocateAndInitializeSid,CheckTokenMembership,

3_2_00203A5F

Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.471009716.0000000001350000.00000002.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.471160189.0000000001310000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.471009716.0000000001350000.00000002.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.471160189.0000000001310000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.471009716.0000000001350000.00000002.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.471160189.0000000001310000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: MIOffice-1.0.20310.2.exe, 00000003.00000002.471009716.0000000001350000.00000002.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.471160189.0000000001310000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Code function: 3_2_001EEC07 cpuid

3_2_001EEC07

Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe

Queries volume information: C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\logo.png VolumeInformation

Jump to behavior

Source: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Code function: 3_2_001D4EDF ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

3_2_001D4EDF

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Code function: 3_2_001C6037 GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError,

3_2_001C6037

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Code function: 3_2_001C61DF GetUserNameW,GetLastError,

3_2_001C61DF

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Code function: 3_2_0020887B GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

3_2_0020887B

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe

Code function: 3_2_001C5195 GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

3_2_001C5195

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter13	Windows Service1	Access Token Manipulation1	Masquerading21	OS Credential Dumping	System Time Discovery22	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Service Execution1	Boot or Logon Initialization Scripts	Windows Service1	Virtualization/Sandbox Evasion1	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API3	Logon Script (Windows)	Process Injection13	Access Token Manipulation1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution1	Logon Script (Mac)	Logon Script (Mac)	Process Injection13	NTDS	Process Discovery11	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery35	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://platform.marketintelligence.spglobal.com/apisvcs/office-tools-service/file	0%	Virustotal		Browse
https://platform.marketintelligence.spglobal.com/apisvcs/office-tools-service/file	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe.faw88rs.partial	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\MIOffice-1.0.20310.2[1].exe	0%	ReversingLabs
C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe	0%	ReversingLabs
C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\bafunctions.dll	0%	ReversingLabs
C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\wixstdba.dll	0%	Metadefender	Browse
C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\wixstdba.dll	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://platform.mi.spglobal.cn/SNL.Services.Application.Office.Deploy.Service/Content/Prereqs/VC_RE	0%	Avira URL Cloud	safe
https://platform.mi.spglobal.cn/SNL.Services.Application.Office.Deploy.Service/Content/en-US/PluginM	0%	Avira URL Cloud	safe
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor	0%	Avira URL Cloud	safe
https://platform.mi.spglobal.cn/	0%	Avira URL Cloud	safe
https://platform.mi.spglobal.cn/SNL.Services.Application.Office.Deploy.Service/Content/en-US/MIOffic	0%	Avira URL Cloud	safe
https://platform.mi.spglobal.cn/SNL.Services.Application.Office.Deploy.Service/Content/Prereqs/VSTOR	0%	Avira URL Cloud	safe
http://appsyndication.org/2006/appsyn	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
platform.marketintelligence.spglobal.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
0	false		low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://wixtoolset.org/schemas/thmutil/2010.spglle	MIOffice-1.0.20310.2.exe, 00000004.00000002.473745812.0000000003040000.00000004.00000001.sdmp	false		high
https://app.snl.com/SNL.Services.Application.Office.Deploy.Service/Content/Prereqs/VSTOR2010/vstor_r	MIOffice-1.0.20310.2.exe, 00000003.00000002.472701338.0000000003090000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236682759.0000000000EB3000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236701626.0000000000ED4000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.472305804.0000000002D30000.00000004.00000040.sdmp, BootstrapperApplicationData.xml.4.dr	false		high
http://wixtoolset.org/schemas/thmutil/2010(P	MIOffice-1.0.20310.2.exe, 00000004.00000002.473745812.0000000003040000.00000004.00000001.sdmp	false		high
https://app.snl.com/	MIOffice-1.0.20310.2.exe, 00000003.00000002.471806243.0000000002F20000.00000004.00000040.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236712544.0000000000EDF000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.471013244.0000000000E88000.00000004.00000020.sdmp, S&P_Global_Market_Intelligence_Office_20201203165440.log.4.dr	false		high
https://platform.mi.spglobal.cn/SNL.Services.Application.Office.Deploy.Service/Content/Prereqs/VC_RE	BootstrapperApplicationData.xml.4.dr	false	Avira URL Cloud: safe	unknown
https://platform.mi.spglobal.cn/SNL.Services.Application.Office.Deploy.Service/Content/en-US/PluginM	MIOffice-1.0.20310.2.exe, 00000004.00000003.236701626.0000000000ED4000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.473745812.0000000003040000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.473715686.0000000002F30000.00000004.00000001.sdmp, BootstrapperApplicationData.xml.4.dr	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/schemas/thmutil/2010	MIOffice-1.0.20310.2.exe, 00000004.00000002.472305804.0000000002D30000.00000004.00000040.sdmp, thm.xml.4.dr	false		high
https://app.snl.com/SNL.Services.Application.Office.Deploy.Service/Content/en-US/MIOffice-x86-1.0.20	MIOffice-1.0.20310.2.exe, 00000003.00000002.472701338.0000000003090000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236682759.0000000000EB3000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236701626.0000000000ED4000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.473745812.0000000003040000.00000004.00000001.sdmp, BootstrapperApplicationData.xml.4.dr	false		high
https://app.snl.com/SNL.Services.Application.Office.Deploy.Service/Content/Prereqs/VC_REDIST/vc_redi	BootstrapperApplicationData.xml.4.dr	false		high
http://wixtoolset.org/schemas/thmutil/2010D0572d=	MIOffice-1.0.20310.2.exe, 00000004.00000002.473745812.0000000003040000.00000004.00000001.sdmp	false		high
https://app.snl.com/SNL.Services.Application.Office.Deploy.Service/Content/en-US/PluginManager-1.0.2	MIOffice-1.0.20310.2.exe, 00000003.00000002.472701338.0000000003090000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236682759.0000000000EB3000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236701626.0000000000ED4000.00000004.00000001.sdmp, BootstrapperApplicationData.xml.4.dr	false		high
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor	MIOffice-1.0.20310.2.exe, 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000000.234267082.000000000018B000.00000002.00020000.sdmp, MIOffice-1.0.20310.2[1].exe.2.dr	false	Avira URL Cloud: safe	unknown
https://platform.mi.spglobal.cn/	MIOffice-1.0.20310.2.exe, 00000003.00000002.472701338.0000000003090000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236712544.0000000000EDF000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.471013244.0000000000E88000.00000004.00000020.sdmp, S&P_Global_Market_Intelligence_Office_20201203165440.log.4.dr	false	Avira URL Cloud: safe	unknown
https://platform.mi.spglobal.cn/SNL.Services.Application.Office.Deploy.Service/Content/en-US/MIOffic	BootstrapperApplicationData.xml.4.dr	false	Avira URL Cloud: safe	unknown
https://ecs.syr.edu/faculty/fawcett/handouts/Coretechnologies/WindowsProgramming/WinUser.h	MIOffice-1.0.20310.2.exe, 00000004.00000002.472305804.0000000002D30000.00000004.00000040.sdmp, thm.xml.4.dr	false		high
https://platform.mi.spglobal.cn/SNL.Services.Application.Office.Deploy.Service/Content/Prereqs/VSTOR	MIOffice-1.0.20310.2.exe, 00000003.00000002.472701338.0000000003090000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236682759.0000000000EB3000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236701626.0000000000ED4000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.473745812.0000000003040000.00000004.00000001.sdmp, BootstrapperApplicationData.xml.4.dr	false	Avira URL Cloud: safe	unknown
http://appsyndication.org/2006/appsyn	MIOffice-1.0.20310.2.exe	false	Avira URL Cloud: safe	unknown
https://app.snl.com/SNL.Services.Application.Office.Deploy.Service/Content/en-US/MIOffice-x64-1.0.20	MIOffice-1.0.20310.2.exe, 00000003.00000002.472701338.0000000003090000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236682759.0000000000EB3000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000003.236701626.0000000000ED4000.00000004.00000001.sdmp, MIOffice-1.0.20310.2.exe, 00000004.00000002.473745812.0000000003040000.00000004.00000001.sdmp, BootstrapperApplicationData.xml.4.dr	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	326523
Start date:	03.12.2020
Start time:	16:53:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://platform.marketintelligence.spglobal.com/apisvcs/office-tools-service/file
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean12.evad.win@7/43@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 77% Number of executed functions: 127 Number of non-executed functions: 257
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 104.83.120.32, 2.21.61.94, 51.11.168.160, 52.147.198.201, 13.64.90.137, 104.79.90.110, 152.199.19.161, 40.88.32.150, 92.122.213.247, 92.122.213.194, 13.88.21.125, 51.104.144.132, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, skypedataprdcoleus15.cloudapp.net, go.microsoft.com, e6034.dsca.akamaiedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, platform.marketintelligence.spglobal.com.edgekey.net, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, cs9.wpc.v0cdn.net Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3F99010F-35CB-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	32344
Entropy (8bit):	1.7930032241687421
Encrypted:	false
SSDEEP:	96:rDZ4ZAv2Al/9WAlbGCtAlbG+KfAlbG+MLRMAlbG/lM4AlbG/PMyYAlMG/PMj2:rDZ4Zc209WstVfXRMZrYF2
MD5:	7DD9F16B2AA88B4E5F8F17C5A7468BB7
SHA1:	7953DD6DBC122203B2DFFE6D71939A5AFB0B445F
SHA-256:	EA2CF55D3C385428F20D87858072F3DA37A725410DBDED91B8E2263426276846
SHA-512:	47F53266B2B8D8A60194FF9548E3CA7323132C9DA7F2E6E49442CD4B4EBC9711CC32305C0738DB914C5399A45F741A911C96A3401C47F892B9CE78D550A34DBE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3F990111-35CB-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.593599824642905
Encrypted:	false
SSDEEP:	48:Iw2GcprvGwpaOG4pQ2GrapbSYrGQpBqGHHpcAsTGUpQ5pGcpm:rqZZQu64BSYFjx2Ak6lg
MD5:	CCD813DDB9B936305C94B7C02F32A9A6
SHA1:	2D640FF3955088C0A4F15E4D282B59F919E2222A
SHA-256:	AB5520A42481971E0A09695A149A060D42EF8D9823633E4F5E395658A2269AA3
SHA-512:	47CEADC26302EE9C9156A9AA0C6E0D9EAF2E70F6DD61916E3BEAA785DAE28BBAC6D8CAC769ACDCD749BF524F6DC86A5FAB56BEF91D95C1253373C85992ECACE5
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe.faw88rs.partial Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	656144
Entropy (8bit):	7.230743605165117
Encrypted:	false
SSDEEP:	12288:/AjuakTOfDlEU4HWDblFlOTPThNMuTwJYcd9s2g1wMzC:ou/OfDlEUKWflmTP3MJGS9s51wM
MD5:	33305875B9DF2B685AEB973644F6A312
SHA1:	46F845A393196FFF741674EDE2CB67F8239237B6
SHA-256:	C76D92D7251B5B6BD89AD0072692443DEFCA2B8A9AA33E8B6986472D62EFF3E3
SHA-512:	A6BD4B29E42C4C2EF465F625F0B53B8CE243B99F63580ADB9955F55BA6F919C872EF1BE186832B2A65EC76CBC1C2440B3A149B67FE834FC9CE9791B6BFC63355
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@......@.....y@......@..."\|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@..................PE..L......Z..........................................@..........................`......n.....@..............................................G................... ...=..Pv..T....................v......0p..@...................4........................text...7........................... ..`.rdata..`...........................@..@.data...0...........................@....wixburn8...........................@..@.rsrc....G.......H..................@..@.reloc...=... ...>..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe.faw88rs.partial:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	low
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:W:W
MD5:	ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA1:	77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
SHA-256:	4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
SHA-512:	3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
Malicious:	false
Reputation:	low
Preview:	3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\MIOffice-1.0.20310.2[1].exe Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	656144
Entropy (8bit):	7.230743605165117
Encrypted:	false
SSDEEP:	12288:/AjuakTOfDlEU4HWDblFlOTPThNMuTwJYcd9s2g1wMzC:ou/OfDlEUKWflmTP3MJGS9s51wM
MD5:	33305875B9DF2B685AEB973644F6A312
SHA1:	46F845A393196FFF741674EDE2CB67F8239237B6
SHA-256:	C76D92D7251B5B6BD89AD0072692443DEFCA2B8A9AA33E8B6986472D62EFF3E3
SHA-512:	A6BD4B29E42C4C2EF465F625F0B53B8CE243B99F63580ADB9955F55BA6F919C872EF1BE186832B2A65EC76CBC1C2440B3A149B67FE834FC9CE9791B6BFC63355
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@......@.....y@......@..."\|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@..................PE..L......Z..........................................@..........................`......n.....@..............................................G................... ...=..Pv..T....................v......0p..@...................4........................text...7........................... ..`.rdata..`...........................@..@.data...0...........................@....wixburn8...........................@..@.rsrc....G.......H..................@..@.reloc...=... ...>..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.404363038876712
Encrypted:	false
SSDEEP:	3:oVXVPJug/RgAW8JOGXnFPJug/RnCn:o92g/iqGg/g
MD5:	E1045CE239A3608C92CCAFDCF0E27131
SHA1:	DDB4D03360BA517D13DE8480880C74EAB1D2EE75
SHA-256:	1DE25A2B7C0B27F0B734C688F91695D66991C53999C5B88465C4596C2E8E785C
SHA-512:	21A2E5E1B8696ABCBA9EAD47F662A28A801AC4C6C97AFB7ECA506B3AAA8D002CAAD2DA3DD2558BB9AB213CD86B67DBCC9CF9ED84EE060212F2448C22F47FFF1A
Malicious:	false
Reputation:	low
Preview:	[2020/12/03 16:54:24.515] Latest deploy version: ..[2020/12/03 16:54:24.515] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\S&P_Global_Market_Intelligence_Office_20201203165440.log Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7228
Entropy (8bit):	5.428783820067709
Encrypted:	false
SSDEEP:	192:D/yOjDrl8yPbEDHmDkRvLFFiEwAVB2AUJylj1XjL40+ERGzxLLBBFF1nbtht5Tnn:JIpW
MD5:	9471CCA7B93986DC998CBEBA4A2893FC
SHA1:	F2B705BB20EF67C888D77FFAE136C3B88B8F7EB0
SHA-256:	901BBA8A6FD70B462B6F4DBFE85CC985317B6EB3EBFF49B638C1BABC57FA6AE3
SHA-512:	99728D154DDDD20FBFD1E34B7B9A82B74132DD70036D9FDAA7ED90770B106EA18EB625543F52CD672A814D10FFB0D041B6F7D95CC577FAD7B01FFB80477C1828
Malicious:	false
Reputation:	low
Preview:	[0BB4:0F28][2020-12-03T16:54:40]i001: Burn v3.11.1.2318, Windows v10.0 (Build 17134: Service Pack 0), path: C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe..[0BB4:0F28][2020-12-03T16:54:40]i000: Initializing string variable 'BaseUrl' to value 'https://app.snl.com/'..[0BB4:0F28][2020-12-03T16:54:40]i000: Initializing string variable 'ChinaBaseUrl' to value 'https://platform.mi.spglobal.cn/'..[0BB4:0F28][2020-12-03T16:54:40]i000: Initializing string variable 'OfficeToolsUri' to value 'SNL.Services.Application.Office.Deploy.Service/Content/OfficeTools/net461/Common/SPGMI.OfficeToolsDeployment.vsto'..[0BB4:0F28][2020-12-03T16:54:40]i000: Initializing string variable 'EmpowerUri' to value 'SNL.Services.Application.Office.Deploy.Service/Content/Empower/empower-1.0.20310.2.exe'..[0BB4:0F28][2020-12-03T16:54:40]i000: Initializing numeric variable 'EnableCiqUdf' to value '1'..[0BB4:0F28][2020-12-03T16:54:40]i000: Initializing numeric variable 'DisableCiqUdf'

C:\Users\user\AppData\Local\Temp\~DF0FCFF85CAC18A1A1.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29989
Entropy (8bit):	0.3272516316831608
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwf9lwf9l2pD/9l2pb9l:kBqoxKAuvScS+Ye5+Y5y
MD5:	03ED711972B67099B97227B15904E443
SHA1:	CD9AE3C6044C8845CB926A7A3E2981E1686D9D85
SHA-256:	D63974304CE18BBC2D1EB32A5F8A944174107BD1D2E90EDAB8BAA69AC24FCB32
SHA-512:	299D591EDB13CE5AA0E52928A64A1AE19A1548511737B8FEE8C2E454605E912388EBBE5C2A1F6D03D936C3CC01E640DEA6EA8970A56AAF26024E65503BB79B1E
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF4120EC3AEBEAA047.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12981
Entropy (8bit):	0.4422850222876638
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loADF9loAJ9lWAlbG+MbG/OfG//n2:kBqoIASAMAlbG+MbG/OG/P2
MD5:	6D0F979EF6C105846DFA605A7A0D288F
SHA1:	913883746465F4F7629D3052FCC3DFE817DD72B3
SHA-256:	722E1A6F09318BE57F13077B3DDE3A10BB64701E62D22F1D528E65777D9617BF
SHA-512:	C1C1D01958F0CA1AE9C5A56D8BE4862D2C51D6189E7449D1ABC760D5135E5A298DA12600091CBCD81D248F000B957F048FB81762BDD1C54E2425E5A81E11AE4F
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe Download File
Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	656144
Entropy (8bit):	7.230743605165117
Encrypted:	false
SSDEEP:	12288:/AjuakTOfDlEU4HWDblFlOTPThNMuTwJYcd9s2g1wMzC:ou/OfDlEUKWflmTP3MJGS9s51wM
MD5:	33305875B9DF2B685AEB973644F6A312
SHA1:	46F845A393196FFF741674EDE2CB67F8239237B6
SHA-256:	C76D92D7251B5B6BD89AD0072692443DEFCA2B8A9AA33E8B6986472D62EFF3E3
SHA-512:	A6BD4B29E42C4C2EF465F625F0B53B8CE243B99F63580ADB9955F55BA6F919C872EF1BE186832B2A65EC76CBC1C2440B3A149B67FE834FC9CE9791B6BFC63355
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@......@.....y@......@..."\|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@..................PE..L......Z..........................................@..........................`......n.....@..............................................G................... ...=..Pv..T....................v......0p..@...................4........................text...7........................... ..`.rdata..`...........................@..@.data...0...........................@....wixburn8...........................@..@.rsrc....G.......H..................@..@.reloc...=... ...>..................@..B................................................................................................................................................................................................................................................

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\10250\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\1028\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	3516
Entropy (8bit):	6.219567148964191
Encrypted:	false
SSDEEP:	48:cVT8tOeststhDnkT9C5WNJriuSpN/l/fN3mZS3uNONeN1rZ8vWqPSlTKRKUTKlKx:8TafTk5CgNJGzf8mkE0EFZCAflcLWh9
MD5:	5F9B092FE9D49A674F7CC1D50E17482E
SHA1:	7D4B7874065DF19501C8AE0C2B7A00B669B38CAD
SHA-256:	CDEC74774011FCA631787CCEDF5FB213AB44371498DFC654458567BC0AAC9B13
SHA-512:	43D04CC0E96FA081DE5E5862525A285A2E8E1C71695CCF660B9969BF6E724C545C002E54E9DF6F05DBC033903EDFE7028559293A731066E5730892A75E6EBF38
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="zh-cn" Language="2052" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ..</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ........ ................................/passive \| /quiet - .... UI ....... UI ....... ........ UI ........../norestart - .................... UI.../log log.txt - ................. %TEMP% ....</String>.. <String Id="HelpCloseButton">..(&C)</String>.. <String Id="InstallLicenseLinkText">[WixBundleName] <a href="#"

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\1031\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4068
Entropy (8bit):	5.076459584006932
Encrypted:	false
SSDEEP:	96:7TFZOAlcArP7NuNN8YWZhgcyaqsSONLjqrJ5XQuU:PVGATELc165rJ5XW
MD5:	FCCB62789359A42680D9A388F10BC2EB
SHA1:	55214F4375B50BABBE6ADDDBDDCAE58B6F992DFB
SHA-256:	0B42CD07EA601937511E4F6ED16D252E0E0472290A0D14C14CBFB0FC63EF77DD
SHA-512:	DD647A4181C3690B6A1D10520557C201339BA46E3E947EBBFEA1094DD53FA52FEC39D57F5C9F8964D3EADEEDECDA2E45C939F6EA6C3E2BE746F5AF6942EFC631
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="de-de" Language="1031" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Setup von [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installiert, repariert oder deinstalliert.. das Paket oder erstellt eine vollst.ndige lokale Kopie davon im Verzeichnis. Installieren ist der Standardbefehl...../passive \| /quiet - zeigt eine minimale Benutzeroberfl.che (UI) ohne Meldungen oder keine UI und.. keine Meldungen an. Standardm..ig werden die UI und alle Meldungen angezeigt...../norestart - unterdr.ckt jeden Versuch eines Neustarts. Standardm..ig wird auf der UI vor dem Neustart eine Meldung angezeigt.../log log.txt . erstellt ein Protokoll in

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\1033\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	3749
Entropy (8bit):	5.033131958364825
Encrypted:	false
SSDEEP:	48:cyMT8desK19hDUNKwsqq8+JIDxN/WcN3mt7NlN1NVvAdMcgzPDHVXK8KTKjKnSJu:MTLbTxmOeup/vTAAT4IBr1GV
MD5:	DE7D6952EA1019C994137D8D0DBB7837
SHA1:	2B9DA6E024D5614BC67278DF07FFE4610698244B
SHA-256:	D752006341B877BE6671969D7B39DE43B9CC49ABDAECCC817D9B88DD30FE55B5
SHA-512:	98FF32B14908F8A8B963D208C75AF99616EA3C1CEF8C8A96E9A9BAEB134D3F3F8EF97020CC9EAFECEF747107A42F24A0F1C08792EEC10004585596D7EC90BA1E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive \| /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. By default a log file is created in %TEMP%.</String>.. <String Id="HelpCloseButton">&Close</String>.. <String Id="InstallLicenseLinkText">[

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\1041\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	5.904705637359324
Encrypted:	false
SSDEEP:	96:rTgwtB8QW2Y6lnOGjiK4fP0/vue+5R1NQ+O4Z+y1SUyymqyeH:J88TIjNjQp45y1SH
MD5:	DF93B56B131D3CF39E201E1AF6C11FF1
SHA1:	126519FFAC3D3BA3CF2816B93E3796C7043DA5C5
SHA-256:	405E5838565EE521844FFCCB8259F734505A244E2B1D66253E5AC6C975360B60
SHA-512:	9EC6A83D4D5E883947BF0AF8BD4A9C3045C89276CE989FAEFD1A9D910E090D61738DE1DF4FF23D1BF8A96E4A2B763EDC509AA472BC6BDBFD1C202BA3BC0A2637
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="ja-jp" Language="1041" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">...............</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory]...................... .........................................................../passive \| /quiet..... UI ......................UI ................ ........UI....................../norestart.......

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\1041\thm.xml Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5822
Entropy (8bit):	5.177630994039433
Encrypted:	false
SSDEEP:	96:wHdK+3UzSgz96zYvHKFBiUcjqs81Ef3espO:wHuz8
MD5:	A35C72008597BF43ED1B25A420BA67C2
SHA1:	8211BFEB70D703B5E11651D647A29FFA3ED81270
SHA-256:	CDFF18C3DFA30F559E8A717A33DE369BCDECBC4CD8EF39DADBF4C70772B6561F
SHA-512:	D79B498281C12F586774071187797563C341CBCC8224A84AE904E658960904E2DF8C710B021B4F35322974E03570E7E3E743E0FC33CE58604A84D2E224BF33DE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="275" Height="64" ImageFile="..\logo.png" Visible="yes"/>.... <Page Name="Help">.. <Text X="11" Y="80" Width="-11" Height="30" FontId="2" DisablePrefix="yes">#(loc.HelpHeader)</Text>.. <Text X="11" Y="112" Width="-11" Height="-35" FontId="3" DisablePrefix="yes">#(loc.HelpText)</Te

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\1046\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	3817
Entropy (8bit):	5.112974616871049
Encrypted:	false
SSDEEP:	48:c9oT8vXes/4ShDv0/TQgsWDj4N/kr/N3msl0N+NWNP4NHhc9skPDXeKKeK9KfKtA:vTUlUze8rlpl2UsaMyNpbSkAKw
MD5:	DA9BD020A5927E757770EE24D08271BE
SHA1:	A520924699E976D2A6B9B3E04176D50A76A741D0
SHA-256:	37833A4EA148F5CED1DA7FF24AD438AF6DD8B4B8400E4707B0984B71699D5D0C
SHA-512:	B16E873841196B58FB67E5D3E02B804AF92E017FEF7A0792C0715005ACF3F549C478247AFCC0CA646479C854DB7751D47A63D8CBC3C668B71FF39962FD6F56F1
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="pt-br" Language="1046" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Configura..o [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda para configura..o</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. O padr.o . instalar...../passive \| /quiet - exibe UI m.nima sem alerta ou n.o exibe UI nem.. alerta. Por padr.o, a UI e todos os alertas s.o exibidos...../norestart - impede qualquer tentativa de reiniciar. Por padr.o, a UI exibe alerta antes de reiniciar.../log log.txt - registra um arquivo espec.fico. Por padr.o, um arquivo de registro . criado em %TEMP%.</String>.. <String Id="HelpCloseButton">&Fe

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\11274\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\12298\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\13322\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\14346\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\15370\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\16394\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\17418\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\18442\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\19466\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\20490\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\2052\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	3516
Entropy (8bit):	6.219567148964191
Encrypted:	false
SSDEEP:	48:cVT8tOeststhDnkT9C5WNJriuSpN/l/fN3mZS3uNONeN1rZ8vWqPSlTKRKUTKlKx:8TafTk5CgNJGzf8mkE0EFZCAflcLWh9
MD5:	5F9B092FE9D49A674F7CC1D50E17482E
SHA1:	7D4B7874065DF19501C8AE0C2B7A00B669B38CAD
SHA-256:	CDEC74774011FCA631787CCEDF5FB213AB44371498DFC654458567BC0AAC9B13
SHA-512:	43D04CC0E96FA081DE5E5862525A285A2E8E1C71695CCF660B9969BF6E724C545C002E54E9DF6F05DBC033903EDFE7028559293A731066E5730892A75E6EBF38
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="zh-cn" Language="2052" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ..</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ........ ................................/passive \| /quiet - .... UI ....... UI ....... ........ UI ........../norestart - .................... UI.../log log.txt - ................. %TEMP% ....</String>.. <String Id="HelpCloseButton">..(&C)</String>.. <String Id="InstallLicenseLinkText">[WixBundleName] <a href="#"

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\2058\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\3076\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	3516
Entropy (8bit):	6.219567148964191
Encrypted:	false
SSDEEP:	48:cVT8tOeststhDnkT9C5WNJriuSpN/l/fN3mZS3uNONeN1rZ8vWqPSlTKRKUTKlKx:8TafTk5CgNJGzf8mkE0EFZCAflcLWh9
MD5:	5F9B092FE9D49A674F7CC1D50E17482E
SHA1:	7D4B7874065DF19501C8AE0C2B7A00B669B38CAD
SHA-256:	CDEC74774011FCA631787CCEDF5FB213AB44371498DFC654458567BC0AAC9B13
SHA-512:	43D04CC0E96FA081DE5E5862525A285A2E8E1C71695CCF660B9969BF6E724C545C002E54E9DF6F05DBC033903EDFE7028559293A731066E5730892A75E6EBF38
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="zh-cn" Language="2052" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ..</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ........ ................................/passive \| /quiet - .... UI ....... UI ....... ........ UI ........../norestart - .................... UI.../log log.txt - ................. %TEMP% ....</String>.. <String Id="HelpCloseButton">..(&C)</String>.. <String Id="InstallLicenseLinkText">[WixBundleName] <a href="#"

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\4106\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\5130\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\6154\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\7178\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\8202\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\9226\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	5.018254271277462
Encrypted:	false
SSDEEP:	96:BTfNydGeKamCZph9sg6EcdRUz5798zow/vPc:CG8Lu/vPc
MD5:	F6933B3D6E9CE2419771FC4E870E2829
SHA1:	F2F84FE9D4CC9DA604928DF8D683D6B4163F4248
SHA-256:	4E3D1A76A2932106AEB7DE8237D16FDFEA6A50B81CFDA60EFE918236484FD06D
SHA-512:	3CD3D2F243A15625B5B29F0013FE9B96F3C43688DA1B3D30ECEF4FCCA951A91324B30067D064792F29DC2EE31E6808DDF1410FFFB8ADB914CEA6DDECB6FC328E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive \| /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\BootstrapperApplicationData.xml Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	27586
Entropy (8bit):	3.799324759098702
Encrypted:	false
SSDEEP:	384:X0sIc61h6N/nEGekMIsMRA649+jVDY2znA:X0sz61h6N/nEGTMJMGz9+jQ
MD5:	DEE1660FEE1B9C659736EA8EF1451BCC
SHA1:	0EC47781FA0DB9E2A8F20138A6BC3EE94C71BE7C
SHA-256:	49C83293327D8F1F3B25AEF00C35C2F5A8A94F28DE5DA4D9DB32F7B746A792AE
SHA-512:	1DD07E6D21981FB2CEEE4803F4635A47E779702D9C12916BC3FF296A8ECB67FE3C8B4FB4517AAC3153E741372EC5997EF9EFECEDE93B42C028B09609CEE99428
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.a.l.C.o.n.d.i.t.i.o.n. .C.o.n.d.i.t.i.o.n.=.".I.n.t.e.r.n.e.t.E.x.p.l.o.r.e.r.V.e.r.s.i.o.n. .&.g.t.;.=. .M.i.n.i.m.u.m.I.n.t.e.r.n.e.t.E.x.p.l.o.r.e.r.V.e.r.s.i.o.n.". .M.e.s.s.a.g.e.=.".#.(.l.o.c...I.n.t.e.r.n.e.t.E.x.p.l.o.r.e.r.R.e.q.u.i.r.e.d.).". ./.>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".S.&.a.m.p.;.P. .G.l.o.b.a.l. .M.a.r.k.e.t. .I.n.t.e.l.l.i.g.e.n.c.e. .O.f.f.i.c.e.". .L.o.g.P.a.t.h.V.a.r.i.a.b.l.e.=.".W.i.x.B.u.n.d.l.e.L.o.g.". .C.o.m.p.r.e.s.s.e.d.=.".n.o.". .I.d.=.".{.7.7.f.2.e.7.0.1.-.8.3.6.8.-.4.d.0.3.-.9.6.7.0.-.1.c.6.0.7.a.b.3.e.b.e.e.}.". .U.p.g.r.a.d.e.C.o.d.e.=.".{.A.7.3.C.E.2.F.3.-.7.8.1.3.-.4.5.5.4.-.8.C.A.B.-.D.5.3.B.1.4.9.

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\bafunctions.dll Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	118784
Entropy (8bit):	6.5178363452763355
Encrypted:	false
SSDEEP:	3072:nFsC2pWR7vUFMS5TpGqyUXiluobruqMA58j646r:n+CZRat3GKX9o6A46Fr
MD5:	41045A0077248BD74524BA11A2292765
SHA1:	04EF68F283CD5AAD9B3526042003095A1FE794F0
SHA-256:	5576D21C435EAFE2E446B6B42CA21A76B12B9E51B34970037EE1E4160562E6FE
SHA-512:	89577A72491EC6F9D36BD5BF695B682D9A7B388C94DD18FBD512F6ACD6F21ED45F4B6A61650413CB4C064EF7322F564C15CA94434EBA79A54BED7F5BE4F8B9FA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n............E... ...E.......E...8...x...:...x...8...E...%..........1oR.!...x...........+.......+.......+.......+...Rich*...........................PE..L....u._...........!.....<..........d&.......P............................... ............@.............................h.......<.......................................p..............................@............P..L............................text...!:.......<.................. ..`.rdata..\|q...P...r...@..............@..@.data...X...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\logo.png Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	PNG image data, 233 x 64, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3376
Entropy (8bit):	7.662785267522063
Encrypted:	false
SSDEEP:	48:dAinw6pB1J3O9R2vfFC2WXta1KI7jm6vFLbIs9aEVy19p0IVvy++8:fLy9RC9C2Uta1KI7jR9LdS0IVvB
MD5:	ED55002A54E0CF440F1E30DC917016AD
SHA1:	BBF370AF6FF70AFDF4A636B3BF18A83660502F95
SHA-256:	B8C3582E7C5ECC2A132AA07758AFFB2ACE6A4AB741995E184DF5A22E0AFFA8A3
SHA-512:	0CFDCB845BDB6B5F55D8D9F98F9A3ACF91B7BE6ABEFA18018ED8CC371BA25FB7E0C09100481EEB9AB66E6BEA8D5A058FA9EBF0E10C2FF893FFB9BC42755A9E67
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.......@......$P.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.Adobe ImageReadyq.e<....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c138 79.159824, 2016/09/14-01:09:01 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpRights="http://ns.adobe.com/xap/1.0/rights/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpRights:Marked="True" xmpMM:OriginalDocumentID="xmp.did:75583313-8fe7-47cf-ac29-2c01438125a2" xmpMM:DocumentID="xmp.did:73CC77FA22BE11E79E079FF61D43DB6B" xmpMM:InstanceID="xmp.iid:73CC77F922BE11E79E079FF61D43DB6B" xmp:CreatorTool="Adobe Photoshop CC 2017 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:0947acea-0acd-4add-aea9-860622b2f208" stRef:documentID="adobe:docid:phot

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\thm.wxl Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4509
Entropy (8bit):	5.019310194487883
Encrypted:	false
SSDEEP:	96:8LuThH+bhBabTxmOeup/vrwWATZgoVOBq9LRO:UbirwBDzO
MD5:	FC0DB4142556D3F38B0744A12F5F9D3D
SHA1:	B0595044C4CAC49FE89B982E6AEC9BAFF38460AD
SHA-256:	8FBEB7F0B546D394D99B49D678D516402E8F54E5DEA590CC91733F502F288019
SHA-512:	F2F29DB5F3B0E13BC0B1FE738EF90B65D82E5513D0F82EB663C39313C5EDAAB53FDEB4BCC0493374253B2994B927CFD5764F5FEDAFD2E3F570D09893F9B26582
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="InstallHeader">Welcome</String>.. <String Id="InstallMessage">Setup will install [WixBundleName] on your computer. Click install to continue, options to set the install directory or Close to exit.</String>.. <String Id="InstallVersion">Version [WixBundleVersion]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Previous version</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install \| /repair \| /uninsta

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\thm.xml Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6472
Entropy (8bit):	5.248082357214145
Encrypted:	false
SSDEEP:	96:4fFwOXcXRja6O4z96DY1ZHaFhikGg3znCO88mesP33sw2:4fsaoTE
MD5:	0FDB713A679A7891AA40FA0E755533E9
SHA1:	72EBEED9A288F5FAC80EC74D5FEE79740019CCBA
SHA-256:	B1B86CFC5843F7DEDB813DD7EFD343F9AAACCC88AEB115B45660E59E58A080DE
SHA-512:	A114F3734CA6ED5F44B64F2E489CF566677528463161B70C2A0DAD46E15D30B570CA5B2B49B5E00E11CFE92BA73D73B70248F5A91B8E197B5A161FA1D41C4B44
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="275" Height="64" ImageFile="logo.png" Visible="yes"/>.... <Page Name="Help">.. <Text X="11" Y="80" Width="-11" Height="30" FontId="2" DisablePrefix="yes">#(loc.HelpHeader)</Text>.. <Text X="11" Y="112" Width="-11" Height="-35" FontId="3" DisablePrefix="yes">#(loc.HelpText)</Text>.. <Button Name="Help

C:\Windows\Temp\{C6FF3F32-53F3-4AF7-B82F-A8FA29ED34B6}\.ba\wixstdba.dll Download File
Process:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	179200
Entropy (8bit):	6.528352683227767
Encrypted:	false
SSDEEP:	3072:Pl5bBa/bNK3w4AY6CHGN6XZhuEvY2P9bK6SEPZY/Sq6QY9vJ/SLi9Y+WxhslrN1j:PlPa/bN+w/YhzXZhyQK6zPucy2jblx1j
MD5:	8CA04519005AD03B4D9E062B97D7F79D
SHA1:	DF53ED9440D027401D502F3297668009030350A7
SHA-256:	7B9F919A3D1974FD8FA35AD189EDC8BF287F476BD377E713E616B26864A4B0D3
SHA-512:	1A29E9E9BD798C892A7CD3CD4FF259195E4A92E26F53E8F1A86C75C5EB8FDDA58CEBA312CD791651FAD5CE04529696195815A4BA5C143AD52A5EA0D7C539BB77
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........Qq.}Qq.}Qq.}..j}Xq.}..h}&q.}..i}Iq.}...\|@q.}...\|Aq.}...\|Kq.}X..}Uq.}X..}Lq.}Qq.}Sp.}...\|Hq.}...\|Pq.}..d}Pq.}Qq.}Pq.}...\|Pq.}RichQq.}........................PE..L......Z...........!......................................................................@....................................................................4.......T...............................@...............\............................text............................... ..`.rdata.............................@..@.data...............................@....rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2020 16:54:24.223201990 CET	57544	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:24.260525942 CET	53	57544	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:25.217988014 CET	55984	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:25.255350113 CET	53	55984	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:42.249346018 CET	64185	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:42.276604891 CET	53	64185	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:43.295959949 CET	65110	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:43.323018074 CET	53	65110	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:43.936450958 CET	58361	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:43.963855982 CET	53	58361	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:44.642616987 CET	63492	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:44.669862032 CET	53	63492	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:45.727556944 CET	60831	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:45.754697084 CET	53	60831	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:46.365542889 CET	60100	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:46.392548084 CET	53	60100	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:48.337548971 CET	53195	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:48.364936113 CET	53	53195	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:49.042303085 CET	50141	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:49.069406986 CET	53	50141	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:50.089961052 CET	53023	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:50.119648933 CET	53	53023	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:51.188092947 CET	49563	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:51.215167999 CET	53	49563	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:52.602672100 CET	51352	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:52.629937887 CET	53	51352	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:53.388576031 CET	59349	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:53.425776005 CET	53	59349	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:53.453229904 CET	57084	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:53.480365038 CET	53	57084	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:54.214412928 CET	58823	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:54.241993904 CET	53	58823	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:54.562199116 CET	57568	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:54.598061085 CET	53	57568	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:55.216089010 CET	58823	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:55.251980066 CET	53	58823	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:55.710180998 CET	50540	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:55.737348080 CET	53	50540	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:56.229082108 CET	58823	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:56.264873981 CET	53	58823	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:56.530950069 CET	54366	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:56.558082104 CET	53	54366	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:57.663404942 CET	53034	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:57.690584898 CET	53	53034	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:58.229382038 CET	58823	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:58.265163898 CET	53	58823	8.8.8.8	192.168.2.3
Dec 3, 2020 16:54:58.758816957 CET	57762	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:54:58.786052942 CET	53	57762	8.8.8.8	192.168.2.3
Dec 3, 2020 16:55:02.245261908 CET	58823	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:55:02.284008980 CET	53	58823	8.8.8.8	192.168.2.3
Dec 3, 2020 16:55:16.693308115 CET	55435	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:55:16.720691919 CET	53	55435	8.8.8.8	192.168.2.3
Dec 3, 2020 16:55:20.218307018 CET	50713	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:55:20.257960081 CET	53	50713	8.8.8.8	192.168.2.3
Dec 3, 2020 16:55:27.744306087 CET	56132	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:55:27.771560907 CET	53	56132	8.8.8.8	192.168.2.3
Dec 3, 2020 16:55:38.925590038 CET	58987	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:55:38.952712059 CET	53	58987	8.8.8.8	192.168.2.3
Dec 3, 2020 16:55:50.789515972 CET	56579	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:55:50.816577911 CET	53	56579	8.8.8.8	192.168.2.3
Dec 3, 2020 16:55:52.279901028 CET	60633	53	192.168.2.3	8.8.8.8
Dec 3, 2020 16:55:52.330666065 CET	53	60633	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 3, 2020 16:54:25.217988014 CET	192.168.2.3	8.8.8.8	0x349d	Standard query (0)	platform.marketintelligence.spglobal.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 3, 2020 16:54:25.255350113 CET	8.8.8.8	192.168.2.3	0x349d	No error (0)	platform.marketintelligence.spglobal.com	platform.marketintelligence.spglobal.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 4628 Parent PID: 792

General

Start time:	16:54:23
Start date:	03/12/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff65bb50000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: iexplore.exe PID: 6000 Parent PID: 4628

General

Start time:	16:54:23
Start date:	03/12/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4628 CREDAT:17410 /prefetch:2
Imagebase:	0x1250000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: MIOffice-1.0.20310.2.exe PID: 2600 Parent PID: 4628

General

Start time:	16:54:37
Start date:	03/12/2020
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe'
Imagebase:	0x1c0000
File size:	656144 bytes
MD5 hash:	33305875B9DF2B685AEB973644F6A312
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: MIOffice-1.0.20310.2.exe PID: 2996 Parent PID: 2600

General

Start time:	16:54:39
Start date:	03/12/2020
Path:	C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Temp\{2BF41EAB-EC91-45EC-A700-787D650EE18A}\.cr\MIOffice-1.0.20310.2.exe' -burn.clean.room='C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MIOffice-1.0.20310.2.exe' -burn.filehandle.attached=576 -burn.filehandle.self=656
Imagebase:	0x140000
File size:	656144 bytes
MD5 hash:	33305875B9DF2B685AEB973644F6A312
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: MIOffice-1.0.20310.2.exe PID: 2600 Parent PID: 4628 MIOffice-1.0.20310.2.exeCOMMON

Executed Functions

Function 001C5195, Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 001C5217

Part of subcall function 002004F8: InitializeCriticalSection.KERNEL32(0022B5FC,?,001C5223,00000000,?,?,?,?,?,?), ref: 0020050F

Part of subcall function 001C120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,001C523F,00000000,?), ref: 001C1248
Part of subcall function 001C120A: GetLastError.KERNEL32(?,?,?,001C523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 001C1252

CoInitializeEx.OLE32(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 001C5285

Part of subcall function 00200E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00200E28

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 001C5317
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 001C5321
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001C558E

Strings

Failed to run untrusted mode., xrefs: 001C54B6
Failed to parse command line., xrefs: 001C5245
Failed to run RunOnce mode., xrefs: 001C541C
Failed to initialize XML util., xrefs: 001C52F9
engine.cpp, xrefs: 001C5345
Failed to run per-machine mode., xrefs: 001C546C
Failed to initialize Regutil., xrefs: 001C52C9
Invalid run mode., xrefs: 001C53F9
Failed to get OS info., xrefs: 001C534F
Failed to initialize Cryputil., xrefs: 001C52A6
Failed to run per-user mode., xrefs: 001C5494
3.11.1.2318, xrefs: 001C5384
Failed to initialize COM., xrefs: 001C5291
Failed to initialize engine state., xrefs: 001C526C
Failed to initialize Wiutil., xrefs: 001C52E1
Failed to run embedded mode., xrefs: 001C5444
Failed to initialize core., xrefs: 001C53C3

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$engine.cpp
API String ID: 3262001429-510904028
Opcode ID: 24b4179f1dae91ad7a6c0208f7258fbefa8cc5b52f3d21d070d596a1b374c488
Instruction ID: caeb5dec01c5cd24a66a787e5b557dccf1f83353cea052c6f404bacf0de2960d
Opcode Fuzzy Hash: 24b4179f1dae91ad7a6c0208f7258fbefa8cc5b52f3d21d070d596a1b374c488
Instruction Fuzzy Hash: A3B19571D50B299BDB32AB54CC46FED76B6AF64311F010199F908A6282DB70EED0CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0020304F, Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153libraryloadercomCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00203609,00000000,?,00000000), ref: 00203069
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,001EC025,?,001C5405,?,00000000,?), ref: 00203075
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 002030B5
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002030C1
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 002030CC
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002030D6
CoCreateInstance.OLE32(0022B6B8,00000000,00000001,0020B818,?,?,?,?,?,?,?,?,?,?,?,001EC025), ref: 00203111
ExitProcess.KERNEL32 ref: 002031C0

Strings

kernel32.dll, xrefs: 00203059
Wow64RevertWow64FsRedirection, xrefs: 002030CE
IsWow64Process, xrefs: 002030AF
Wow64DisableWow64FsRedirection, xrefs: 002030BB
Wow64EnableWow64FsRedirection, xrefs: 002030C3
xmlutil.cpp, xrefs: 00203099

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: b45c416c61e0d0b58ae012c5f7cd6c4b04cd673e647aa2b3dacaa05ee876f170
Instruction ID: 2dc9372b4ff2152ff1eef02c7fb91f38fd8957e9ddb4507842f248e8a470f7b6
Opcode Fuzzy Hash: b45c416c61e0d0b58ae012c5f7cd6c4b04cd673e647aa2b3dacaa05ee876f170
Instruction Fuzzy Hash: 1141D931A21316BBDB21DFA8D845B6EF7BDEF49710F114068E905E7292D771DE208B90

Uniqueness

Uniqueness Score: -1.00%

Function 001C1070, Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 78fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001C33C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,001C10DD,?,00000000), ref: 001C33E8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 001C10F6

Part of subcall function 001C1175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,001C111A,cabinet.dll,00000009,?,?,00000000), ref: 001C1186
Part of subcall function 001C1175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,001C111A,cabinet.dll,00000009,?,?,00000000), ref: 001C1191
Part of subcall function 001C1175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 001C119F
Part of subcall function 001C1175: GetLastError.KERNEL32(?,?,?,?,?,001C111A,cabinet.dll,00000009,?,?,00000000), ref: 001C11BA
Part of subcall function 001C1175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 001C11C2
Part of subcall function 001C1175: GetLastError.KERNEL32(?,?,?,?,?,001C111A,cabinet.dll,00000009,?,?,00000000), ref: 001C11D7

CloseHandle.KERNEL32(?,?,?,?,0020B4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 001C1131

Strings

cabinet.dll, xrefs: 001C1099, 001C1114
comres.dll, xrefs: 001C10B5
wininet.dll, xrefs: 001C10AE
feclient.dll, xrefs: 001C10D1
crypt32.dll, xrefs: 001C10CA
msi.dll, xrefs: 001C10A0
version.dll, xrefs: 001C10A7
msasn1.dll, xrefs: 001C10C3
clbcatq.dll, xrefs: 001C10BC

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: 9904293372ba60c7529c5909906c2f2f17048476a6c1a465ba57dbaa7a7f061a
Instruction ID: 9decce6652480a8b9b6be97ac9754101dbc79f6a2f0f3cb8fd5211f3090135d0
Opcode Fuzzy Hash: 9904293372ba60c7529c5909906c2f2f17048476a6c1a465ba57dbaa7a7f061a
Instruction Fuzzy Hash: 1B217C7195021CBBCB219FA4DC49FEEBBB9AB19710F544119FA10B6282D7749A148BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001DA0BB, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

Failed create working folder., xrefs: 001DA0EE
Failed to calculate working folder to ensure it exists., xrefs: 001DA0D8
Failed to copy working folder., xrefs: 001DA116

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-2072961686
Opcode ID: e64d16214bb65b6c1f9b7fb4de895015e5cc0735a37d26091d84f6c8a8efed5d
Instruction ID: 148113be8816d0334c46ff9286339b4051f0b2e9e52a9aaf20d878b78f6dd1c5
Opcode Fuzzy Hash: e64d16214bb65b6c1f9b7fb4de895015e5cc0735a37d26091d84f6c8a8efed5d
Instruction Fuzzy Hash: ED01D432905628FB8B229A54DC0AC9EBAB9DF65B20B514257FC007A311DB319E50EA81

Uniqueness

Uniqueness Score: -1.00%

Function 001C394F, Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: daa0275dfcd1e95b15f0f46e13debbb1a9526ff04ebd03bad10b4f1bfe87bf99
Instruction ID: 41b452993c21cdd05751e39005722a63d9b466521c1a71398c65c4dafcd9e3d7
Opcode Fuzzy Hash: daa0275dfcd1e95b15f0f46e13debbb1a9526ff04ebd03bad10b4f1bfe87bf99
Instruction Fuzzy Hash: 88C012321A430CABCB016FF8EC0EC9ABBACBB286027048400B909C2121C738E0108B60

Uniqueness

Uniqueness Score: -1.00%

Function 001EE9DC, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0002E9E8,001EE131), ref: 001EE9E1

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4c3af6b38ebc0cbc622500ea6f187f860856938dc4e1de264672f8dad7e38a54
Instruction ID: 56f09ba8d484de2d2141e8ba8924c17b0a7a9a91ed22b292e6bad16024b03511
Opcode Fuzzy Hash: 4c3af6b38ebc0cbc622500ea6f187f860856938dc4e1de264672f8dad7e38a54
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 001CDF33, Relevance: 124.9, APIs: 11, Strings: 60, Instructions: 646COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 001CE058
SysFreeString.OLEAUT32(00000000), ref: 001CE736

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

Strings

Failed to parse MSU package., xrefs: 001CE53B
Failed to get @CacheId., xrefs: 001CE6DB
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage, xrefs: 001CE081
cabinet.dll, xrefs: 001CE1FE
Cache, xrefs: 001CE14B
RollbackBoundaryForward, xrefs: 001CE2DF
Failed to get rollback bundary node count., xrefs: 001CDF8E
InstallCondition, xrefs: 001CE2BC
yes, xrefs: 001CE187
MsiPackage, xrefs: 001CE395
Failed to select package nodes., xrefs: 001CE094
feclient.dll, xrefs: 001CE298
MsuPackage, xrefs: 001CE406
Failed to allocate memory for rollback boundary structs., xrefs: 001CDFCA
Size, xrefs: 001CE1E4
Permanent, xrefs: 001CE235
Failed to get @Cache., xrefs: 001CE6FA
Failed to parse dependency providers., xrefs: 001CE6AA
Failed to parse MSI package., xrefs: 001CE3C1
Failed to allocate memory for MSP patch sequence information., xrefs: 001CE4DB
Failed to parse target product codes., xrefs: 001CE69B
Failed to parse MSP package., xrefs: 001CE531
Failed to get package node count., xrefs: 001CE0B1
Failed to get next node., xrefs: 001CE708
package.cpp, xrefs: 001CDFBE, 001CE0E3, 001CE4CF, 001CE564
Failed to get @RollbackBoundaryForward., xrefs: 001CE510
RollbackBoundaryBackward, xrefs: 001CE319
Failed to allocate memory for package structs., xrefs: 001CE0EF
CacheId, xrefs: 001CE1C9
RollbackLogPathVariable, xrefs: 001CE299
MspPackage, xrefs: 001CE3CD
LogPathVariable, xrefs: 001CE276
wininet.dll, xrefs: 001CE25A
Failed to get @LogPathVariable., xrefs: 001CE4E5
Failed to get @RollbackLogPathVariable., xrefs: 001CE4EF
Failed to find forward transaction boundary: %ls, xrefs: 001CE506
comres.dll, xrefs: 001CE234
Failed to get @InstallCondition., xrefs: 001CE4F9
RollbackBoundary, xrefs: 001CDF56
Failed to find backward transaction boundary: %ls, xrefs: 001CE51D
Vital, xrefs: 001CE027, 001CE25B
Failed to get @Id., xrefs: 001CE701
Invalid cache type: %ls, xrefs: 001CE6EA
Failed to get @Permanent., xrefs: 001CE6BF
Failed to get @InstallSize., xrefs: 001CE6CD
Failed to get @PerMachine., xrefs: 001CE6C6
crypt32.dll, xrefs: 001CE2BB
Failed to parse EXE package., xrefs: 001CE389
Failed to allocate memory for patch sequence information to package lookup., xrefs: 001CE570
clbcatq.dll, xrefs: 001CE219
Failed to get @Vital., xrefs: 001CE6B8
InstallSize, xrefs: 001CE1FF
Failed to get @Size., xrefs: 001CE6D4
Failed to get @RollbackBoundaryBackward., xrefs: 001CE527
Failed to select rollback boundary nodes., xrefs: 001CDF69
always, xrefs: 001CE1A7
Failed to parse payload references., xrefs: 001CE6B1
msi.dll, xrefs: 001CE1C8
PerMachine, xrefs: 001CE21A
ExePackage, xrefs: 001CE357

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$always$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$package.cpp$wininet.dll$yes
API String ID: 336948655-2612374807
Opcode ID: 7a909fb494dd4341401ef6c51ecd6bb141a2ad1b65c01af730b529c0d4cd692b
Instruction ID: 6b5b9d3644fc1b07a7aa81913861979b71cf839ad81c43237f0329ddff53b730
Opcode Fuzzy Hash: 7a909fb494dd4341401ef6c51ecd6bb141a2ad1b65c01af730b529c0d4cd692b
Instruction Fuzzy Hash: 3E32B231D50325BBDB119F54CC82FAEBAF4AB25720F214269F911BB291D7B4ED908B90

Uniqueness

Uniqueness Score: -1.00%

Function 001CF9E3, Relevance: 112.4, APIs: 3, Strings: 61, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Manufacturer, xrefs: 001CFE53
Failed to parse @Version: %ls, xrefs: 001CFAC5
Failed to get @Department., xrefs: 001CFE8E
Tag, xrefs: 001CFA57
DisableRemove, xrefs: 001CFDC9
Name, xrefs: 001CFEC1
Failed to get @DisableModify., xrefs: 001CFDB8
Failed to set registration paths., xrefs: 001CFF08
Failed to get @DisableRemove., xrefs: 001CFDE0
ProductFamily, xrefs: 001CFE9C
Failed to get @Comments., xrefs: 001CFCC0
Version, xrefs: 001CFA91
Failed to get @Publisher., xrefs: 001CFBDF
yes, xrefs: 001CFD36
Failed to get @AboutUrl., xrefs: 001CFC4E
Update, xrefs: 001CFE1E
Failed to get @UpdateUrl., xrefs: 001CFC73
DisplayName, xrefs: 001CFB7E
Classification, xrefs: 001CFEE2
Failed to get @DisplayVersion., xrefs: 001CFBBA
Failed to get @ExecutableName., xrefs: 001CFB07
AboutUrl, xrefs: 001CFC37
HelpTelephone, xrefs: 001CFC12
registration.cpp, xrefs: 001CFD87
Failed to get @Name., xrefs: 001CFED4
Failed to get @Version., xrefs: 001CFAA4
Comments, xrefs: 001CFCA9
Failed to get @HelpTelephone., xrefs: 001CFC29
UpdateUrl, xrefs: 001CFC5C
HelpLink, xrefs: 001CFBED
Failed to select ARP node., xrefs: 001CFB4F
Failed to get @ParentDisplayName., xrefs: 001CFC98
ParentDisplayName, xrefs: 001CFC81
ProviderKey, xrefs: 001CFAD3
Failed to get @ProductFamily., xrefs: 001CFEB3
Failed to get @Register., xrefs: 001CFB70
Failed to get @Id., xrefs: 001CFA49
Register, xrefs: 001CFB5D
Failed to parse related bundles, xrefs: 001CFA83
Registration, xrefs: 001CF9FD
button, xrefs: 001CFD15
Publisher, xrefs: 001CFBC8
Failed to get @Contact., xrefs: 001CFCE8
Failed to get @PerMachine., xrefs: 001CFB25
Failed to parse software tag., xrefs: 001CFE10
Failed to get @DisplayName., xrefs: 001CFB95
Contact, xrefs: 001CFCD1
Failed to get @Tag., xrefs: 001CFA6A
Failed to get @HelpLink., xrefs: 001CFC04
Department, xrefs: 001CFE77
Failed to select Update node., xrefs: 001CFE3C
DisableModify, xrefs: 001CFCF6
ExecutableName, xrefs: 001CFAF4
Failed to get @Classification., xrefs: 001CFEF5
Failed to get @ProviderKey., xrefs: 001CFAE6
Failed to select registration node., xrefs: 001CFA1C
Arp, xrefs: 001CFB33
Invalid modify disabled type: %ls, xrefs: 001CFD94
PerMachine, xrefs: 001CFB12
Failed to get @Manufacturer., xrefs: 001CFE66
DisplayVersion, xrefs: 001CFBA3

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
API String ID: 760788290-2956246334
Opcode ID: 255b5129fa68585112b2bb5a949ccac4846b8d565d24847dc8a4f85116024128
Instruction ID: 8be2e80363e4bbee7bd2704a64b4aa04a68e67074ff8b708bb89de9898448e5b
Opcode Fuzzy Hash: 255b5129fa68585112b2bb5a949ccac4846b8d565d24847dc8a4f85116024128
Instruction Fuzzy Hash: A9E1F432E64665BACB1196A0CC42FEDB6A6AB32710F12023DFE11F7191C771DDB196D0

Uniqueness

Uniqueness Score: -1.00%

Function 001CB48B, Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 578
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,77E49EB0,00000000), ref: 001CB502
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB550
GetLastError.KERNEL32(?,?,?,00000000,77E49EB0,00000000), ref: 001CB556
ReadFile.KERNELBASE(00000000,001C4461,00000040,?,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB59E
GetLastError.KERNEL32(?,?,?,00000000,77E49EB0,00000000), ref: 001CB5A4
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB601
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB607
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB650
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB656
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB6C7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB6CD
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB716
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB71C
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB765
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB76B
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB7B7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB7BD

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB810
ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB872
SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB8FC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB906

Strings

Failed to allocate buffer for section info., xrefs: 001CB8E4
Failed to seek to section info., xrefs: 001CB6F8, 001CB934
PE Header from file didn't match PE Header in memory., xrefs: 001CBB11
Failed to find valid NT image header in buffer., xrefs: 001CBBD0
Failed to seek to NT header., xrefs: 001CB632
(, xrefs: 001CB81D
Failed to find valid DOS image header in buffer., xrefs: 001CBBEB
Failed to seek past optional headers., xrefs: 001CB7EB
burn, xrefs: 001CB838
PE, xrefs: 001CB698
Failed to read section info, unsupported version: %08x, xrefs: 001CB9F5
Failed to seek to start of file., xrefs: 001CB581
Failed to get total size of bundle., xrefs: 001CBA23
Failed to find Burn section., xrefs: 001CBB32
Failed to read signature size., xrefs: 001CB796
.wix, xrefs: 001CB830
section.cpp, xrefs: 001CB523, 001CB577, 001CB5C5, 001CB628, 001CB677, 001CB6EE, 001CB73D, 001CB78C, 001CB7E1, 001CB898, 001CB8D8, 001CB92A, 001CB98F, 001CB9B9, 001CB9E0, 001CBAC7, 001CBB07, 001CBB26, 001CBB63, 001CBBA1, 001CBBC4, 001CBBDF
Failed to read section info., xrefs: 001CB999
Failed to read section info, data to short: %u, xrefs: 001CB8AA
Failed to open handle to engine process path., xrefs: 001CB52D
Failed to read image section header, index: %u, xrefs: 001CBBAC
Failed to allocate memory for container sizes., xrefs: 001CBAD3
Failed to read signature offset., xrefs: 001CB747
Failed to read DOS header., xrefs: 001CB5CF
Failed to read complete section info., xrefs: 001CB9C5
Failed to read complete image section header, index: %u, xrefs: 001CBB75
4, xrefs: 001CB884
Failed to read NT header., xrefs: 001CB681

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
API String ID: 3411815225-695169583
Opcode ID: 6a047d67d3cb092fdf454a08c17151db5eefa22ee4005733fcb21b03564fd4a4
Instruction ID: 34a2eaa4e2899e0caa8a91b4fd545763fae7d3e879c0d2be670b95bf130d1430
Opcode Fuzzy Hash: 6a047d67d3cb092fdf454a08c17151db5eefa22ee4005733fcb21b03564fd4a4
Instruction Fuzzy Hash: 1F12C776944335ABDB309A54CC8AFAA76A4AF15B20F12429DFD04FB281D771DD80CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 001E0D16, Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 306
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,?,001E08BC,?,?), ref: 001E0D25
GetLastError.KERNEL32(?,?,?,?,001E08BC,?,?), ref: 001E0D2F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,001E08BC,?,?), ref: 001E0D74
GetLastError.KERNEL32(?,?,?,?,001E08BC,?,?), ref: 001E0D7F
ResetEvent.KERNEL32(?,?,?,?,?,001E08BC,?,?), ref: 001E0DB7
GetLastError.KERNEL32(?,?,?,?,001E08BC,?,?), ref: 001E0DC1

Strings

Failed to wait for begin operation event., xrefs: 001E0DAD, 001E0EE6
Failed to set end of file., xrefs: 001E1094
cabextract.cpp, xrefs: 001E0D53, 001E0DA3, 001E0DE5, 001E0E11, 001E0E94, 001E0EDC, 001E0F21, 001E0F89, 001E0FF4, 001E1045, 001E108A, 001E10CE
Failed to set operation complete event., xrefs: 001E0D5D, 001E0E9E
Invalid operation for this state., xrefs: 001E0E1D
Failed to copy stream name: %ls, xrefs: 001E0E50
Failed to reset begin operation event., xrefs: 001E0DEF, 001E0F2B
Failed to allocate buffer for stream., xrefs: 001E0F93
Failed to set file pointer to beginning of file., xrefs: 001E10D8
Failed to create file: %ls, xrefs: 001E1001
Failed to set file pointer to end of file., xrefs: 001E104F

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$Event$ObjectResetSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 1865021742-2104912459
Opcode ID: d92b3c26fd083d325345c99dfc730efc744841737f10c3bbbf9ee3f1da5414df
Instruction ID: 224280ab3797975d2627ccfc1fad048490d7bdf18b7e98a5e1af2db5ad966d46
Opcode Fuzzy Hash: d92b3c26fd083d325345c99dfc730efc744841737f10c3bbbf9ee3f1da5414df
Instruction Fuzzy Hash: 9C913733A81BB277D73316A65D0DF6E6990BB25B20F124225FE11BE6C1D3A1DC9082D1

Uniqueness

Uniqueness Score: -1.00%

Function 001C4D39, Relevance: 38.7, APIs: 6, Strings: 16, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001C33C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,001C10DD,?,00000000), ref: 001C33E8

CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 001C4F40
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 001C4F4F
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 001C4F5E
CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 001C4F69

Strings

burn.clean.room, xrefs: 001C4DDE
Failed to allocate full command-line., xrefs: 001C4E8E
"%ls" %ls, xrefs: 001C4E7A
Failed to wait for clean room process: %ls, xrefs: 001C4F23
Failed to append original command line., xrefs: 001C4E69
-%ls="%ls", xrefs: 001C4DE6
engine.cpp, xrefs: 001C4EEA
burn.filehandle.attached, xrefs: 001C4E17
%ls %ls, xrefs: 001C4E55
Failed to launch clean room process: %ls, xrefs: 001C4EF7
burn.filehandle.self, xrefs: 001C4E45
Failed to get path for current process., xrefs: 001C4D83
Failed to append %ls, xrefs: 001C4E1C
Failed to allocate parameters for unelevated process., xrefs: 001C4DFA
Failed to cache to clean room., xrefs: 001C4DC2
D, xrefs: 001C4EA9

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3884789274-2391192076
Opcode ID: 6320ea162098ecd2f8bb7c520c3cc4e548de05d5f2b693bdbdb8ee2be06de034
Instruction ID: 27564681131dccb79b9ea8945b9d430b0db3f34b7e293dc43bea2275667192bc
Opcode Fuzzy Hash: 6320ea162098ecd2f8bb7c520c3cc4e548de05d5f2b693bdbdb8ee2be06de034
Instruction Fuzzy Hash: 2571C632D14329ABDB229AD4CC45FEFBB78AF25720F11021AF910B7292D774DA118BD0

Uniqueness

Uniqueness Score: -1.00%

Function 001D752A, Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to open attached UX container., xrefs: 001D758E
Failed to set source process folder variable., xrefs: 001D7745
Failed to parse command line., xrefs: 001D7667
Failed to open manifest stream., xrefs: 001D75AB
Failed to get manifest stream from container., xrefs: 001D75CC
Failed to initialize variables., xrefs: 001D7571
Failed to load catalog files., xrefs: 001D780F
WixBundleSourceProcessFolder, xrefs: 001D7734
Failed to get unique temporary folder for bootstrapper application., xrefs: 001D77CE
Failed to load manifest., xrefs: 001D75E8
Failed to get source process folder from path., xrefs: 001D7725
WixBundleUILevel, xrefs: 001D76D6, 001D76E7
Failed to set original source variable., xrefs: 001D776A
Failed to initialize internal cache functionality., xrefs: 001D779F
WixBundleOriginalSource, xrefs: 001D7759
WixBundleSourceProcessPath, xrefs: 001D76F8
WixBundleElevated, xrefs: 001D76A5, 001D76B6
Failed to extract bootstrapper application payloads., xrefs: 001D77EF
Failed to overwrite the %ls built-in variable., xrefs: 001D76BB
Failed to set source process path variable., xrefs: 001D7709

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
API String ID: 32694325-1564579409
Opcode ID: 7469a02666b699475a95beb9da4f04a0a85d4eb48cedb4ee1e174f88ca6f3334
Instruction ID: 40e4f703a58e5b95ec7fd4d6ba8a55000e218a7ee5f17505b39f8d9603d54b32
Opcode Fuzzy Hash: 7469a02666b699475a95beb9da4f04a0a85d4eb48cedb4ee1e174f88ca6f3334
Instruction Fuzzy Hash: B5A1A572E44619BADB169AA4CC85FEFB7ACBB10700F010667F915E7281E730E954DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 001D86D0, Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 209
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,001C4DBC,?,?,00000000,001C4DBC,00000000), ref: 001D8713
GetLastError.KERNEL32 ref: 001D8720

Part of subcall function 00203EDD: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00203F73

SetFilePointerEx.KERNEL32(00000000,0020B4B8,00000000,00000000,00000000,?,00000000,0020B500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001D87CD
GetLastError.KERNEL32 ref: 001D87D7
FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,0020B500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001D8902

Strings

cabinet.dll, xrefs: 001D887B
cache.cpp, xrefs: 001D8744, 001D87FB, 001D8862, 001D88D1
Failed to seek to beginning of engine file: %ls, xrefs: 001D8779
Failed to update signature offset., xrefs: 001D8821
Failed to seek to original data in exe burn section header., xrefs: 001D88DB
Failed to seek to signature table in exe header., xrefs: 001D886C
Failed to seek to checksum in exe header., xrefs: 001D8805
Failed to zero out original data offset., xrefs: 001D88F4
msi.dll, xrefs: 001D8814
Failed to copy engine from: %ls to: %ls, xrefs: 001D87A8
Failed to create engine file at path: %ls, xrefs: 001D8751

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: File$ErrorLast$ChangeCloseCreateFindNotificationPointerRead
String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
API String ID: 3608016165-1976062716
Opcode ID: 89c1d4694f3106a0e62b0c1f55c03d720c21f676fdec3a5dca21cddf7368fc5a
Instruction ID: 12ea5e921e1ff8611729d6a86cb13852772b1643f194e92ef5e6b87cc6bf8e59
Opcode Fuzzy Hash: 89c1d4694f3106a0e62b0c1f55c03d720c21f676fdec3a5dca21cddf7368fc5a
Instruction Fuzzy Hash: 5251B973A51236BBE7225A548C4AFBF7668EF45B10F124126FE10FB381EB119C1196E1

Uniqueness

Uniqueness Score: -1.00%

Function 001C762C, Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(001D756B,001C53BD,00000000,001C5445), ref: 001C764C

Strings

WixBundleTag, xrefs: 001C7EAE
Date, xrefs: 001C7770
WixBundleVersion, xrefs: 001C7ECE
WixBundleActiveParent, xrefs: 001C7E62
#, xrefs: 001C76CB
0, xrefs: 001C7663
$, xrefs: 001C7D49
', xrefs: 001C78EB
WixBundleSourceProcessFolder, xrefs: 001C7E9E
WixBundleProviderKey, xrefs: 001C7E7E
InstallerVersion, xrefs: 001C7833
Failed to add built-in variable: %ls., xrefs: 001C7F19
InstallerName, xrefs: 001C7812
WixBundleAction, xrefs: 001C7D76
WixBundleUILevel, xrefs: 001C7EBE
LogonUser, xrefs: 001C7882
WixBundleExecutePackageCacheFolder, xrefs: 001C7D98
WixBundleInstalled, xrefs: 001C7E2A
WixBundleSourceProcessPath, xrefs: 001C7E8E
WixBundleExecutePackageAction, xrefs: 001C7DF8
WixBundleForcedRestartPackage, xrefs: 001C7E14
WixBundleElevated, xrefs: 001C7E46

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
API String ID: 32694325-3635313340
Opcode ID: 6d9ef8aa44f42b247f658ae984c2bc084176523cc62c1aa636324d60c2d0c041
Instruction ID: b0981bd88130f8cfe9f95e3c92c4f3a179da8cc24adc74fe58b00c030f6246c2
Opcode Fuzzy Hash: 6d9ef8aa44f42b247f658ae984c2bc084176523cc62c1aa636324d60c2d0c041
Instruction Fuzzy Hash: 263249F0C117299BDB658F5AC9887DDFAB4BB49304F6082EED20CB6251C7B05A988F45

Uniqueness

Uniqueness Score: -1.00%

Function 001D82BA, Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,001C5489), ref: 001D8310

Part of subcall function 00200879: OpenProcessToken.ADVAPI32(?,00000008,?,001C53BD,00000000,?,?,?,?,?,?,?,001D769D,00000000), ref: 00200897
Part of subcall function 00200879: GetLastError.KERNEL32(?,?,?,?,?,?,?,001D769D,00000000), ref: 002008A1
Part of subcall function 00200879: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,001D769D,00000000), ref: 0020092B

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 001D8336
GetLastError.KERNEL32 ref: 001D8340
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 001D83BD
GetLastError.KERNEL32 ref: 001D83C7
UuidCreate.RPCRT4(?), ref: 001D8406

Strings

Temp\, xrefs: 001D8395
cache.cpp, xrefs: 001D8364, 001D83EB, 001D843C
Failed to convert working folder guid into string., xrefs: 001D8446
%ls%ls\, xrefs: 001D8458
Failed to ensure windows path for working folder ended in backslash., xrefs: 001D838B
Failed to copy working folder path., xrefs: 001D848B
Failed to get windows path for working folder., xrefs: 001D836E
Failed to get temp path for working folder., xrefs: 001D83F5
Failed to append bundle id on to temp path for working folder., xrefs: 001D8470
Failed to concat Temp directory on windows path for working folder., xrefs: 001D83AD
Failed to create working folder guid., xrefs: 001D8413

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$Process$ChangeCloseCreateCurrentDirectoryFindNotificationOpenPathTempTokenUuidWindows
String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 2898636500-819636856
Opcode ID: 2da20fd004b013c07b7449bafbefcdd735a346fe6d7d013259658a250e53c12a
Instruction ID: 199d8e71ad074393a1124fae792b0475affc6173d5ea1b7bdcd4d5fbedf0fb4d
Opcode Fuzzy Hash: 2da20fd004b013c07b7449bafbefcdd735a346fe6d7d013259658a250e53c12a
Instruction Fuzzy Hash: B941E572A41326B7D731A6A49C4EFDE73ACAB25B10F11416ABA08E7240EB74DD4086E1

Uniqueness

Uniqueness Score: -1.00%

Function 001E10FB, Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 001E111D
CoUninitialize.OLE32 ref: 001E1398

Strings

Failed to wait for begin operation event., xrefs: 001E1311
cabextract.cpp, xrefs: 001E1193, 001E12BA, 001E1307, 001E1346, 001E1372
Failed to set operation complete event., xrefs: 001E12C4
Invalid operation for this state., xrefs: 001E137C
Failed to reset begin operation event., xrefs: 001E1350
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 001E1279
Failed to initialize cabinet.dll., xrefs: 001E119F
Failed to initialize COM., xrefs: 001E1129
<the>.cab, xrefs: 001E11BD

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: 770713bf6867b9684feb84fa733a34835bbafca004bfea8027cf3d880e2f67af
Instruction ID: 5b437f6b9bb9f6f952eb48e9759497d9e41c79b37d0c7e65a5ba753d2ede06fc
Opcode Fuzzy Hash: 770713bf6867b9684feb84fa733a34835bbafca004bfea8027cf3d880e2f67af
Instruction Fuzzy Hash: 37517636E41AE2F7CB2556A68C05EAF7664AB15B30B330329FE11FB291D3358C4082D2

Uniqueness

Uniqueness Score: -1.00%

Function 001C42D7, Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,001C5266,?,?,00000000,?,?), ref: 001C4303
InitializeCriticalSection.KERNEL32(000000D0,?,?,001C5266,?,?,00000000,?,?), ref: 001C430C
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,001C5266,?,?,00000000,?,?), ref: 001C4352
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,001C5266,?,?,00000000,?,?), ref: 001C435C
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,001C5266,?,?,00000000,?,?), ref: 001C4370
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,001C5266,?,?,00000000,?,?), ref: 001C4380
lstrlenW.KERNEL32(burn.filehandle.self,?,?,001C5266,?,?,00000000,?,?), ref: 001C43D0
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,001C5266,?,?,00000000,?,?), ref: 001C43DA
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,001C5266,?,?,00000000,?,?), ref: 001C43EE
lstrlenW.KERNEL32(burn.filehandle.self,?,?,001C5266,?,?,00000000,?,?), ref: 001C43FE

Strings

Failed to parse file handle: '%ls', xrefs: 001C4482
Failed to initialize engine section., xrefs: 001C4467
burn.filehandle.self, xrefs: 001C43CB, 001C43D3, 001C43D8, 001C43D9, 001C43F9, 001C44CB
Missing required parameter for switch: %ls, xrefs: 001C44A4
engine.cpp, xrefs: 001C4495, 001C44C1
burn.filehandle.attached, xrefs: 001C434D, 001C4355, 001C435A, 001C435B, 001C437B, 001C449F

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3039292287-3209860532
Opcode ID: bdeb6f706751689910a59afa81960e44845d7a6b54635176e4bdc58a77c22d47
Instruction ID: 51d8bab274dc268706135d3c498f7ae21d4eaa4f21e8c48245c6d0e197810260
Opcode Fuzzy Hash: bdeb6f706751689910a59afa81960e44845d7a6b54635176e4bdc58a77c22d47
Instruction Fuzzy Hash: 8251F371A44315BFCB25DB68DC96F9AB76CFF21760F10411AFA18E7291D7B0E810CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 001CC28F, Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,001CC47F,001C5405,?,?,001C5445), ref: 001CC2D6
GetLastError.KERNEL32(?,001CC47F,001C5405,?,?,001C5445,001C5445,00000000,?,00000000), ref: 001CC2E7
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,001CC47F,001C5405,?,?,001C5445,001C5445,00000000,?), ref: 001CC336
GetCurrentProcess.KERNEL32(000000FF,00000000,?,001CC47F,001C5405,?,?,001C5445,001C5445,00000000,?,00000000), ref: 001CC33C
DuplicateHandle.KERNELBASE(00000000,?,001CC47F,001C5405,?,?,001C5445,001C5445,00000000,?,00000000), ref: 001CC33F
GetLastError.KERNEL32(?,001CC47F,001C5405,?,?,001C5445,001C5445,00000000,?,00000000), ref: 001CC349
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,001CC47F,001C5405,?,?,001C5445,001C5445,00000000,?,00000000), ref: 001CC39B
GetLastError.KERNEL32(?,001CC47F,001C5405,?,?,001C5445,001C5445,00000000,?,00000000), ref: 001CC3A5

Strings

Failed to move file pointer to container offset., xrefs: 001CC3D3
feclient.dll, xrefs: 001CC398
crypt32.dll, xrefs: 001CC397
Failed to duplicate handle to container: %ls, xrefs: 001CC37A
container.cpp, xrefs: 001CC30B, 001CC36D, 001CC3C9
Failed to open file: %ls, xrefs: 001CC318
Failed to open container., xrefs: 001CC3F1

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: 4650410c962822dfab2542cc7bb41aa660770662d0d0f95b197a4119aaa6178a
Instruction ID: e5a55a59ebd9d45ac8018ea9624610600dc7db5727fbd3366904694f562c7ab6
Opcode Fuzzy Hash: 4650410c962822dfab2542cc7bb41aa660770662d0d0f95b197a4119aaa6178a
Instruction Fuzzy Hash: 7B41C676140342ABDB219E19AD49F5B7AA6FBE5720F21812DFD189B282D731CC11DAE0

Uniqueness

Uniqueness Score: -1.00%

Function 00202AF7, Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001C3838: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 001C3877
Part of subcall function 001C3838: GetLastError.KERNEL32 ref: 001C3881

Part of subcall function 00204A6C: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00204A9D

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00202B41
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00202B61
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00202B81
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00202BA1
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00202BC1
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00202BE1
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00202C01

Strings

MsiSetExternalUIRecord, xrefs: 00202BD6
MsiSourceListAddSourceExW, xrefs: 00202BF6
Msi.dll, xrefs: 00202B09
MsiDetermineApplicablePatchesW, xrefs: 00202B56
MsiDeterminePatchSequenceW, xrefs: 00202B36
MsiGetPatchInfoExW, xrefs: 00202B96
MsiGetProductInfoExW, xrefs: 00202BB6
MsiEnumProductsExW, xrefs: 00202B76

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: 6ff19148778a1105ddbf206f8a8d02bab51c2636a319ef0a741d4b6335c9419b
Instruction ID: b09f5dde1d948c0093df8d1c1ea6dc794b5409b96771fe9634432e320d769c0b
Opcode Fuzzy Hash: 6ff19148778a1105ddbf206f8a8d02bab51c2636a319ef0a741d4b6335c9419b
Instruction Fuzzy Hash: 73310371921619FADB339FE0FD0EB797BADF715708F40212AE400569B1E7B5086AAF40

Uniqueness

Uniqueness Score: -1.00%

Function 001E1741, Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,001CC3EB,?,00000000,?,001CC47F), ref: 001E1778
GetLastError.KERNEL32(?,001CC3EB,?,00000000,?,001CC47F,001C5405,?,?,001C5445,001C5445,00000000,?,00000000), ref: 001E1781

Strings

Failed to create operation complete event., xrefs: 001E17F5
Failed to copy file name., xrefs: 001E1763
Failed to create begin operation event., xrefs: 001E17AF
wininet.dll, xrefs: 001E1757
cabextract.cpp, xrefs: 001E17A5, 001E17EB, 001E1837
Failed to create extraction thread., xrefs: 001E1841
Failed to wait for operation complete., xrefs: 001E1854

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: a9f60a086f3ad61e7aa6f2c9de3ddf07892f99a6b6f006c005469a840faaf6d3
Instruction ID: 31af98549cf2178afb6ace39c8098131ca6066f4bf92e2f2e26779c23be11d0d
Opcode Fuzzy Hash: a9f60a086f3ad61e7aa6f2c9de3ddf07892f99a6b6f006c005469a840faaf6d3
Instruction Fuzzy Hash: FD210577E91B7676D33216A64C46FAF7A9CEF10BA0B020225BD01BB681EB70DC4085E1

Uniqueness

Uniqueness Score: -1.00%

Function 001E08C2, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 001E08F2
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 001E090A
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 001E090F
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 001E0912
GetLastError.KERNEL32(?,?), ref: 001E091C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 001E098B
GetLastError.KERNEL32(?,?), ref: 001E0998

Strings

Failed to open cabinet file: %hs, xrefs: 001E09C9
Failed to add virtual file pointer for cab container., xrefs: 001E0971
cabextract.cpp, xrefs: 001E0940, 001E09BC
<the>.cab, xrefs: 001E08EB
Failed to duplicate handle to cab container., xrefs: 001E094A

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: ee85a76400b03f5631cb5efcf71f7aebfc69f312532a86057283e68cb02c95f4
Instruction ID: 4b9ae0cf73ce4fb81c0b0c7775002345ef4ea3b2a89eb5406d1767655297ee75
Opcode Fuzzy Hash: ee85a76400b03f5631cb5efcf71f7aebfc69f312532a86057283e68cb02c95f4
Instruction Fuzzy Hash: B1313972942A35BBEB325F969C49F9FBE68EF09760F110111FD08B7242D7609C50CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 001D6A57, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 69COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,001C4E11,?,?), ref: 001D6A77
GetCurrentProcess.KERNEL32(?,00000000,?,?,001C4E11,?,?), ref: 001D6A7D
DuplicateHandle.KERNELBASE(00000000,?,?,001C4E11,?,?), ref: 001D6A80
GetLastError.KERNEL32(?,?,001C4E11,?,?), ref: 001D6A8A
CloseHandle.KERNEL32(000000FF,?,001C4E11,?,?), ref: 001D6B03

Strings

core.cpp, xrefs: 001D6AAE
Failed to duplicate file handle for attached container., xrefs: 001D6AB8
%ls -%ls=%u, xrefs: 001D6AD7
Failed to append the file handle to the command line., xrefs: 001D6AEB
burn.filehandle.attached, xrefs: 001D6AD0

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CurrentHandleProcess$CloseDuplicateErrorLast
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$core.cpp
API String ID: 4224961946-4196573879
Opcode ID: 5abc9ff2fa3e8ab6749992bb2e083ab07043c71ccf9669e684a68bedebf29646
Instruction ID: d00523e548e190b2368e4dbf4aee9211c712c1162e497e1a0dcc6f6a163659b5
Opcode Fuzzy Hash: 5abc9ff2fa3e8ab6749992bb2e083ab07043c71ccf9669e684a68bedebf29646
Instruction Fuzzy Hash: D5118132A50225FBCB21ABA89C09E9EBBA8AF15730F118256FD24F73D1D7709D1086D0

Uniqueness

Uniqueness Score: -1.00%

Function 00200879, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,001C53BD,00000000,?,?,?,?,?,?,?,001D769D,00000000), ref: 00200897
GetLastError.KERNEL32(?,?,?,?,?,?,?,001D769D,00000000), ref: 002008A1
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,001D769D,00000000), ref: 002008D3
GetLastError.KERNEL32(?,?,?,?,?,?,?,001D769D,00000000), ref: 002008EC
FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,001D769D,00000000), ref: 0020092B

Strings

procutil.cpp, xrefs: 00200919

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLastToken$ChangeCloseFindInformationNotificationOpenProcess
String ID: procutil.cpp
API String ID: 3650908616-1178289305
Opcode ID: a72dc16f6bdd8961791444adfac74ea1101dfa18c3facc9b0cdc06c751ace398
Instruction ID: 083417f30057edeebad3eed41dc7906b836a0f3496f5532e5e489cece9e13171
Opcode Fuzzy Hash: a72dc16f6bdd8961791444adfac74ea1101dfa18c3facc9b0cdc06c751ace398
Instruction Fuzzy Hash: DC21A732D5032AEBF7219F959849B9EBBB8FF14B10F118155AD14A7292D3708E10DAD0

Uniqueness

Uniqueness Score: -1.00%

Function 001D6B13, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 001D6B49
CloseHandle.KERNEL32(00000000), ref: 001D6BB9

Strings

burn.filehandle.self, xrefs: 001D6B5A, 001D6B8C
%ls -%ls=%u, xrefs: 001D6B61, 001D6B93
Failed to append the file handle to the obfuscated command line., xrefs: 001D6BA7
Failed to append the file handle to the command line., xrefs: 001D6B75

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
API String ID: 3498533004-3263533295
Opcode ID: ef4894d898c2b86455a5c2a2f1dd1a068ff05088df05e17bcc6f74a612c236ca
Instruction ID: 2c1437aa041530737c52f1271d87e07c00df092543c75d64ef28b7f0b49c3959
Opcode Fuzzy Hash: ef4894d898c2b86455a5c2a2f1dd1a068ff05088df05e17bcc6f74a612c236ca
Instruction Fuzzy Hash: 8111D332740724BBDB215A68CC45F9B7BA9DB46B30F114356FD24EB3E2D3B098218691

Uniqueness

Uniqueness Score: -1.00%

Function 00203565, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00203574
InterlockedIncrement.KERNEL32(0022B6C8), ref: 00203591
CLSIDFromProgID.OLE32(Msxml2.DOMDocument,0022B6B8,?,?,?,?,?,?), ref: 002035AC
CLSIDFromProgID.OLE32(MSXML.DOMDocument,0022B6B8,?,?,?,?,?,?), ref: 002035B8

Strings

MSXML.DOMDocument, xrefs: 002035B3
Msxml2.DOMDocument, xrefs: 002035A7

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: 899fda376782ece3c0ae1608e0f78a151a6d44fb8dcf1f9e2f46bc60c138dc96
Instruction ID: fc306c73dd2038d493e7034b814bd3c978b66f5c756d74ace9109f4053fe23e3
Opcode Fuzzy Hash: 899fda376782ece3c0ae1608e0f78a151a6d44fb8dcf1f9e2f46bc60c138dc96
Instruction Fuzzy Hash: D1F03031760336ABD3329BE27D0DB662E6DDB85B55F540429F800D21A6D360D96186B0

Uniqueness

Uniqueness Score: -1.00%

Function 00204A6C, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00204A9D
GlobalAlloc.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00204ACA
GetLastError.KERNEL32(?,00000000,?,00000000), ref: 00204AF6
GetLastError.KERNEL32(00000000,0020B7A0,?,00000000,?,00000000,?,00000000), ref: 00204B34
GlobalFree.KERNEL32 ref: 00204B65

Strings

fileutil.cpp, xrefs: 00204AB8, 00204B11

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: 4dbbcd1638ae44f56fdd5a2f1062697c7cf269e2103be968a47a124ad71b53f2
Instruction ID: 811a822e1bcd374deb40404738b104e509cd7c6c1e063c3af88b6c5dc3c383f3
Opcode Fuzzy Hash: 4dbbcd1638ae44f56fdd5a2f1062697c7cf269e2103be968a47a124ad71b53f2
Instruction Fuzzy Hash: CA31C777E50329ABD722AA998C41FAFBAB8AF44750F118255FE14E7283D731DD1086D0

Uniqueness

Uniqueness Score: -1.00%

Function 001E0A81, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 001E0B27
GetLastError.KERNEL32(?,?,?), ref: 001E0B31

Strings

Invalid seek type., xrefs: 001E0ABD
Failed to move file pointer 0x%x bytes., xrefs: 001E0B62
cabextract.cpp, xrefs: 001E0B55

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: 82ee83ef74cd0a0952921bc9888ab5602fb73902bc839ee1b8880030ad972efe
Instruction ID: 69aaf76d5f159eb7c8b5c2b809195441fea7494cc9d5c87b1eb6de9b24de4031
Opcode Fuzzy Hash: 82ee83ef74cd0a0952921bc9888ab5602fb73902bc839ee1b8880030ad972efe
Instruction Fuzzy Hash: BC31D435A40A5AFFCB16CF99D884EAEB7B5FF08724B058225FD14A7251D370ED908B90

Uniqueness

Uniqueness Score: -1.00%

Function 002032F3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00203309
SysAllocString.OLEAUT32(?), ref: 00203325
VariantClear.OLEAUT32(?), ref: 002033AC
SysFreeString.OLEAUT32(00000000), ref: 002033B7

Strings

xmlutil.cpp, xrefs: 0020333C

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: xmlutil.cpp
API String ID: 760788290-1270936966
Opcode ID: 023054562e33a53f992898a053eade29b9e221d48c11c03e37dd6a9ccc4af94e
Instruction ID: 02197b095f44cc1367150897aaf661335da399eae39ff7cce509192dea85dd70
Opcode Fuzzy Hash: 023054562e33a53f992898a053eade29b9e221d48c11c03e37dd6a9ccc4af94e
Instruction Fuzzy Hash: C0217136911319AFCB21DF94C888FAEBBBDAF85B11F154198F905AB251DB319E108BD0

Uniqueness

Uniqueness Score: -1.00%

Function 001C4115, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,001DA0E8,00000000,00000000,?,00000000,001C53BD,00000000,?,?,001CD5B5,?), ref: 001C4123
GetLastError.KERNEL32(?,001DA0E8,00000000,00000000,?,00000000,001C53BD,00000000,?,?,001CD5B5,?,00000000,00000000), ref: 001C4131
CreateDirectoryW.KERNEL32(?,840F01E8,001C5489,?,001DA0E8,00000000,00000000,?,00000000,001C53BD,00000000,?,?,001CD5B5,?,00000000), ref: 001C419A
GetLastError.KERNEL32(?,001DA0E8,00000000,00000000,?,00000000,001C53BD,00000000,?,?,001CD5B5,?,00000000,00000000), ref: 001C41A4

Strings

dirutil.cpp, xrefs: 001C41D4

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: 547f95be902acb88f633d84e8eb996b3fe47ee599d9d05fbb27a8980512aabfc
Instruction ID: bfd1d4d6d0eb8df864ce344eda710f75211a8a6e8906f42bf3e9300a4816a020
Opcode Fuzzy Hash: 547f95be902acb88f633d84e8eb996b3fe47ee599d9d05fbb27a8980512aabfc
Instruction Fuzzy Hash: 3D112436A0833597D7322AA55C64F7BA654EF71B61F19402DFDC8EB241E360EC9082D2

Uniqueness

Uniqueness Score: -1.00%

Function 001C56A9, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,001C6595,001C6595,?,001C563D,?,?,00000000), ref: 001C56E5
GetLastError.KERNEL32(?,001C563D,?,?,00000000,?,?,001C6595,?,001C7F02,?,?,?,?,?), ref: 001C5714

Strings

Failed to compare strings., xrefs: 001C5742
version.dll, xrefs: 001C56D7
variable.cpp, xrefs: 001C5738

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CompareErrorLastString
String ID: Failed to compare strings.$variable.cpp$version.dll
API String ID: 1733990998-4228644734
Opcode ID: e2cfb8356d302269691c21e2d5feba15b99863a852fa330dc2d90d120659b4b2
Instruction ID: b9ad95de126f08a9a3ad3cf172fbd915fffeb09d0967aa565fdcc613782c19a3
Opcode Fuzzy Hash: e2cfb8356d302269691c21e2d5feba15b99863a852fa330dc2d90d120659b4b2
Instruction Fuzzy Hash: 98213736600B25EFC7148F98CD44F5AB7A5EB15720B61031DE924AB3C0EB30FD8186A0

Uniqueness

Uniqueness Score: -1.00%

Function 001E09EA, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001E140C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,001E0A19,?,?,?), ref: 001E1434
Part of subcall function 001E140C: GetLastError.KERNEL32(?,001E0A19,?,?,?), ref: 001E143E

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 001E0A27
GetLastError.KERNEL32 ref: 001E0A31

Strings

cabextract.cpp, xrefs: 001E0A55
Failed to read during cabinet extraction., xrefs: 001E0A5F

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 33c1a4b617163764831d0cbe983ed4f0990b54bad250b81d52bb50ab6277aa49
Instruction ID: 61fbd59cc35b3d160312c0f6682980acb0ea2edb5b1d7082f39bba83e16b5f1e
Opcode Fuzzy Hash: 33c1a4b617163764831d0cbe983ed4f0990b54bad250b81d52bb50ab6277aa49
Instruction Fuzzy Hash: D811E136A01669BBCB229F96EC08E9E7BA8FF49760B024125FD04A7291C7309910CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 001E140C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,001E0A19,?,?,?), ref: 001E1434
GetLastError.KERNEL32(?,001E0A19,?,?,?), ref: 001E143E

Strings

cabextract.cpp, xrefs: 001E1462
Failed to move to virtual file pointer., xrefs: 001E146C

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: bf32b4171bc430426e70bda49557e88ebeced19511342b31c704b269d10f4815
Instruction ID: 07ff9d4020b04b72abc67c156afb6ad044978cea84f879cd53cc872d62e1feae
Opcode Fuzzy Hash: bf32b4171bc430426e70bda49557e88ebeced19511342b31c704b269d10f4815
Instruction Fuzzy Hash: 8901A237941A7ABBC7225A969C08E8FFF65FF107707118125FD285A691D731DC20C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 00203EDD, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00203F73
GetLastError.KERNEL32 ref: 00203FD6

Strings

fileutil.cpp, xrefs: 00203FFA

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: fileutil.cpp
API String ID: 1948546556-2967768451
Opcode ID: 70d14809cc840cd847ce14879cb23ea30405924688326b1b057e5841b863279b
Instruction ID: df2631148aaa8934201ede49b50eb425e1c79e500bc23e51f84057d830b9a5c4
Opcode Fuzzy Hash: 70d14809cc840cd847ce14879cb23ea30405924688326b1b057e5841b863279b
Instruction Fuzzy Hash: A1318371E2036B9BDB31DE54C9447DA77B9FB04751F0040A6FA48E7681D7B49ED08A90

Uniqueness

Uniqueness Score: -1.00%

Function 00204E3A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,00203F9A,?,?,?), ref: 00204E5E
GetLastError.KERNEL32(?,?,00203F9A,?,?,?), ref: 00204E68

Strings

fileutil.cpp, xrefs: 00204E91

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: fileutil.cpp
API String ID: 442123175-2967768451
Opcode ID: 7b8786a766896418e9a6a469a3a5116991369a78bc985445541559cc7a1196b1
Instruction ID: 47d57b9930ebacdb6e34042abf4cd11e184cab985614872be3eec324fe050b8d
Opcode Fuzzy Hash: 7b8786a766896418e9a6a469a3a5116991369a78bc985445541559cc7a1196b1
Instruction Fuzzy Hash: 05F06D73A10229ABD7219E9ADC49EDFBB6DFB44761F014215FE08E7181D731AE1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 0020490D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,001D8770,00000000,00000000,00000000,00000000,00000000), ref: 00204925
GetLastError.KERNEL32(?,?,?,001D8770,00000000,00000000,00000000,00000000,00000000), ref: 0020492F

Strings

fileutil.cpp, xrefs: 00204953

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: fileutil.cpp
API String ID: 2976181284-2967768451
Opcode ID: 48f6c39a589e12a8f05212aff47c13761fb64a63933a93ef493fa4a28945a43c
Instruction ID: b6f8eaae41d51cc7efa6ae7049b4a4c83ddca2a1579b928827e7c23e9355aa31
Opcode Fuzzy Hash: 48f6c39a589e12a8f05212aff47c13761fb64a63933a93ef493fa4a28945a43c
Instruction Fuzzy Hash: 9AF0A9B661022EABDB219F85DC09EAB7FA8EF05760F018164BE5497352E731DC20D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 001C3838, Relevance: 4.6, APIs: 3, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 001C3877
GetLastError.KERNEL32 ref: 001C3881
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 001C38EA

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: e1b52d878c193634f5aca0b135cb9222fb8cc3d92313887b7606f5db3a49ba9b
Instruction ID: e3649b1b79fd174090bfec39dba209ff0b76f368ac98bddb81dbc5749a6b08dd
Opcode Fuzzy Hash: e1b52d878c193634f5aca0b135cb9222fb8cc3d92313887b7606f5db3a49ba9b
Instruction Fuzzy Hash: 0E2107B2D0133DA7DB309B659C49F9AB7A89B54710F1142A9FE24E7241DB70DE408BD0

Uniqueness

Uniqueness Score: -1.00%

Function 001C3A16, Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,001C3BB6,00000000,?,001C1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,001C13B8), ref: 001C3A20
RtlFreeHeap.NTDLL(00000000,?,001C3BB6,00000000,?,001C1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,001C13B8,000001C7,00000100), ref: 001C3A27
GetLastError.KERNEL32(?,001C3BB6,00000000,?,001C1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,001C13B8,000001C7,00000100,?), ref: 001C3A31

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: 0155a71f000d6a727f297aa11843b637a7a29674c39225843a17d323574727c4
Instruction ID: e65fcf27f48949abdaa0975c9a4e7b5c488322d0b7e8aac116165add187b3f67
Opcode Fuzzy Hash: 0155a71f000d6a727f297aa11843b637a7a29674c39225843a17d323574727c4
Instruction Fuzzy Hash: 44D01273A0423957C73217E66C5CA5BBE58EF14AA17014125FD58D7221D725CD1096E4

Uniqueness

Uniqueness Score: -1.00%

Function 00200F6C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0022AAA0,00000000,?,002057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00200F80

Strings

regutil.cpp, xrefs: 00200FC3

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Open
String ID: regutil.cpp
API String ID: 71445658-955085611
Opcode ID: ae5930fb9cc0caf3b02cbff8f60e4f9fb2c7c307223f5159ce7e88b72ac9069c
Instruction ID: aaa2b2287fc93c748ed938540a046428ba9cb46308439816270e0e5684b34055
Opcode Fuzzy Hash: ae5930fb9cc0caf3b02cbff8f60e4f9fb2c7c307223f5159ce7e88b72ac9069c
Instruction Fuzzy Hash: 47F0223362133376EB3009968C4DB6BAA59DB917A0F154125BD469E692EA618C20B2F0

Uniqueness

Uniqueness Score: -1.00%

Function 001FF479, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001FF491

Part of subcall function 0020998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00209A09
Part of subcall function 0020998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00209A1A

Strings

px8p, xrefs: 001FF479, 001FF48B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: px8p
API String ID: 1269201914-1459850159
Opcode ID: ba6e304cb0cd8299369fb178f69b4b5c249a0499b3cede491e35a2efa06d2798
Instruction ID: 101471a97d60c93d34ddd4483a529215c028612dfec3111cfe733c82f57a6701
Opcode Fuzzy Hash: ba6e304cb0cd8299369fb178f69b4b5c249a0499b3cede491e35a2efa06d2798
Instruction Fuzzy Hash: 2FB012A527A515BD730852913C02C37010CC6C2F22331C36EB841C4482A8804CA1C032

Uniqueness

Uniqueness Score: -1.00%

Function 001FF49A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001FF491

Part of subcall function 0020998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00209A09
Part of subcall function 0020998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00209A1A

Strings

px8p, xrefs: 001FF48B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: px8p
API String ID: 1269201914-1459850159
Opcode ID: 51f89db74fa6f48b3779dd22a999cfeb2401234d21ccc4c45082479ed78a6496
Instruction ID: 5e10e335d7c7e24c26c6e2b6188e3625c560fca816ab53b13a395cf5b05c160c
Opcode Fuzzy Hash: 51f89db74fa6f48b3779dd22a999cfeb2401234d21ccc4c45082479ed78a6496
Instruction Fuzzy Hash: 7BB012A127A515BE734892953D03C37010CC6C7F22331826EB441C5482E8804CA28032

Uniqueness

Uniqueness Score: -1.00%

Function 001FF4AA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001FF491

Part of subcall function 0020998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00209A09
Part of subcall function 0020998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00209A1A

Strings

px8p, xrefs: 001FF48B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: px8p
API String ID: 1269201914-1459850159
Opcode ID: cbbe33a6769885fe6cf0890f6c14ea95b0db5e8af66cfd4575b79f618d5193ef
Instruction ID: 503f00a727d3d51ceecaf500bdbc7599fde9f5b71ab335f5a1c90b83ec9a834c
Opcode Fuzzy Hash: cbbe33a6769885fe6cf0890f6c14ea95b0db5e8af66cfd4575b79f618d5193ef
Instruction Fuzzy Hash: F4B012A127A655BD734893953C02C37010CC6C6F22331C36EF441C5482E8804CE18032

Uniqueness

Uniqueness Score: -1.00%

Function 001F8726, Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 001F872A
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001F876A

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 4887236bd32eed8f67b4c5a911dd3ea3908d06a2041e82c5513c5e860cc81812
Instruction ID: f064183487757928922b6854f517e0fc0883b4b78d3f90667b03a2b2ad53590e
Opcode Fuzzy Hash: 4887236bd32eed8f67b4c5a911dd3ea3908d06a2041e82c5513c5e860cc81812
Instruction Fuzzy Hash: 7CE065771059186BD62232357C8BA7F7A19DFD17B17360115FA0486142DF309D0241F1

Uniqueness

Uniqueness Score: -1.00%

Function 001C3AF0, Relevance: 3.0, APIs: 2, Instructions: 14memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,?,001C226D,?,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000), ref: 001C3B04
RtlReAllocateHeap.NTDLL(00000000,?,001C226D,?,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3B0B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 256a54eab918d08a674269f0d7462cfc10523ca4cdba80ada28c3e6de421674a
Instruction ID: 164239f5ebd077e95d4325980542453a97eaf5e125c447a2957987eda6fb1739
Opcode Fuzzy Hash: 256a54eab918d08a674269f0d7462cfc10523ca4cdba80ada28c3e6de421674a
Instruction Fuzzy Hash: E1D0C93215430DEBCF015FE8EC0DDAA7BACEB586027048405B919C2221C739E4609A60

Uniqueness

Uniqueness Score: -1.00%

Function 002035C3, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002035F8

Part of subcall function 0020304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00203609,00000000,?,00000000), ref: 00203069
Part of subcall function 0020304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,001EC025,?,001C5405,?,00000000,?), ref: 00203075

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: 240aee13d6756b665d7925d2e25955c78d9538fd452bc50e38c71956b8188d05
Instruction ID: 2a1655a402a8f7e1c0fe856809e2502999b3b4ef09b6cff7ffc51e596c6e2727
Opcode Fuzzy Hash: 240aee13d6756b665d7925d2e25955c78d9538fd452bc50e38c71956b8188d05
Instruction Fuzzy Hash: AE314D76E10329ABDB11DFA8C884ADEB7F8EF08710F01456AED05AB351D7319E108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00205870, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,0022AAA0,00000000,80070490,?,?,001D8B19,WiX\Burn,PackageCache,00000000,0022AAA0,00000000,00000000,80070490), ref: 002058CA

Part of subcall function 002010B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0020112B
Part of subcall function 002010B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00201163

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: a58cca9e07ab928145d5849602167608e096fbf6df84ba7dcbc44d73c71ddae1
Instruction ID: 655e31c9877b2d710842783d5ecd9e1f3a18588bdb4a9c7b9b3fd810764190bf
Opcode Fuzzy Hash: a58cca9e07ab928145d5849602167608e096fbf6df84ba7dcbc44d73c71ddae1
Instruction Fuzzy Hash: AF118F3682173AEBDB216E948C859AFBB69AF04320B158139ED4167152C7314EB09F91

Uniqueness

Uniqueness Score: -1.00%

Function 001F521A, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,001F1F87,?,0000015D,?,?,?,?,001F33E0,000000FF,00000000,?,?), ref: 001F524C

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 52e48b8610538d0bbfcd7cc9f9b3c645f9469b4a5af073bcfa2bd10090947c3a
Instruction ID: cf5ffc2a318e1de55fac226cd67b3897522630c943d1a9fb1c0a2177f729f34c
Opcode Fuzzy Hash: 52e48b8610538d0bbfcd7cc9f9b3c645f9469b4a5af073bcfa2bd10090947c3a
Instruction Fuzzy Hash: B0E02B31540A6CEBE7312765AC09B7B7B4A9FE23A1F260310AF1596092CB60DD4141E1

Uniqueness

Uniqueness Score: -1.00%

Function 001C34B5, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,001D8BD3,0000001C,80070490,00000000,00000000,80070490), ref: 001C34D5

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 1489f8b18b28ef4b1d74a5b378458b2f0165538ce5ae81efb26170843314f279
Instruction ID: 87c6f061895fa94f9d35927f43335df849700f464a3e0d8d3ad2839a764bf7aa
Opcode Fuzzy Hash: 1489f8b18b28ef4b1d74a5b378458b2f0165538ce5ae81efb26170843314f279
Instruction Fuzzy Hash: A9E012722012247BE6132F655C05EEB7B5C9F253547008059FE40D6011D776E950C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00209674, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0020966B

Part of subcall function 0020998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00209A09
Part of subcall function 0020998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00209A1A

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fc1e68edaa0c067c5d032c3aa971862bf1cb818094120df7a8f3f9f237454a71
Instruction ID: 96403790b5f03dcf5d13203f2711263f21a08e119969d71e3a9f3027cf4c34b0
Opcode Fuzzy Hash: fc1e68edaa0c067c5d032c3aa971862bf1cb818094120df7a8f3f9f237454a71
Instruction Fuzzy Hash: 88B01291279212BDB74852853C03C37020CC2C1B11330C21FB802C15C3F8804CF44132

Uniqueness

Uniqueness Score: -1.00%

Function 00209653, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0020966B

Part of subcall function 0020998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00209A09
Part of subcall function 0020998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00209A1A

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7256bd5adf118dbcdce79cb94048e42b48170bcf221da539be92f3da71549f76
Instruction ID: b1872cf84e6d4a60914f3377cd01c2d1e832cbf63ca48b2a153a6f432d443250
Opcode Fuzzy Hash: 7256bd5adf118dbcdce79cb94048e42b48170bcf221da539be92f3da71549f76
Instruction Fuzzy Hash: 6CB01291279355BDBB0812857C82C37010CC6C1F11330C21FB402E04C3B8804CF00233

Uniqueness

Uniqueness Score: -1.00%

Function 00209684, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0020966B

Part of subcall function 0020998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00209A09
Part of subcall function 0020998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00209A1A

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f81417e18700b5fea272aaf0b1648cf746b4ae2ad4a9d42374fc16727cac957f
Instruction ID: d4f9fed0f03a14ffb763ff62da6f5ab0dc9a7ef985d5cbc6c649c99433915953
Opcode Fuzzy Hash: f81417e18700b5fea272aaf0b1648cf746b4ae2ad4a9d42374fc16727cac957f
Instruction Fuzzy Hash: ECB01291279351BDBB4852C93E43C37010CC6C2F11330821FB402D15C3F8814CF10132

Uniqueness

Uniqueness Score: -1.00%

Function 001C14B6, Relevance: 1.3, APIs: 1, Instructions: 57stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,001C21A8,?,00000000,?,00000000,?,001C390C,00000000,?,00000104), ref: 001C14E8

Part of subcall function 001C3BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,001C21CC,000001C7,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3BDB
Part of subcall function 001C3BD3: HeapSize.KERNEL32(00000000,?,001C21CC,000001C7,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3BE2

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: f50e8ba1336f65fc063a043a680f46b999bd5686d40e60bdb22328dea387721d
Instruction ID: 3c999cf8565cf524b9b5118c06f42ccc3e575d12313956cae08a21cab33a50ee
Opcode Fuzzy Hash: f50e8ba1336f65fc063a043a680f46b999bd5686d40e60bdb22328dea387721d
Instruction Fuzzy Hash: 5701F933280218BBCF255E54EC84FAA7765AFA7B60F61821DFA165B253D731DC008691

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001CA8F1, Relevance: 170.4, APIs: 29, Strings: 68, Instructions: 688COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 001CB11C

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

CompareStringW.KERNEL32(0000007F,00000000,0020CA9C,000000FF,DirectorySearch,000000FF,0020CA9C,Condition,feclient.dll,0020CA9C,Variable,?,0020CA9C,0020CA9C,?,?), ref: 001CAA29
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 001CAA7E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,path,000000FF), ref: 001CAA9A
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,FileSearch,000000FF), ref: 001CAABE
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 001CAB11
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 001CAB2B
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,RegistrySearch,000000FF), ref: 001CAB53
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCR,000000FF,?,Root,?), ref: 001CAB91
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCU,000000FF), ref: 001CABB0
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKLM,000000FF), ref: 001CABCF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Win64,msi.dll,?,Type,?,?,Value,version.dll,?), ref: 001CAC8D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,value,000000FF), ref: 001CACA7

Part of subcall function 002032F3: VariantInit.OLEAUT32(?), ref: 00203309
Part of subcall function 002032F3: SysAllocString.OLEAUT32(?), ref: 00203325
Part of subcall function 002032F3: VariantClear.OLEAUT32(?), ref: 002033AC
Part of subcall function 002032F3: SysFreeString.OLEAUT32(00000000), ref: 002033B7

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,numeric,000000FF,?,VariableType,?,?,ExpandEnvironment,cabinet.dll), ref: 001CAD06
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,string,000000FF), ref: 001CAD28
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 001CAD48
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,directory,000000FF), ref: 001CAE20
SysFreeString.OLEAUT32(?), ref: 001CAFFE

Strings

numeric, xrefs: 001CACF7
HKCU, xrefs: 001CABA3
RegistrySearch, xrefs: 001CAB46
Variable, xrefs: 001CA9DE
cabinet.dll, xrefs: 001CACBA
Failed to get Value attribute., xrefs: 001CB03C
HKLM, xrefs: 001CABC2
directory, xrefs: 001CAE13
version.dll, xrefs: 001CAC1E
path, xrefs: 001CAA8D, 001CAB3A
Failed to get @Type., xrefs: 001CB0B0
Condition, xrefs: 001CA9F9
feclient.dll, xrefs: 001CA9F8
UpgradeCode, xrefs: 001CAE8C
Win64, xrefs: 001CAC5D
Failed to get Key attribute., xrefs: 001CB06E
Failed to allocate memory for search structs., xrefs: 001CA97D
Failed to get @Root., xrefs: 001CB07F
Failed to get next node., xrefs: 001CB0EB
Failed to get Win64 attribute., xrefs: 001CB046
Failed to get @UpgradeCode., xrefs: 001CB08D
Unexpected element name: %ls, xrefs: 001CB0CD
Path, xrefs: 001CAA3B, 001CAACE
Key, xrefs: 001CAC04
Invalid value for @Type: %ls, xrefs: 001CB0A1
wininet.dll, xrefs: 001CAC03
Failed to get search node count., xrefs: 001CA945
search.cpp, xrefs: 001CA973
MsiProductSearch, xrefs: 001CAE39
Failed to get @ProductCode or @UpgradeCode., xrefs: 001CB094
comres.dll, xrefs: 001CADA6, 001CAE5B, 001CAE8B, 001CAF90
Failed to select search nodes., xrefs: 001CA920
MsiFeatureSearch, xrefs: 001CAF53
FeatureId, xrefs: 001CAF91
FileSearch, xrefs: 001CAAB1
ComponentId, xrefs: 001CADA7
Failed to get @Id., xrefs: 001CB0E4
VariableType, xrefs: 001CACDE
string, xrefs: 001CAD1B
Type, xrefs: 001CAA56, 001CAAE9, 001CAC42, 001CADC2, 001CAEC2, 001CAFAC
Invalid value for @VariableType: %ls, xrefs: 001CB05D
language, xrefs: 001CAEF7
Failed to get @ExpandEnvironment., xrefs: 001CB050
state, xrefs: 001CADF7, 001CAF13, 001CAFC5
Failed to get @Variable., xrefs: 001CB0DD
Invalid value for @Root: %ls, xrefs: 001CB078
Value, xrefs: 001CAC1F
ExpandEnvironment, xrefs: 001CACBB
HKU, xrefs: 001CABE1
Failed to get @VariableType., xrefs: 001CB064
keyPath, xrefs: 001CADDB
clbcatq.dll, xrefs: 001CAA3A, 001CAACD, 001CAD83, 001CAF75
Failed to get @FeatureId., xrefs: 001CB0B7
assignment, xrefs: 001CAF2D
HKCR, xrefs: 001CAB82
version, xrefs: 001CAB1E, 001CAD3B, 001CAEDB
DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch, xrefs: 001CA90D
value, xrefs: 001CAC9A
msi.dll, xrefs: 001CAC5C
Failed to get @Condition., xrefs: 001CB028
Failed to get @ComponentId., xrefs: 001CB086
Failed to get @Path., xrefs: 001CB032
ProductCode, xrefs: 001CAD84, 001CAE5C, 001CAF76
DirectorySearch, xrefs: 001CAA1A
exists, xrefs: 001CAA6F, 001CAB02, 001CAC7E
MsiComponentSearch, xrefs: 001CAD61
Root, xrefs: 001CAB69
Failed to get @ProductCode., xrefs: 001CB0BE

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: String$Compare$Free$HeapVariant$AllocAllocateClearInitProcess
String ID: ComponentId$Condition$DirectorySearch$DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch$ExpandEnvironment$Failed to allocate memory for search structs.$Failed to get @ComponentId.$Failed to get @Condition.$Failed to get @ExpandEnvironment.$Failed to get @FeatureId.$Failed to get @Id.$Failed to get @Path.$Failed to get @ProductCode or @UpgradeCode.$Failed to get @ProductCode.$Failed to get @Root.$Failed to get @Type.$Failed to get @UpgradeCode.$Failed to get @Variable.$Failed to get @VariableType.$Failed to get Key attribute.$Failed to get Value attribute.$Failed to get Win64 attribute.$Failed to get next node.$Failed to get search node count.$Failed to select search nodes.$FeatureId$FileSearch$HKCR$HKCU$HKLM$HKU$Invalid value for @Root: %ls$Invalid value for @Type: %ls$Invalid value for @VariableType: %ls$Key$MsiComponentSearch$MsiFeatureSearch$MsiProductSearch$Path$ProductCode$RegistrySearch$Root$Type$Unexpected element name: %ls$UpgradeCode$Value$Variable$VariableType$Win64$assignment$cabinet.dll$clbcatq.dll$comres.dll$directory$exists$feclient.dll$keyPath$language$msi.dll$numeric$path$search.cpp$state$string$value$version$version.dll$wininet.dll
API String ID: 2748437055-1695159631
Opcode ID: 1a3b4f392116d87b34fbf6167c2789235e9e38225677a6b6136546db858f7fd1
Instruction ID: 84c04c016520836fb2699e0b66e268bad75b3dcea9f4c7aa341aeac2f4f585f7
Opcode Fuzzy Hash: 1a3b4f392116d87b34fbf6167c2789235e9e38225677a6b6136546db858f7fd1
Instruction Fuzzy Hash: 7622D571D5832ABACF219A948C43FAE7A74AF22734F310758B930B61D2D770DD60DA91

Uniqueness

Uniqueness Score: -1.00%

Function 001C3CC4, Relevance: 45.8, APIs: 23, Strings: 3, Instructions: 320fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 001C3D40
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 001C3D53
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 001C3D9E
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 001C3DA8
GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 001C3DF6
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 001C3E00
FindFirstFileW.KERNEL32(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 001C3E53
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 001C3E64
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 001C3F3E
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000001,00000000,?), ref: 001C3F52
GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 001C3F79
MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 001C3F9C
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 001C3FB5
FindNextFileW.KERNEL32(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 001C3FC5
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 001C3FDA
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 001C4009
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 001C402B
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 001C404D
RemoveDirectoryW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 001C4064
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 001C406E
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 001C4095
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 001C40B0
FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 001C40E6

Strings

DEL, xrefs: 001C3F6D
dirutil.cpp, xrefs: 001C3D76, 001C3FFA
*.*, xrefs: 001C3E2C

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
String ID: *.*$DEL$dirutil.cpp
API String ID: 1544372074-1252831301
Opcode ID: fe9f63585e232fe82ec75156ff30680937f1a9c03f10b2b05dae7494d615cf86
Instruction ID: a90891d8f7585948b4aa4e377a44a3d12f66b421b2050bc762bd336aba3685bc
Opcode Fuzzy Hash: fe9f63585e232fe82ec75156ff30680937f1a9c03f10b2b05dae7494d615cf86
Instruction Fuzzy Hash: EDB1E572D452399BDB315AA48C09FEAB675AF60720F01429DFE58B7190D732CE90CAD1

Uniqueness

Uniqueness Score: -1.00%

Function 001E41EA, Relevance: 43.0, Strings: 34, Instructions: 498COMMON

Download Yara Rule

Strings

ACTION=ADMIN, xrefs: 001E4709
Failed to perform minor upgrade of MSI package., xrefs: 001E4638
Failed to add ADMIN property on admin install., xrefs: 001E471E
Failed to add the list of dependencies to ignore to the properties., xrefs: 001E46CA
Failed to add patch properties to argument string., xrefs: 001E44FD
Failed to install MSI package., xrefs: 001E4746
REBOOT=ReallySuppress, xrefs: 001E45A0, 001E476C
Failed to add reinstall mode and reboot suppression properties on repair., xrefs: 001E469B
Failed to add feature action properties to argument string., xrefs: 001E44B9
Failed to add reinstall all property on minor upgrade., xrefs: 001E45EA
WixBundleExecutePackageCacheFolder, xrefs: 001E436A, 001E48A4
Failed to add patch properties to obfuscated argument string., xrefs: 001E451F
REINSTALLMODE="vomus" REBOOT=ReallySuppress, xrefs: 001E45F5
Failed to enable logging for package: %ls to: %ls, xrefs: 001E441F
feclient.dll, xrefs: 001E42C5, 001E434D, 001E441D, 001E454B, 001E47D8
IGNOREDEPENDENCIES, xrefs: 001E46A5, 001E4784
Failed to uninstall MSI package., xrefs: 001E47EF
crypt32.dll, xrefs: 001E440A
REINSTALL=ALL, xrefs: 001E45D3, 001E464D
Failed to add reboot suppression property on install., xrefs: 001E45BB
%ls %ls=ALL, xrefs: 001E46B6, 001E4795
Failed to initialize external UI handler., xrefs: 001E43F4
msasn1.dll, xrefs: 001E440B
%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress, xrefs: 001E4687
Failed to add properties to argument string., xrefs: 001E4463
Failed to build MSI path., xrefs: 001E439D
Failed to add obfuscated properties to argument string., xrefs: 001E4497
Failed to add feature action properties to obfuscated argument string., xrefs: 001E44DB
Failed to add reboot suppression property on uninstall., xrefs: 001E477D
WixBundleExecutePackageAction, xrefs: 001E43B7, 001E48B4
Failed to run maintanance mode for MSI package., xrefs: 001E46F6
VersionString, xrefs: 001E428E, 001E42EF
Failed to get cached path for package: %ls, xrefs: 001E434F
Failed to add reinstall mode and reboot suppression properties on minor upgrade., xrefs: 001E460C

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID:
String ID: ACTION=ADMIN$ REBOOT=ReallySuppress$ REINSTALL=ALL$ REINSTALLMODE="vomus" REBOOT=ReallySuppress$%ls %ls=ALL$%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress$Failed to add ADMIN property on admin install.$Failed to add feature action properties to argument string.$Failed to add feature action properties to obfuscated argument string.$Failed to add obfuscated properties to argument string.$Failed to add patch properties to argument string.$Failed to add patch properties to obfuscated argument string.$Failed to add properties to argument string.$Failed to add reboot suppression property on install.$Failed to add reboot suppression property on uninstall.$Failed to add reinstall all property on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on repair.$Failed to add the list of dependencies to ignore to the properties.$Failed to build MSI path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for package: %ls$Failed to initialize external UI handler.$Failed to install MSI package.$Failed to perform minor upgrade of MSI package.$Failed to run maintanance mode for MSI package.$Failed to uninstall MSI package.$IGNOREDEPENDENCIES$VersionString$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$crypt32.dll$feclient.dll$msasn1.dll
API String ID: 0-2033600224
Opcode ID: 3e1e224fe993d67643a21efe23283ec8c2799aafac2b65fd968d1c4c191f6501
Instruction ID: f5a723012f3dac178de07ad68f39b2f5253f8b502561819d4fbd2379344e837f
Opcode Fuzzy Hash: 3e1e224fe993d67643a21efe23283ec8c2799aafac2b65fd968d1c4c191f6501
Instruction Fuzzy Hash: 7A02C071950A65AFDB229E55CC81FADB7BABF65700F0101A5F908A7251C732DEA0CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00201719, Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 337COMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 002017B1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002017BB
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00201808
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0020180E
CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00201848
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0020184E
CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 0020188E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00201894
CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 002018D4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002018DA
CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 0020191A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00201920
SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 00201A11
SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 00201A4B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00201A55
SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 00201A8D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00201A97
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00201AD0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00201ADA
CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 00201B18
LocalFree.KERNEL32(?), ref: 00201B2E

Strings

srputil.cpp, xrefs: 002017DC

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
String ID: srputil.cpp
API String ID: 267631441-4105181634
Opcode ID: 7fc630df834663aa3ef2e91230a13bbfe92f2e40d4a1ce6b6331d437bed73967
Instruction ID: a050f210156cda410f4436cb86856f2a73f2301f290ba8cfffaccb704219ccbc
Opcode Fuzzy Hash: 7fc630df834663aa3ef2e91230a13bbfe92f2e40d4a1ce6b6331d437bed73967
Instruction Fuzzy Hash: B7C17376D5133DABD7318F969C48BDFFAB8AF44750F0141AAA904B7281E7709E50CEA0

Uniqueness

Uniqueness Score: -1.00%

Function 001EC332, Relevance: 37.1, APIs: 1, Strings: 20, Instructions: 376COMMON

Download Yara Rule

Strings

Failed to copy version for pseudo bundle., xrefs: 001EC72D
Failed to append relation type to repair arguments for related bundle package, xrefs: 001EC5F1
Failed to copy key for pseudo bundle., xrefs: 001EC542
Failed to allocate memory for pseudo bundle payload hash., xrefs: 001EC4AD
-%ls, xrefs: 001EC34C
Failed to copy filename for pseudo bundle., xrefs: 001EC417
Failed to copy repair arguments for related bundle package, xrefs: 001EC5D0
Failed to copy key for pseudo bundle payload., xrefs: 001EC3F3
Failed to allocate memory for dependency providers., xrefs: 001EC6DE
Failed to copy cache id for pseudo bundle., xrefs: 001EC55F
Failed to append relation type to install arguments for related bundle package, xrefs: 001EC5A9
Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 001EC385
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 001EC3BE
Failed to copy uninstall arguments for related bundle package, xrefs: 001EC623
Failed to copy display name for pseudo bundle., xrefs: 001EC74F
Failed to copy local source path for pseudo bundle., xrefs: 001EC43B
Failed to append relation type to uninstall arguments for related bundle package, xrefs: 001EC644
Failed to copy download source for pseudo bundle., xrefs: 001EC469
pseudobundle.cpp, xrefs: 001EC379, 001EC3B2, 001EC4A1, 001EC6D2
Failed to copy install arguments for related bundle package, xrefs: 001EC584

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
API String ID: 1357844191-2832335422
Opcode ID: b83e83a834bf311e91f687880270795fbb78f40d5712c1971eb03cd8e6fea357
Instruction ID: 4a125aeb8a67b45a627e60b01f7e9c8934e7ed1529463575ca2742cf428d2eb1
Opcode Fuzzy Hash: b83e83a834bf311e91f687880270795fbb78f40d5712c1971eb03cd8e6fea357
Instruction Fuzzy Hash: E9C1E071B00A96ABCB19DF25CC81FAEB7A8BF29710B054129FD15EB241D770EC519BD0

Uniqueness

Uniqueness Score: -1.00%

Function 001C45EE, Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 141sleepshutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 001C4617
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 001C461E
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 001C4628
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 001C4678
GetLastError.KERNEL32 ref: 001C4682
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 001C46C6
GetLastError.KERNEL32 ref: 001C46D0
Sleep.KERNEL32(000003E8), ref: 001C470C
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 001C471D
GetLastError.KERNEL32 ref: 001C4727
CloseHandle.KERNEL32(?), ref: 001C477D

Strings

Failed to get process token., xrefs: 001C4656
Failed to get shutdown privilege LUID., xrefs: 001C46B0
engine.cpp, xrefs: 001C464C, 001C46A6, 001C46F4, 001C475E
Failed to schedule restart., xrefs: 001C4768
SeShutdownPrivilege, xrefs: 001C466B
Failed to adjust token to add shutdown privileges., xrefs: 001C46FE

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$engine.cpp
API String ID: 2241679041-1583736410
Opcode ID: 31e7e43deeac8144398fb8ff4555de0d4c99fa1d2c89ea638669c6957eff6cc5
Instruction ID: c3db8488e88c29100719ac08855374197195cb0f126707874c7113b34241c688
Opcode Fuzzy Hash: 31e7e43deeac8144398fb8ff4555de0d4c99fa1d2c89ea638669c6957eff6cc5
Instruction Fuzzy Hash: 81414A77E50336ABD7315BA59D5AF6F7668AB11710F110128FE10B7281D725CC0085E1

Uniqueness

Uniqueness Score: -1.00%

Function 001D4EDF, Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 165pipeCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 001D4F0D
GetLastError.KERNEL32(?,00000000,?,?,001C452F,?), ref: 001D4F16
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,001C452F,?), ref: 001D4FB8
GetLastError.KERNEL32(?,001C452F,?), ref: 001D4FC5
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,00000000,?,?,?,?,?,?,?,001C452F), ref: 001D5040
GetLastError.KERNEL32(?,?,?,?,?,?,?,001C452F,?), ref: 001D504B
CloseHandle.KERNEL32(00000000,pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,001C452F,?), ref: 001D508B
LocalFree.KERNEL32(00000000,?,001C452F,?), ref: 001D50B9

Strings

Failed to create the security descriptor for the connection event and pipe., xrefs: 001D4F44
Failed to allocate full name of pipe: %ls, xrefs: 001D4F84
Failed to create pipe: %ls, xrefs: 001D4FF6, 001D507C
Failed to allocate full name of cache pipe: %ls, xrefs: 001D5022
\\.\pipe\%ls.Cache, xrefs: 001D500C
pipe.cpp, xrefs: 001D4F3A, 001D4FE9, 001D506F
D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 001D4F08
\\.\pipe\%ls, xrefs: 001D4F6E

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$CreateDescriptorNamedPipeSecurity$CloseConvertFreeHandleLocalString
String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
API String ID: 1214480349-3253666091
Opcode ID: 44421045800c2588e1b0913de6b25a2d649286c22834cf0ce1efb3db141d7dba
Instruction ID: 930e28c10d1ee0ceb1e6ebc5043c1bae22a35d23fb668520846a002b3e9cc237
Opcode Fuzzy Hash: 44421045800c2588e1b0913de6b25a2d649286c22834cf0ce1efb3db141d7dba
Instruction Fuzzy Hash: E5510772D50725BBDB21ABA4CC46FDEBBB4AF14720F110126FD14B62D1D3B55E908AD0

Uniqueness

Uniqueness Score: -1.00%

Function 001FFA62, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 173encryptionfileCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,001D9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0), ref: 001FFAC7
GetLastError.KERNEL32 ref: 001FFAD1
CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 001FFB0E
GetLastError.KERNEL32 ref: 001FFB18
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 001FFB5F
ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 001FFB83
GetLastError.KERNEL32 ref: 001FFB8D
CryptDestroyHash.ADVAPI32(00000000), ref: 001FFBCA
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 001FFBE1
GetLastError.KERNEL32 ref: 001FFBFC
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 001FFC34
GetLastError.KERNEL32 ref: 001FFC3E
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 001FFC77
GetLastError.KERNEL32 ref: 001FFC85

Strings

cryputil.cpp, xrefs: 001FFBB1

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease
String ID: cryputil.cpp
API String ID: 3955742341-2185294990
Opcode ID: 66f0834a826da5231bb128c7945f84525f1361349f50765921eb259f1256aa61
Instruction ID: d0b74e86817772bbdf9831bbcf2c023b6357cddf76e15acc3b169eb39b3a85ae
Opcode Fuzzy Hash: 66f0834a826da5231bb128c7945f84525f1361349f50765921eb259f1256aa61
Instruction Fuzzy Hash: D751B437D4023DABD7328A519C19BEB7A64AF04751F0141B9BF48FB290E7B49D819AE0

Uniqueness

Uniqueness Score: -1.00%

Function 001D9E9E, Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 181COMMON

Download Yara Rule

Strings

Failed to reset permissions on unverified cached payload: %ls, xrefs: 001D9FF1
Failed to move verified file to complete payload path: %ls, xrefs: 001DA06C
copying, xrefs: 001DA030, 001DA038
Failed to concat complete cached path., xrefs: 001D9EF4
Failed to transfer working path to unverified path for payload: %ls., xrefs: 001D9FA4
moving, xrefs: 001DA029
Failed to create unverified path., xrefs: 001D9F6E
Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 001D9FCB
Failed to get cached path for package with cache id: %ls, xrefs: 001D9EC8

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID:
String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
API String ID: 0-1289240508
Opcode ID: ef87fc45ad5eaf784dbe1a6b23ce73bfd10263d2eb18915412a1175bc940a61c
Instruction ID: 2f012cb75e797613fdf3d30adc02e28f1daa4174a261a6fc572333a822d671b1
Opcode Fuzzy Hash: ef87fc45ad5eaf784dbe1a6b23ce73bfd10263d2eb18915412a1175bc940a61c
Instruction Fuzzy Hash: 0A516031944219FBDF226BA4CC46FEDBB76AF14700F504152FA00B52A1E7769EB0AF85

Uniqueness

Uniqueness Score: -1.00%

Function 001C62AA, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C), ref: 001C62F8
GetLastError.KERNEL32 ref: 001C6302

Strings

Failed to set variant value., xrefs: 001C6423
Failed to get OS info., xrefs: 001C6330
variable.cpp, xrefs: 001C6326

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLastVersion
String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
API String ID: 305913169-1971907631
Opcode ID: fdbba640919f1e76e2a0e243d6de9be74d6351f2d512d398e64cc11341b96b3d
Instruction ID: 6d52d7b0b712c40ed6119a849c86423978452b307d80776deb12c25ffd1268e8
Opcode Fuzzy Hash: fdbba640919f1e76e2a0e243d6de9be74d6351f2d512d398e64cc11341b96b3d
Instruction Fuzzy Hash: 6C41E472A00268ABDB248B59DC49FEF7BB8EB95710F00019EF509E7181C734DE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001FFEC6, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 132threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0022B5FC,00000000,?,?,?,?,001E12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 001FFEF4
GetCurrentProcessId.KERNEL32(00000000,?,001E12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 001FFF04
GetCurrentThreadId.KERNEL32 ref: 001FFF0D
GetLocalTime.KERNEL32(8007139F,?,001E12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 001FFF23
LeaveCriticalSection.KERNEL32(0022B5FC,001E12CF,?,00000000,0000FDE9,?,001E12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 0020001A

Strings

,e", xrefs: 001FFF53
0e", xrefs: 001FFF70
(e", xrefs: 001FFF5A
%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 001FFFC0
$e", xrefs: 001FFF61

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: $e"$%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls$(e"$,e"$0e"
API String ID: 296830338-1576165156
Opcode ID: 4dd007ef20ccc6cc1208adb3111936a8eafcf3c0eec52f0ec93b9bbe12162650
Instruction ID: d41182185b916aed6cca82c5e7c0347d4e011375c47502c314d5f23ea28fa7a3
Opcode Fuzzy Hash: 4dd007ef20ccc6cc1208adb3111936a8eafcf3c0eec52f0ec93b9bbe12162650
Instruction Fuzzy Hash: 52417272D10219ABDB219FE4EC48BBEB7B9EF09B11F140029F501A6291D7748D51DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001C6037, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 001C6062
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 001C6076
GetLastError.KERNEL32 ref: 001C6088
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 001C60DC
GetLastError.KERNEL32 ref: 001C60E6

Strings

Failed to set variant value., xrefs: 001C6124
Failed to get the Date., xrefs: 001C610B
Failed to get the required buffer length for the Date., xrefs: 001C60AD
Failed to allocate the buffer for the Date., xrefs: 001C60C4
variable.cpp, xrefs: 001C60A3, 001C6101

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: DateErrorFormatLast$SystemTime
String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
API String ID: 2700948981-3682088697
Opcode ID: e6e407661c19d9e000f4711bdf30012c4f1724f649ac6b94434463e84a637bf2
Instruction ID: 03c8a9fab8aa6afb033b6c2af05e7a865381590c35f86ffe76d319c8b2ec333a
Opcode Fuzzy Hash: e6e407661c19d9e000f4711bdf30012c4f1724f649ac6b94434463e84a637bf2
Instruction Fuzzy Hash: CC31B972A407297BDB219BE9CC46FAFBB68AB54710F110129FE00F7182D761DD5046E1

Uniqueness

Uniqueness Score: -1.00%

Function 001D9B43, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?,*.*,?,?,?,00000000,.unverified,?), ref: 001D9BF2
lstrlenW.KERNEL32(?), ref: 001D9C19
FindNextFileW.KERNEL32(00000000,00000010), ref: 001D9C79
FindClose.KERNEL32(00000000), ref: 001D9C84

Part of subcall function 001C3CC4: GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 001C3D40
Part of subcall function 001C3CC4: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 001C3D53

Strings

.unverified, xrefs: 001D9B86
*.*, xrefs: 001D9BCC

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
String ID: *.*$.unverified
API String ID: 457978746-2528915496
Opcode ID: a4d5fcc94d014751b4f4750c7d7beadd5a2ab3adfe7ba39605b683095b0ae5c5
Instruction ID: abc79a046280d12a47b2b6680f5e6ba8b12ad5a3994062a80ae703bcbb91a09b
Opcode Fuzzy Hash: a4d5fcc94d014751b4f4750c7d7beadd5a2ab3adfe7ba39605b683095b0ae5c5
Instruction Fuzzy Hash: 71417C3091066CAECF21AB60DD4DBEEB7F8AF54301F5001A6E908E11A1EB759ED4DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0020887B, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 77timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 002088D0
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 002088E2

Strings

feclient.dll, xrefs: 002088AA
crypt32.dll, xrefs: 002088A0
%04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 0020892D
%04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 002088B9

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Time$InformationLocalSpecificSystemZone
String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
API String ID: 1772835396-1985132828
Opcode ID: 445e0e991ed5d1f71f6cf92c30aacdf7d6ae47eb4973ba718e2ab4e04f97542d
Instruction ID: 87969ea5905cc4604fd85998007ceea085baff3104a5f5e015b0de2e8252c78a
Opcode Fuzzy Hash: 445e0e991ed5d1f71f6cf92c30aacdf7d6ae47eb4973ba718e2ab4e04f97542d
Instruction Fuzzy Hash: 052128A6900128FADB20DB9ADC05FBFB3FCAB5D711F00855AF945D2180E7389A90D770

Uniqueness

Uniqueness Score: -1.00%

Function 001FAA0E, Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001FAB54

Strings

1#SNAN, xrefs: 001FBD53
1#IND, xrefs: 001FBD4C
1#QNAN, xrefs: 001FBD5A
1#INF, xrefs: 001FBD61

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 7f0b14d305f0ebe8ec34aa77ad94672f4a41543d14ebeb0ccb347e7d020ba30f
Instruction ID: 42fc8c2eb0f6c8635809fa949994d0d5751eba4d8959dd911d0ea6ce447d241a
Opcode Fuzzy Hash: 7f0b14d305f0ebe8ec34aa77ad94672f4a41543d14ebeb0ccb347e7d020ba30f
Instruction Fuzzy Hash: 6AC219B1E0862C8BDB25CE28DD807FAB7B5EB84315F1541EAD54DE7240E778AE818F41

Uniqueness

Uniqueness Score: -1.00%

Function 001C61DF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 001C620F
GetLastError.KERNEL32 ref: 001C6219

Strings

Failed to set variant value., xrefs: 001C625E
Failed to get the user name., xrefs: 001C6242
variable.cpp, xrefs: 001C6238

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLastNameUser
String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
API String ID: 2054405381-1522884404
Opcode ID: a13d6908f8534db2f77e90de8055a28addecb0beb46f51a9252be48b72f09113
Instruction ID: ed9af565974b21efaa953d9e44e59f1abe5f986bf242febd263191b6a85f7a62
Opcode Fuzzy Hash: a13d6908f8534db2f77e90de8055a28addecb0beb46f51a9252be48b72f09113
Instruction Fuzzy Hash: 3001F972A0172967D7219B55DC4AFAFB7A89F11720F110259FC14E7282DB70DE404AD5

Uniqueness

Uniqueness Score: -1.00%

Function 001FFE21, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00000900,?,?,00000000,00000000,00000000,?,00000000,?,?,002004F4,?,?,?,?,00000001), ref: 001FFE40
GetLastError.KERNEL32(?,002004F4,?,?,?,?,00000001,?,001C5616,?,?,00000000,?,?,001C5395,00000002), ref: 001FFE4C
LocalFree.KERNEL32(00000000,?,?,00000000,?,?,002004F4,?,?,?,?,00000001,?,001C5616,?,?), ref: 001FFEB5

Strings

logutil.cpp, xrefs: 001FFE6B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: logutil.cpp
API String ID: 1365068426-3545173039
Opcode ID: 4ea241715e2a3dd4fc3579edbcb3885deed298e1e916d48fa9629c627683a639
Instruction ID: dd1afcab293d227c4a697b3ac937f4ba033cc966af9b4b2bcd4eb11d63ccbc26
Opcode Fuzzy Hash: 4ea241715e2a3dd4fc3579edbcb3885deed298e1e916d48fa9629c627683a639
Instruction Fuzzy Hash: 84118F32A0022DEBDB319F949D09EBF7B69EF54710F02406DFE0596172D7B18E21D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 001E6B88, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,001E6B32,00000000,00000003), ref: 001E6B9F
GetLastError.KERNEL32(?,001E6B32,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,001E6F28,?), ref: 001E6BA9

Strings

msuengine.cpp, xrefs: 001E6BCD
Failed to set service start type., xrefs: 001E6BD7

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ChangeConfigErrorLastService
String ID: Failed to set service start type.$msuengine.cpp
API String ID: 1456623077-1628545019
Opcode ID: b97a72db7169c2760926a5b28ec660a63dc9d77e0be25888516214f23c3fb94c
Instruction ID: d0a27bcab0a9b1d2478914d1ee345ae7d418d507afb1dda75227573d7c67fd35
Opcode Fuzzy Hash: b97a72db7169c2760926a5b28ec660a63dc9d77e0be25888516214f23c3fb94c
Instruction Fuzzy Hash: 24F0A73374967577C73126966C09E8F7E489F117B0B110315FD28EA2D1DB51891085E0

Uniqueness

Uniqueness Score: -1.00%

Function 001F3C76, Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 001F3D6E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 001F3D78
UnhandledExceptionFilter.KERNEL32(80003CDD,?,?,?,?,?,?), ref: 001F3D85

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e64f894452772a286ef465c00c94315beb892622216e5aa190720d32e759e653
Instruction ID: aea14f9c75b04b80c5a38d92a4405a245fc1230f8c6bfccf8cb22d367b088899
Opcode Fuzzy Hash: e64f894452772a286ef465c00c94315beb892622216e5aa190720d32e759e653
Instruction Fuzzy Hash: 8931D27491122CABCB21DF65DD89B9CBBB8BF18710F5045EAE81CA7251E7309F818F44

Uniqueness

Uniqueness Score: -1.00%

Function 001F48D8, Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,001F48AE,00000000,00227F08,0000000C,001F4A05,00000000,00000002,00000000), ref: 001F48F9
TerminateProcess.KERNEL32(00000000,?,001F48AE,00000000,00227F08,0000000C,001F4A05,00000000,00000002,00000000), ref: 001F4900
ExitProcess.KERNEL32 ref: 001F4912

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 85bef17ebba231ec84e1a6b976072e1d18a4508127ff0adc952b8ffbf484959b
Instruction ID: ed2e11fa9c6bfaa00f845492f9ee821fe4f1c86b40d4591779acd8c13c2b3c63
Opcode Fuzzy Hash: 85bef17ebba231ec84e1a6b976072e1d18a4508127ff0adc952b8ffbf484959b
Instruction Fuzzy Hash: 12E0B63150024CAFCF22AF64ED0DA6A3B69FF59785B104014FA298A222CB75DD52CA90

Uniqueness

Uniqueness Score: -1.00%

Function 001F7B87, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 001F7C51

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: b0ba4b324cae71861d6c155cbf66c5f333ab2892df67724f3e99db2a46f9efd5
Instruction ID: f9dcb2f369afb28cb260c5ded8009be862a9c33163e648ee875d71bf8a6d317f
Opcode Fuzzy Hash: b0ba4b324cae71861d6c155cbf66c5f333ab2892df67724f3e99db2a46f9efd5
Instruction Fuzzy Hash: 3541137290421D6ECB249FB9DC89EBB77B8EB84314F504668FA15D71C0E7719E818B60

Uniqueness

Uniqueness Score: -1.00%

Function 001FA560, Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8f95bc5e7c876d0a1a0b2598f8063104ee7b1299e502c05a036ee161ca1c45
Instruction ID: 5b2f9efd8832877a9c4a5a50262b34c494005dab53a3a04f500963700d36c385
Opcode Fuzzy Hash: 4f8f95bc5e7c876d0a1a0b2598f8063104ee7b1299e502c05a036ee161ca1c45
Instruction Fuzzy Hash: 84024BB1E002199FDF14CFA9C8806ADB7F1FF88324F65826AD919E7380D735A941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00203A5F, Relevance: 3.1, APIs: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00203BF1: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00203A8E,?), ref: 00203C62

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00203AB2
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00203AC3

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AllocateCheckCloseInitializeMembershipToken
String ID:
API String ID: 2114926846-0
Opcode ID: fcaf7090efcfec1144d0c43425defbed94561df1f124507f5b869e65d0c41025
Instruction ID: 8c75e2fa3833204b1286bc2b2783b6fcb0c67c8a3f7b930be949fe6e86df307d
Opcode Fuzzy Hash: fcaf7090efcfec1144d0c43425defbed94561df1f124507f5b869e65d0c41025
Instruction Fuzzy Hash: 6A113971A1031AAFDB10DFA4DC89BAFB7FDFF08300F50482AA541A6182E7709A50CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00204440, Relevance: 3.0, APIs: 2, Instructions: 44fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(001E923A,?,00000100,00000000,00000000), ref: 0020447B
FindClose.KERNEL32(00000000), ref: 00204487

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 22869b1def812f609ee1c1b312fc5f2bc7b6a958d8df6704e2fbbe7ed3f678be
Instruction ID: 9055a9b13c2b0285dd0a410ed275412f492c17dd57f23345883243d67f3a940f
Opcode Fuzzy Hash: 22869b1def812f609ee1c1b312fc5f2bc7b6a958d8df6704e2fbbe7ed3f678be
Instruction Fuzzy Hash: 2801F971A0030D6BCB20EFA5ED8DEABB3ACEBC5315F004065F918C3281D7345D598B54

Uniqueness

Uniqueness Score: -1.00%

Function 001F2C18, Relevance: 2.7, Strings: 2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Strings

comres.dll, xrefs: 001F2DBF, 001F2DD8, 001F2E00, 001F2E2B
0, xrefs: 001F2D88

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID:
String ID: 0$comres.dll
API String ID: 0-3030269839
Opcode ID: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction ID: 68f13977725ea5e692fd4d0d55335583a16cea5cc834ff19fbf515b50c731de9
Opcode Fuzzy Hash: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction Fuzzy Hash: 39519CB0200B4C57DF3C89A885A67FF2B959B66340F280919EB47DB282C739EE418356

Uniqueness

Uniqueness Score: -1.00%

Function 001FEE7C, Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001FEE77,?,?,00000008,?,?,001FEB17,00000000), ref: 001FF0A9

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 41caeb3ee2bbeafb080eadfc0496b6469dd27cdd40a7b55d5112d7fd574bb619
Instruction ID: b8745a166fb50e2136dd3bd251a50c57ae4d7a23ca4d594e2a7fdac46163e2ae
Opcode Fuzzy Hash: 41caeb3ee2bbeafb080eadfc0496b6469dd27cdd40a7b55d5112d7fd574bb619
Instruction Fuzzy Hash: 23B17E31610609DFD719CF28C48AB657BE0FF45364F29866CE999CF2A2C775D982CB40

Uniqueness

Uniqueness Score: -1.00%

Function 001EEC07, Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 001EEC20

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 462ec188189add3dfe8e12a3de078dbe124822cd54a3d1f562ccc75a227f8f00
Instruction ID: e64edb3b41b095011832b32c4cc66a5effe3ce7e0a4b88ebaab7a665fc936f5f
Opcode Fuzzy Hash: 462ec188189add3dfe8e12a3de078dbe124822cd54a3d1f562ccc75a227f8f00
Instruction Fuzzy Hash: D6518D71D007459BDB28CF9AE8897AEBBF4FB48310F25806AD405EB260D3B19E12CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001EFB89, Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384595c23a0f35336fea54bcd2013c71750daa9307723bcdffbed72d9b483c95
Instruction ID: 8496379f06dfca8bb928f65035b912d8cc89bbb2f7d9830bd195246f98c7ad02
Opcode Fuzzy Hash: 384595c23a0f35336fea54bcd2013c71750daa9307723bcdffbed72d9b483c95
Instruction Fuzzy Hash: 2102D5331089E24BDB2D4A3A847007E7BE16A823B171F47ADDCB6CB1D6DF10E566D660

Uniqueness

Uniqueness Score: -1.00%

Function 001F0B6F, Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713254dbb735968c7063ac25a152bc56bcdf297f8f834348282298adb5de4d15
Instruction ID: 8cc6e5070dc87272a273f4f46ac23c42bef0f5ba124f37362c2bdc70fe0c3171
Opcode Fuzzy Hash: 713254dbb735968c7063ac25a152bc56bcdf297f8f834348282298adb5de4d15
Instruction Fuzzy Hash: 95C170372091A60BEF6E8239843407EBBE15A963B131E179DD5F2CB1D7EF209935D620

Uniqueness

Uniqueness Score: -1.00%

Function 001F07AA, Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c7a540a95456d95b2f03679edd2d49eac6f1621006280bdad19664e1d0b21d
Instruction ID: 81f85c26599b51be6e1e6ab76249080fcd69a2d65f264badc199a5fb4c3bf414
Opcode Fuzzy Hash: f3c7a540a95456d95b2f03679edd2d49eac6f1621006280bdad19664e1d0b21d
Instruction Fuzzy Hash: 23C1AD372091A64AEF2E8239843407EBBE16E863B131F179DD5F6CB1C7EF209564D620

Uniqueness

Uniqueness Score: -1.00%

Function 001F03D5, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c190a499e79552c1a64f39d84a7142e521bf6eb77b491d3645054bb47bb5be
Instruction ID: ef89a92acf5d15eb07763cf25a4a4a932518347d93326d9a87288e0a9767099e
Opcode Fuzzy Hash: 43c190a499e79552c1a64f39d84a7142e521bf6eb77b491d3645054bb47bb5be
Instruction Fuzzy Hash: 67C191322051A64BEF2E8639887407EBBE15A963B131B179DD5F2CB0D7EF20D535DA20

Uniqueness

Uniqueness Score: -1.00%

Function 001F001D, Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d2de95a5a3d7d395022a3d348c00081b72a5afa3478eed40d51441493dea68
Instruction ID: 0af7669449240c87ce933b247cef08675c0bc873585fa62f3ce43b1da2c15d39
Opcode Fuzzy Hash: c3d2de95a5a3d7d395022a3d348c00081b72a5afa3478eed40d51441493dea68
Instruction Fuzzy Hash: 79B18E322091A64BEF2E4339883447EFBE16A963B131F179DD5B2CB1C6EF20D565D620

Uniqueness

Uniqueness Score: -1.00%

Function 001F2E47, Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f5985ad5bef8fea7b91658617f8112b70f0185775be5686faf7b3c1dc8174c
Instruction ID: 7b02560eaae13d4ee8227e73d6b91888d3440c81dc39aed08027c138dc3a7e83
Opcode Fuzzy Hash: 33f5985ad5bef8fea7b91658617f8112b70f0185775be5686faf7b3c1dc8174c
Instruction Fuzzy Hash: 3C61687171070D66DB389A288895BBE73A5EF51700F64091AFB83DF282D735DE81C725

Uniqueness

Uniqueness Score: -1.00%

Function 001CFF99, Relevance: 84.5, APIs: 1, Strings: 47, Instructions: 484registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000), ref: 001D0592

Strings

BundleTag, xrefs: 001D017B, 001D0180
"%ls" %ls, xrefs: 001D0484
NoModify, xrefs: 001D038B, 001D039E
"%ls" /uninstall /quiet, xrefs: 001D0448
DisplayIcon, xrefs: 001D01BB, 001D01C5
%hs, xrefs: 001D0198
Comments, xrefs: 001D033A, 001D034D
/modify, xrefs: 001D0474
HelpLink, xrefs: 001D025A, 001D026D
BundleAddonCode, xrefs: 001D0075, 001D007D
ParentDisplayName, xrefs: 001D02F2, 001D0305
Failed to write %ls value., xrefs: 001D0531
Failed to write update registration., xrefs: 001D04E5
VersionMajor, xrefs: 001D010F, 001D0115
EstimatedSize, xrefs: 001D051C, 001D0521, 001D0530
BundlePatchCode, xrefs: 001D00B1, 001D00B9
%hu.%hu.%hu.%hu, xrefs: 001D00F0
3.11.1.2318, xrefs: 001D0193
"%ls" /modify, xrefs: 001D03B0
BundleDetectCode, xrefs: 001D0093, 001D009B
QuietUninstallString, xrefs: 001D044D, 001D0463
/uninstall, xrefs: 001D047B, 001D0480
UninstallString, xrefs: 001D0489, 001D049F
Failed to update name and publisher., xrefs: 001D01EE
BundleVersion, xrefs: 001D00CF, 001D00F5
VersionMinor, xrefs: 001D0138, 001D013E
Publisher, xrefs: 001D0234, 001D0247
NoElevateOnModify, xrefs: 001D03D7, 001D03EA
Failed to register the bundle dependency key., xrefs: 001D0553
Failed to update resume mode., xrefs: 001D056D
BundleCachePath, xrefs: 001D003C, 001D0041
ParentKeyName, xrefs: 001D0312, 001D0325
SystemComponent, xrefs: 001D0428, 001D043B
BundleUpgradeCode, xrefs: 001D0057, 001D005F
URLUpdateInfo, xrefs: 001D02CC, 001D02DF
Failed to cache bundle from path: %ls, xrefs: 001CFFEF
BundleProviderKey, xrefs: 001D015A, 001D015F
%s,0, xrefs: 001D01C0
URLInfoAbout, xrefs: 001D02A6, 001D02B9
Contact, xrefs: 001D0362, 001D0375
ModifyPath, xrefs: 001D03B5, 001D03CB
HelpTelephone, xrefs: 001D0280, 001D0293
NoRemove, xrefs: 001D0403, 001D0416
Failed to write software tags., xrefs: 001D04C5
EngineVersion, xrefs: 001D019D, 001D01A2
Failed to create registration key., xrefs: 001D001C
DisplayVersion, xrefs: 001D0201, 001D0214

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Close
String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.11.1.2318$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update name and publisher.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor
API String ID: 3535843008-2755343042
Opcode ID: a522aaf1dc4bcadbbb0ecdc5a4275c19d9adc82ef7074c28aca13538be71f4d5
Instruction ID: 9d18d8dff038ce0267167f99cb1098f6db89c1f804c26e9b0cb19345b2b95398
Opcode Fuzzy Hash: a522aaf1dc4bcadbbb0ecdc5a4275c19d9adc82ef7074c28aca13538be71f4d5
Instruction Fuzzy Hash: EAF1C331A51725BBDF235664DD42FEE76A5AB28710F050152FD00B63A2DBB1EDB0EAC0

Uniqueness

Uniqueness Score: -1.00%

Function 001CCDBD, Relevance: 73.9, APIs: 3, Strings: 39, Instructions: 366COMMON

Download Yara Rule

APIs

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,001C545D,00000000,0020CA9C,001C5445,00000000), ref: 001CCEF3

Strings

Failed to get @CertificateRootThumbprint., xrefs: 001CD1C7
Failed to to find container: %ls, xrefs: 001CD186
FileSize, xrefs: 001CD002
Failed to parse @FileSize., xrefs: 001CD1A1
Hash, xrefs: 001CD0B7
Failed to select payload nodes., xrefs: 001CCDEB
SourcePath, xrefs: 001CCFB0
Failed to hex decode the Payload/@Hash., xrefs: 001CD1DC
Failed to find catalog., xrefs: 001CD1CE
external, xrefs: 001CCF21
Failed to get @SourcePath., xrefs: 001CD1F1
Failed to get @Catalog., xrefs: 001CD1D5
embedded, xrefs: 001CCF05
Failed to get @Packaging., xrefs: 001CD213
Failed to get @Container., xrefs: 001CD18D
FilePath, xrefs: 001CCEAB
Failed to allocate memory for payload structs., xrefs: 001CCE49
Payload, xrefs: 001CCDD8
download, xrefs: 001CCEE5
CertificateRootThumbprint, xrefs: 001CD07A
Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 001CD1B2
Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 001CD1B9
Catalog, xrefs: 001CD0EC
Failed to get @Id., xrefs: 001CD221
Failed to get @Hash., xrefs: 001CD1E3
Failed to get @LayoutOnly., xrefs: 001CD197
Failed to hex decode @CertificateRootThumbprint., xrefs: 001CD1C0
Failed to get payload node count., xrefs: 001CCE10
Failed to get @DownloadUrl., xrefs: 001CD1EA
Failed to get @FileSize., xrefs: 001CD1AB
Invalid value for @Packaging: %ls, xrefs: 001CD200
LayoutOnly, xrefs: 001CCF8D
Failed to get @FilePath., xrefs: 001CD21A
payload.cpp, xrefs: 001CCE3F
CertificateRootPublicKeyIdentifier, xrefs: 001CD03D
Failed to get next node., xrefs: 001CD228
Packaging, xrefs: 001CCEC6
DownloadUrl, xrefs: 001CCFD9
Container, xrefs: 001CCF4B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Heap$AllocateCompareProcessString
String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$download$embedded$external$payload.cpp
API String ID: 1171520630-3127305756
Opcode ID: 9d8df71c5bcf44597d5501c8c2be77dbb93a3bdd050bfbdb2ebc36b1b237dbbd
Instruction ID: 3b6f899ace1f8892ada33f109f03dbac62df2c91fe5845c835b6875ecac68ed8
Opcode Fuzzy Hash: 9d8df71c5bcf44597d5501c8c2be77dbb93a3bdd050bfbdb2ebc36b1b237dbbd
Instruction Fuzzy Hash: 9BC11572D90329BFCB21DA90DD42FADB664AB15B20F250279F901B75D2C770EE208BD0

Uniqueness

Uniqueness Score: -1.00%

Function 001C8476, Relevance: 59.8, APIs: 5, Strings: 29, Instructions: 331COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(001C5445,?,00000000,80070490,?,?,?,?,?,?,?,?,001EC1BF,?,001C5445,?), ref: 001C84A7
LeaveCriticalSection.KERNEL32(001C5445,?,?,?,?,?,?,?,?,001EC1BF,?,001C5445,?,001C5445,001C5445,Chain), ref: 001C8804

Strings

Failed to set variant value., xrefs: 001C878F
Invalid value for @Type: %ls, xrefs: 001C8778
Failed to get variable node count., xrefs: 001C84E1
numeric, xrefs: 001C85BC
Failed to change variant type., xrefs: 001C87DA
Variable, xrefs: 001C84B1
Failed to get @Hidden., xrefs: 001C87E8
Persisted, xrefs: 001C854A
Failed to get @Persisted., xrefs: 001C87E1
Failed to get @Id., xrefs: 001C87EF
Failed to set value of variable: %ls, xrefs: 001C87A7
Failed to get @Type., xrefs: 001C8788
string, xrefs: 001C85F7
Failed to insert variable '%ls'., xrefs: 001C86C6
Failed to get @Value., xrefs: 001C8796
Type, xrefs: 001C85A3
Hidden, xrefs: 001C852F
Initializing hidden variable '%ls', xrefs: 001C8671
Initializing numeric variable '%ls' to value '%ls', xrefs: 001C85E2
Attempt to set built-in variable value: %ls, xrefs: 001C87C8
Value, xrefs: 001C8565
Failed to find variable value '%ls'., xrefs: 001C87D2
variable.cpp, xrefs: 001C87B9
Initializing string variable '%ls' to value '%ls', xrefs: 001C861A
Failed to select variable nodes., xrefs: 001C84C4
Failed to get next node., xrefs: 001C87F6
version, xrefs: 001C862C
Initializing version variable '%ls' to value '%ls', xrefs: 001C8653
Failed to set variant encryption, xrefs: 001C879D

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
API String ID: 3168844106-1614826165
Opcode ID: d2e8170f59aa9ec275696535e70e607b3a5be1ba28b8a6b73d9a815299d38d97
Instruction ID: 04b40e63e7fffe01048e9cc9a83ddcd82ef32c575f12333b420d5fd9fc8a13b1
Opcode Fuzzy Hash: d2e8170f59aa9ec275696535e70e607b3a5be1ba28b8a6b73d9a815299d38d97
Instruction Fuzzy Hash: 85B1AE72D00329BBCB16DB94CC86FAEBB74AF25710F210259F914B62D2DB71DA50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001E6CCC, Relevance: 58.1, APIs: 7, Strings: 26, Instructions: 379COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,001DBDDC,00000007,?,?,?), ref: 001E6D20

Part of subcall function 00200ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,001C5EB2,00000000), ref: 00200AE0
Part of subcall function 00200ACC: GetProcAddress.KERNEL32(00000000), ref: 00200AE7
Part of subcall function 00200ACC: GetLastError.KERNEL32(?,?,?,001C5EB2,00000000), ref: 00200AFE

CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 001E710F
CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 001E7123

Strings

Failed to CreateProcess on path: %ls, xrefs: 001E6F9A
"%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 001E6E75
2, xrefs: 001E6FB3
msuengine.cpp, xrefs: 001E6F8D, 001E7022, 001E704A
Failed to determine WOW64 status., xrefs: 001E6D32
Failed to wait for executable to complete: %ls, xrefs: 001E709E
Failed to get action arguments for MSU package., xrefs: 001E6DD6
Failed to find System32 directory., xrefs: 001E6D95
"%ls" "%ls" /quiet /norestart, xrefs: 001E6E48
WixBundleExecutePackageCacheFolder, xrefs: 001E6E0B, 001E713B
SysNative\, xrefs: 001E6D6A
wusa.exe, xrefs: 001E6DA0
D, xrefs: 001E6F3B
Failed to append SysNative directory., xrefs: 001E6D7D
Bootstrapper application aborted during MSU progress., xrefs: 001E7054
Failed to format MSU uninstall command., xrefs: 001E6E89
Failed to append log path to MSU command-line., xrefs: 001E6ED4
Failed to find Windows directory., xrefs: 001E6D5F
Failed to allocate WUSA.exe path., xrefs: 001E6DB3
Failed to build MSU path., xrefs: 001E6E35
Failed to ensure WU service was enabled to install MSU package., xrefs: 001E6F2E
/log:, xrefs: 001E6EA2
Failed to append log switch to MSU command-line., xrefs: 001E6EB6
Failed to get process exit code., xrefs: 001E702C
Failed to get cached path for package: %ls, xrefs: 001E6DFC
Failed to format MSU install command., xrefs: 001E6E5C

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$WixBundleExecutePackageCacheFolder$msuengine.cpp$wusa.exe
API String ID: 1400713077-4261965642
Opcode ID: ea01f9761758a3a055b2c033a9eb35eca5060d16220ee7df4938b3b062f91f7e
Instruction ID: d40359e275cd85d12903080c9348c271752a26336a35b0854bc822d37c9d2bc4
Opcode Fuzzy Hash: ea01f9761758a3a055b2c033a9eb35eca5060d16220ee7df4938b3b062f91f7e
Instruction Fuzzy Hash: FED1A170A40B5AFBEB119FE6CC85FEEBAB8BF29740F500025F600A2191D7B59954DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001ED43E, Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 290synchronizationprocessCOMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 001ED4B3
StringFromGUID2.OLE32(?,?,00000027), ref: 001ED4DC
CreateProcessW.KERNEL32 ref: 001ED5C5
GetLastError.KERNEL32(?,?,?,?), ref: 001ED5CF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 001ED668
WaitForSingleObject.KERNEL32(0020B500,000000FF,?,?,?,?), ref: 001ED673
ReleaseMutex.KERNEL32(0020B500,?,?,?,?), ref: 001ED69D
GetExitCodeProcess.KERNEL32 ref: 001ED6BE
GetLastError.KERNEL32(?,?,?,?), ref: 001ED6CC
GetLastError.KERNEL32(?,?,?,?), ref: 001ED704

Part of subcall function 001ED33E: WaitForSingleObject.KERNEL32(?,000000FF,74B5F730,00000000,?,?,?,?,001ED642,?), ref: 001ED357
Part of subcall function 001ED33E: ReleaseMutex.KERNEL32(?,?,?,?,001ED642,?), ref: 001ED375
Part of subcall function 001ED33E: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001ED3B6
Part of subcall function 001ED33E: ReleaseMutex.KERNEL32(?), ref: 001ED3CD
Part of subcall function 001ED33E: SetEvent.KERNEL32(?), ref: 001ED3D6

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 001ED7B9
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 001ED7D1

Strings

Failed to CreateProcess on path: %ls, xrefs: 001ED5FE
NetFxChainer.cpp, xrefs: 001ED4F1, 001ED5F3, 001ED6F0, 001ED728
Failed to create netfx chainer guid., xrefs: 001ED4C0
NetFxSection.%ls, xrefs: 001ED509
NetFxEvent.%ls, xrefs: 001ED52B
Failed to allocate event name., xrefs: 001ED53F
Failed to wait for netfx chainer process to complete, xrefs: 001ED732
Failed to create netfx chainer., xrefs: 001ED55E
Failed to get netfx return code., xrefs: 001ED6FA
%ls /pipe %ls, xrefs: 001ED57F
Failed to process netfx chainer message., xrefs: 001ED648
D, xrefs: 001ED5AA
Failed to convert netfx chainer guid into string., xrefs: 001ED4FB
Failed to allocate netfx chainer arguments., xrefs: 001ED593
Failed to allocate section name., xrefs: 001ED51D

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Wait$ErrorLastMutexObjectReleaseSingle$CloseCreateHandleProcess$CodeEventExitFromMultipleObjectsStringUuid
String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
API String ID: 1533322865-1825855094
Opcode ID: 2a24c8c1277a5d393801064a66c75e02ebaf647806d07579e30518b443a336cb
Instruction ID: 84c6a6b363eb8dc9532e028826f02abc083a34d62cea24a63ac66faa96eed46d
Opcode Fuzzy Hash: 2a24c8c1277a5d393801064a66c75e02ebaf647806d07579e30518b443a336cb
Instruction Fuzzy Hash: 84A1B072D00768AFDB219BA5EC85BAEB7B8AF18310F114169FD08F7252D7349D408F91

Uniqueness

Uniqueness Score: -1.00%

Function 0020744A, Relevance: 45.8, APIs: 13, Strings: 13, Instructions: 340COMMON

Download Yara Rule

APIs

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 0020755D
SysFreeString.OLEAUT32(00000000), ref: 00207726
SysFreeString.OLEAUT32(00000000), ref: 002077C3

Strings

subtitle, xrefs: 002075CC
author, xrefs: 0020749B, 0020762C
icon, xrefs: 00207574
@, xrefs: 002076CC
updated, xrefs: 00207604
generator, xrefs: 00207550
logo, xrefs: 002075B0
entry, xrefs: 002074D5, 0020769E
title, xrefs: 002075E8
link, xrefs: 002074F2, 002076D4
category, xrefs: 002074B8, 00207665
(, xrefs: 00207701
atomutil.cpp, xrefs: 00207477, 002077AD

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: String$FreeHeap$AllocateCompareProcess
String ID: ($@$atomutil.cpp$author$category$entry$generator$icon$link$logo$subtitle$title$updated
API String ID: 1555028553-2592408802
Opcode ID: 7c8d48b7f498bccc697b5161faec014edd837395d2ed5e21e7b25469df6f5296
Instruction ID: 9bd138e8c9f4b7e7c5bb5c770d31e5534db74def8969d58843e2a798154dda0e
Opcode Fuzzy Hash: 7c8d48b7f498bccc697b5161faec014edd837395d2ed5e21e7b25469df6f5296
Instruction Fuzzy Hash: 75B16F31D68326BBDB119BA4CC45FAEB674AB05760F200355F621B61E2D771FE20CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0020710D, Relevance: 45.8, APIs: 11, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,00223E78,000000FF,?,?,?), ref: 002071D4
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 002071F9
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 00207219
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 00207235
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 0020725D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 00207279
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 002072B2
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 002072EB

Part of subcall function 00206D50: SysFreeString.OLEAUT32(00000000), ref: 00206E89
Part of subcall function 00206D50: SysFreeString.OLEAUT32(00000000), ref: 00206EC8

SysFreeString.OLEAUT32(00000000), ref: 0020736F
SysFreeString.OLEAUT32(00000000), ref: 0020741F

Strings

published, xrefs: 00207227
feclient.dll, xrefs: 00207206
author, xrefs: 00207138, 0020726B
updated, xrefs: 0020724F
clbcatq.dll, xrefs: 00207242
cabinet.dll, xrefs: 00207150
(, xrefs: 0020734A
title, xrefs: 0020720B
content, xrefs: 002072DD
msi.dll, xrefs: 00207137
summary, xrefs: 002071EB
version.dll, xrefs: 00207133
link, xrefs: 00207172, 0020731D
category, xrefs: 00207155, 002072A4
atomutil.cpp, xrefs: 0020740C

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: String$Compare$Free
String ID: ($atomutil.cpp$author$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
API String ID: 318886736-4294603148
Opcode ID: 2b182712a66dcf0f8979d46bb700f2ab76088005b1f2e2e9202470a8893f202d
Instruction ID: d158f328d88a2d809a305ae9d1923b501e21ec34ee58d0567d874ff07570ea97
Opcode Fuzzy Hash: 2b182712a66dcf0f8979d46bb700f2ab76088005b1f2e2e9202470a8893f202d
Instruction Fuzzy Hash: 37A16131D68326FBDB219B94CC45FADBA74AB05720F204395F921B61D2D770FA60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001D54DC, Relevance: 45.7, APIs: 17, Strings: 9, Instructions: 229filepipesleepCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,0020B500,?,00000000,?,001C452F,?,0020B500), ref: 001D54FD
GetCurrentProcessId.KERNEL32(?,001C452F,?,0020B500), ref: 001D5508
SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,001C452F,?,0020B500), ref: 001D553F
ConnectNamedPipe.KERNEL32(?,00000000,?,001C452F,?,0020B500), ref: 001D5554
GetLastError.KERNEL32(?,001C452F,?,0020B500), ref: 001D555E
Sleep.KERNEL32(00000064,?,001C452F,?,0020B500), ref: 001D5593
SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,001C452F,?,0020B500), ref: 001D55B6
WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,001C452F,?,0020B500), ref: 001D55D1
WriteFile.KERNEL32(?,001C452F,0020B500,00000000,00000000,?,001C452F,?,0020B500), ref: 001D55EC
WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,001C452F,?,0020B500), ref: 001D5607
ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,?,001C452F,?,0020B500), ref: 001D5622
GetLastError.KERNEL32(?,001C452F,?,0020B500), ref: 001D567D
GetLastError.KERNEL32(?,001C452F,?,0020B500), ref: 001D56B1
GetLastError.KERNEL32(?,001C452F,?,0020B500), ref: 001D56E5
GetLastError.KERNEL32(?,001C452F,?,0020B500), ref: 001D5719
GetLastError.KERNEL32(?,001C452F,?,0020B500), ref: 001D574A
GetLastError.KERNEL32(?,001C452F,?,0020B500), ref: 001D577B

Strings

Failed to write secret to pipe., xrefs: 001D570F
Failed to write secret length to pipe., xrefs: 001D5743
crypt32.dll, xrefs: 001D55CF
Failed to write our process id to pipe., xrefs: 001D56DB
Failed to wait for child to connect to pipe., xrefs: 001D5673
Failed to reset pipe to blocking., xrefs: 001D5774
Failed to set pipe to non-blocking., xrefs: 001D57A5
pipe.cpp, xrefs: 001D5669, 001D569D, 001D56D1, 001D5705, 001D5739, 001D576A, 001D579B
Failed to read ACK from pipe., xrefs: 001D56A7

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$crypt32.dll$pipe.cpp
API String ID: 2944378912-2047837012
Opcode ID: 610110128064ac7ee6dba2989ad57e6cefcfde608f9194ab367ed2c7f4339bc8
Instruction ID: 3754bb64414c60d66305bd0947b2c39bbdf4fe9e5ea4805b74e2d6d1dffd5d34
Opcode Fuzzy Hash: 610110128064ac7ee6dba2989ad57e6cefcfde608f9194ab367ed2c7f4339bc8
Instruction Fuzzy Hash: 77711977D90735BBDB209BA48C49FEEB6A9AF10B10F624126BD04FB281D774DD4086E0

Uniqueness

Uniqueness Score: -1.00%

Function 001CA416, Relevance: 44.0, APIs: 8, Strings: 17, Instructions: 299registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 001CA45A
_MREFOpen@16.MSPDB140-MSVCRT ref: 001CA480
RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 001CA768

Strings

Failed to format key string., xrefs: 001CA465
Failed to query registry key value., xrefs: 001CA5DA
Failed to allocate memory registry value., xrefs: 001CA587
Failed to change value type., xrefs: 001CA70F
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 001CA740
Registry key not found. Key = '%ls', xrefs: 001CA4B4
search.cpp, xrefs: 001CA54A, 001CA57D, 001CA5D0, 001CA6D3
Failed to format value string., xrefs: 001CA48B
Failed to query registry key value size., xrefs: 001CA554
Failed to allocate string buffer., xrefs: 001CA667
Failed to open registry key., xrefs: 001CA4ED
Unsupported registry key value type. Type = '%u', xrefs: 001CA608
Failed to read registry value., xrefs: 001CA6F6
Failed to set variable., xrefs: 001CA72B
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 001CA51C
Failed to clear variable., xrefs: 001CA4D8
Failed to get expand environment string., xrefs: 001CA6DD

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Open@16$Close
String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
API String ID: 2348241696-3124384294
Opcode ID: ee9edf337688b82aefba0572d4574cea9fa394518d98f375317f8c9413c666b9
Instruction ID: 42ecb7f15d2756c2f653e92a8977508e3b95260a5ca28542b41c1f4e46ab7072
Opcode Fuzzy Hash: ee9edf337688b82aefba0572d4574cea9fa394518d98f375317f8c9413c666b9
Instruction Fuzzy Hash: 1AA10472D0032DBBCF239AA4CC49FAEBA78BF28714F568119F900B6191D771D9509A92

Uniqueness

Uniqueness Score: -1.00%

Function 001C5770, Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 479stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000000,00000000,?,001CA8B4,00000100,000002C0,000002C0,00000100), ref: 001C5795
lstrlenW.KERNEL32(000002C0,?,001CA8B4,00000100,000002C0,000002C0,00000100), ref: 001C579F
_wcschr.LIBVCRUNTIME ref: 001C59A7
LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,001CA8B4,00000100,000002C0,000002C0,00000100), ref: 001C5C4A

Strings

Failed to format placeholder string., xrefs: 001C5A57
Failed to append placeholder., xrefs: 001C5A4D
Failed to allocate string., xrefs: 001C5BC1
Failed to determine variable visibility: '%ls'., xrefs: 001C5A3A
Failed to append string., xrefs: 001C581B
Failed to get variable name., xrefs: 001C5A8C
Failed to allocate buffer for format string., xrefs: 001C57BD
variable.cpp, xrefs: 001C59FE, 001C5A1F, 001C5A78, 001C5ACA, 001C5B56, 001C5B88, 001C5C04
Failed to allocate record., xrefs: 001C5A0B
Failed to get formatted length., xrefs: 001C5B92
Failed to set variable value., xrefs: 001C5A61
*****, xrefs: 001C5913
Failed to allocate variable array., xrefs: 001C5A85
Failed to set record string., xrefs: 001C5B60
Failed to reallocate variable array., xrefs: 001C5A2C
[%d], xrefs: 001C5962
Failed to set record format string., xrefs: 001C5AD4
Failed to format record., xrefs: 001C5C0E
Failed to copy string., xrefs: 001C5C2E

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
API String ID: 1026845265-2050445661
Opcode ID: 73a7e54d6dc0b23af4690d83887cac04a28f24447f583e44c7ab600aeb91b644
Instruction ID: a0ab44e666b9afee7c180b469740bafcae8306481e40a924fb25faf1b5a833fe
Opcode Fuzzy Hash: 73a7e54d6dc0b23af4690d83887cac04a28f24447f583e44c7ab600aeb91b644
Instruction Fuzzy Hash: 00F1A571901715EFDB109FA58881FAF7BAAEB24B50F15812DFD04AB281D774EE418FA0

Uniqueness

Uniqueness Score: -1.00%

Function 001ECE81, Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 240synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,001ED558,?,?,?), ref: 001ECEC7
GetLastError.KERNEL32(?,?,001ED558,?,?,?), ref: 001ECED4
ReleaseMutex.KERNEL32(?), ref: 001ED13C

Strings

failed to allocate memory for mutex name, xrefs: 001ECF89
NetFxChainer.cpp, xrefs: 001ECEA3, 001ECEF5, 001ECF5A, 001ECFC9, 001ED01B, 001ED063
failed to allocate memory for event name, xrefs: 001ECF1A
%ls_mutex, xrefs: 001ECF75
Failed to create mutex: %ls, xrefs: 001ECFD6
%ls_send, xrefs: 001ECF06
Failed to create event: %ls, xrefs: 001ECF67
Failed to MapViewOfFile for %ls., xrefs: 001ED070
Failed to allocate memory for NetFxChainer struct., xrefs: 001ECEAD
failed to copy event name to shared memory structure., xrefs: 001ED09A
Failed to memory map cabinet file: %ls, xrefs: 001ED028

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
API String ID: 3944734951-2991465304
Opcode ID: d760cf57b2a720ebd4a2462ca705057498ff64d92e162ad1b004ce7efd740655
Instruction ID: d545553f8c49f3f738038fb290a8bea9b4961887ff3670bf5a065f8da090fa0c
Opcode Fuzzy Hash: d760cf57b2a720ebd4a2462ca705057498ff64d92e162ad1b004ce7efd740655
Instruction Fuzzy Hash: 7B812676A41B72BBC7219BA6AC4DF9EBAA4BF15720F164114FD14AB342D730DD10CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 001CEA42, Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 231COMMON

Download Yara Rule

APIs

Part of subcall function 002032F3: VariantInit.OLEAUT32(?), ref: 00203309
Part of subcall function 002032F3: SysAllocString.OLEAUT32(?), ref: 00203325
Part of subcall function 002032F3: VariantClear.OLEAUT32(?), ref: 002033AC
Part of subcall function 002032F3: SysFreeString.OLEAUT32(00000000), ref: 002033B7

CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,0020CA9C,?,?,Action,?,?,?,00000000,001C5445), ref: 001CEB13
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 001CEB5D

Strings

Failed to get @Action., xrefs: 001CEC69
Failed to get RelatedBundle element count., xrefs: 001CEA97
Failed to resize Detect code array in registration, xrefs: 001CEC2E
Detect, xrefs: 001CEB04
RelatedBundle, xrefs: 001CEA50
Failed to resize Addon code array in registration, xrefs: 001CEC3C
Action, xrefs: 001CEAD0
Failed to get RelatedBundle nodes, xrefs: 001CEA72
Patch, xrefs: 001CEBDD
cabinet.dll, xrefs: 001CEBBA
Failed to resize Patch code array in registration, xrefs: 001CEC43
comres.dll, xrefs: 001CEB26
Failed to resize Upgrade code array in registration, xrefs: 001CEC35
Addon, xrefs: 001CEB9A
Upgrade, xrefs: 001CEB50
Invalid value for @Action: %ls, xrefs: 001CEC52
version.dll, xrefs: 001CEB70
Failed to get next RelatedBundle element., xrefs: 001CEC70
Failed to get @Id., xrefs: 001CEC62

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: String$CompareVariant$AllocClearFreeInit
String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
API String ID: 702752599-259800149
Opcode ID: e6fd86a133198fc20c02b98d5fc4165f4eb29220f4bd9bc0c3a9bceb87b0e629
Instruction ID: 251b287cc4aa20e2f49c314c46d032e9fbcd87fafe920a842bb86321a5498dc4
Opcode Fuzzy Hash: e6fd86a133198fc20c02b98d5fc4165f4eb29220f4bd9bc0c3a9bceb87b0e629
Instruction Fuzzy Hash: B4719D31A44616BFCB14DB94C985FAAB7F4FB25720F204258E921A76C1D770EE61CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001D46DC, Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 185fileCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,001D4BF5,0020B4E8,?,feclient.dll,00000000,?,?), ref: 001D46F3
ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,001D4BF5,0020B4E8,?,feclient.dll,00000000,?,?), ref: 001D4714
GetLastError.KERNEL32(?,001D4BF5,0020B4E8,?,feclient.dll,00000000,?,?), ref: 001D471A
ReadFile.KERNEL32(feclient.dll,00000000,0020B518,?,00000000,00000000,0020B519,?,001D4BF5,0020B4E8,?,feclient.dll,00000000,?,?), ref: 001D47A8
GetLastError.KERNEL32(?,001D4BF5,0020B4E8,?,feclient.dll,00000000,?,?), ref: 001D47AE

Strings

Failed to read verification process id from parent pipe., xrefs: 001D4861
Verification secret from parent does not match., xrefs: 001D4816
feclient.dll, xrefs: 001D46E2, 001D4712, 001D4713, 001D47A7, 001D482C, 001D4882
Failed to inform parent process that child is running., xrefs: 001D48BB
Verification process id from parent does not match., xrefs: 001D48FD
msasn1.dll, xrefs: 001D482B
Verification secret from parent is too big., xrefs: 001D4775
Failed to read size of verification secret from parent pipe., xrefs: 001D4748
pipe.cpp, xrefs: 001D473E, 001D4769, 001D47D2, 001D480A, 001D4857, 001D48B1, 001D48F1
Failed to read verification secret from parent pipe., xrefs: 001D47DC
Failed to allocate buffer for verification secret., xrefs: 001D4791

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLastRead$CurrentProcess
String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$feclient.dll$msasn1.dll$pipe.cpp
API String ID: 1233551569-452622383
Opcode ID: 137776a08abdd6f927c0f4b23fbd8ef11195a195680e81c0b54da95db5e195f2
Instruction ID: 997a11f2043361b9aebbcf77bcfa3d03f4947c7d91488040c7ea0ef03e3f30b9
Opcode Fuzzy Hash: 137776a08abdd6f927c0f4b23fbd8ef11195a195680e81c0b54da95db5e195f2
Instruction Fuzzy Hash: 6851FC36D40366B7DB219BD49C46FAF76A8AB12B50F110226FE14FB380D7709D4097E1

Uniqueness

Uniqueness Score: -1.00%

Function 001E27FC, Relevance: 36.9, APIs: 3, Strings: 18, Instructions: 145COMMON

Download Yara Rule

Strings

Protocol, xrefs: 001E28C3
none, xrefs: 001E2936
Failed to get @DetectCondition., xrefs: 001E2825
Failed to get @Repairable., xrefs: 001E28B5
Failed to parse command lines., xrefs: 001E2988
Failed to get @UninstallArguments., xrefs: 001E2869
Failed to get @InstallArguments., xrefs: 001E2847
Failed to get @Protocol., xrefs: 001E2974
Invalid protocol type: %ls, xrefs: 001E295C
Failed to parse exit codes., xrefs: 001E290C
UninstallArguments, xrefs: 001E2858
RepairArguments, xrefs: 001E287A
netfx4, xrefs: 001E2915
DetectCondition, xrefs: 001E2814
burn, xrefs: 001E28E0
InstallArguments, xrefs: 001E2836
Repairable, xrefs: 001E289C
Failed to get @RepairArguments., xrefs: 001E288B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
API String ID: 760788290-1911311241
Opcode ID: e9fe7c0d541503508997de4c9683bbf3c4f003255e7219c959dfbc985a7c2c77
Instruction ID: 8d22758c9f90479d198f8b69a3de8af9b299db72768376debae8ce269ba0ace0
Opcode Fuzzy Hash: e9fe7c0d541503508997de4c9683bbf3c4f003255e7219c959dfbc985a7c2c77
Instruction Fuzzy Hash: 4C412E71E94BB2BACB2595658C52FEEB19C5B26730F210321F924B72C3D7709D6086D1

Uniqueness

Uniqueness Score: -1.00%

Function 001C8F72, Relevance: 35.4, APIs: 8, Strings: 12, Instructions: 430COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,560020DB,00000001,?,001C9946,?,00000000,00000000,?,?,001C992E,?,?,00000000,?), ref: 001C8FB2

Strings

Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 001C9408
Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 001C9380
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 001C91DE
Failed to set symbol value., xrefs: 001C9060
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 001C93C4
-, xrefs: 001C9118
Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 001C9242
AND, xrefs: 001C92BC
NOT, xrefs: 001C92DB
Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 001C9162
condition.cpp, xrefs: 001C9084, 001C914E, 001C91CA, 001C922E, 001C936C, 001C93B0, 001C93F4
Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 001C9098

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: StringType
String ID: -$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
API String ID: 4177115715-3594736606
Opcode ID: 948bdc8de37ab893c2ff15b522391f7999568919aacf0b6eb7f77c227999791f
Instruction ID: 10b20a30c117ea4c9b7cf304afdfac5e5a780369f3c11f98cdff6e246e5a5e49
Opcode Fuzzy Hash: 948bdc8de37ab893c2ff15b522391f7999568919aacf0b6eb7f77c227999791f
Instruction Fuzzy Hash: 52F1D271600305FFDB29CF94C98DFAABBA8FB25700F10854EF9159A585C3B5DAA1CB80

Uniqueness

Uniqueness Score: -1.00%

Function 001E1BB1, Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 001E1CB8
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 001E1CD6

Strings

Failed to allocate memory for exit code structs., xrefs: 001E1C43
Failed to parse @Code value: %ls, xrefs: 001E1D91
error, xrefs: 001E1CC9
Failed to get @Code., xrefs: 001E1D98
scheduleReboot, xrefs: 001E1CE5
Invalid exit code type: %ls, xrefs: 001E1DA7
ExitCode, xrefs: 001E1BBF
Failed to get next node., xrefs: 001E1DBE
exeengine.cpp, xrefs: 001E1C39
forceReboot, xrefs: 001E1D03
Failed to select exit code nodes., xrefs: 001E1BDE
success, xrefs: 001E1CA9
Failed to get @Type., xrefs: 001E1DB7
Failed to get exit code node count., xrefs: 001E1C03
Code, xrefs: 001E1D25
Type, xrefs: 001E1C90

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$error$exeengine.cpp$forceReboot$scheduleReboot$success
API String ID: 2664528157-1714101571
Opcode ID: 24d4a9a82bd424ffacd50330ab2f99d5e38cb616f244483b1b1d2936619c93f0
Instruction ID: 4565fde125e1f4cf32bbbad54c850832197113a92e34ec30988d8db1a10dd901
Opcode Fuzzy Hash: 24d4a9a82bd424ffacd50330ab2f99d5e38cb616f244483b1b1d2936619c93f0
Instruction Fuzzy Hash: A261E230A4465ABBCB15DB96CC45EEEBBB9FF15720F204255F821AB2D1CB709E50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001D6BCA, Relevance: 31.9, APIs: 6, Strings: 12, Instructions: 351synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 001CD4A8: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,001D7040,000000B8,00000000,?,00000000,7743A770), ref: 001CD4B7
Part of subcall function 001CD4A8: InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 001CD4C6
Part of subcall function 001CD4A8: LeaveCriticalSection.KERNEL32(000000D0,?,001D7040,000000B8,00000000,?,00000000,7743A770), ref: 001CD4DB

CreateThread.KERNEL32 ref: 001D6E34
GetLastError.KERNEL32(?,?,?,?,?,?,?,001C4522,?,0020B500,?,001C4846,?,?), ref: 001D6E43
CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,001C4522,?,0020B500,?,001C4846,?,?), ref: 001D6EA0
ReleaseMutex.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000000), ref: 001D6F92
CloseHandle.KERNEL32(00000000), ref: 001D6F9B
CloseHandle.KERNEL32(crypt32.dll,?,00000000,?,00000000,00000001,00000000), ref: 001D6FB5

Part of subcall function 001EBD05: SetThreadExecutionState.KERNEL32 ref: 001EBD0A

Strings

Engine cannot start apply because it is busy with another action., xrefs: 001D6C28
core.cpp, xrefs: 001D6C8A, 001D6E67
UX aborted apply begin., xrefs: 001D6C94
Failed to register bundle., xrefs: 001D6DEE
crypt32.dll, xrefs: 001D6ECD, 001D6EE7, 001D6FB4
Failed while caching, aborting execution., xrefs: 001D6E98
Failed to cache engine to working directory., xrefs: 001D6D71
Another per-machine setup is already executing., xrefs: 001D6DC8
Failed to set initial apply variables., xrefs: 001D6D02
Failed to elevate., xrefs: 001D6D94
Failed to create cache thread., xrefs: 001D6E71
Another per-user setup is already executing., xrefs: 001D6CD8

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseHandle$CriticalSectionThread$CompareCreateEnterErrorExchangeExecutionInterlockedLastLeaveMutexReleaseState
String ID: Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$core.cpp$crypt32.dll
API String ID: 2169948125-4292671789
Opcode ID: a9aa96916496a9e778c57a32b804064886883fb5849a3a1540cb513db50505d7
Instruction ID: d0868875e1f3162a6925aa2bbc60244564aea22dce8373c7f8d8b652c8938d68
Opcode Fuzzy Hash: a9aa96916496a9e778c57a32b804064886883fb5849a3a1540cb513db50505d7
Instruction Fuzzy Hash: 0CC1B072900625EBDF159FA4D885BEE37A9EF14704F04417BFD09AE242DB749980CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00208134, Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 309COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,00000410), ref: 00208161
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 0020817C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 0020821F
CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,000002D8,0020B518,00000000), ref: 0020825E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 002082B1
CompareStringW.KERNEL32(0000007F,00000000,0020B518,000000FF,true,000000FF), ref: 002082CF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 00208307
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 0020844B

Strings

apuputil.cpp, xrefs: 0020836E
true, xrefs: 002082C1
type, xrefs: 002081A7
upgrade, xrefs: 00208211
version, xrefs: 00208250, 002082F9
exclusive, xrefs: 002082A3
application, xrefs: 0020816E
enclosure, xrefs: 00208439
http://appsyndication.org/2006/appsyn, xrefs: 00208154

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CompareString
String ID: application$apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
API String ID: 1825529933-3037633208
Opcode ID: bafd73569f43691acb5b84ca7c0b64b0d2234c54a8d1f749bb6cd65b89ccd5e7
Instruction ID: 9f171c871b2f44b0d5261e70d08ca9a909a877591b98e09fbe5d4df6ffcb06bf
Opcode Fuzzy Hash: bafd73569f43691acb5b84ca7c0b64b0d2234c54a8d1f749bb6cd65b89ccd5e7
Instruction Fuzzy Hash: 47B19E32624706AFDB219F54CC85F5B77A6BF44730F254658F9A9AB2D2DB70E860CB00

Uniqueness

Uniqueness Score: -1.00%

Function 002077F7, Relevance: 31.7, APIs: 8, Strings: 10, Instructions: 206COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 00207857
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 0020787C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 0020789C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 002078CF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 002078EB
SysFreeString.OLEAUT32(00000000), ref: 00207916
SysFreeString.OLEAUT32(00000000), ref: 0020798D
SysFreeString.OLEAUT32(00000000), ref: 002079D9

Strings

comres.dll, xrefs: 002078A6
type, xrefs: 002078DD
rel, xrefs: 0020784A
feclient.dll, xrefs: 00207889
title, xrefs: 002078C1
length, xrefs: 0020788E
msi.dll, xrefs: 00207975
version.dll, xrefs: 002078FA
href, xrefs: 0020786E
msasn1.dll, xrefs: 002079C7

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: String$Compare$Free
String ID: comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
API String ID: 318886736-3944986760
Opcode ID: 29f92941178597475e273ee5ab18dc95da04727570c487802b804f1b23f69510
Instruction ID: a1910feeb3a1774b46e55bf84e17ec57ef192fc779c0e989b13465d530fda8c0
Opcode Fuzzy Hash: 29f92941178597475e273ee5ab18dc95da04727570c487802b804f1b23f69510
Instruction Fuzzy Hash: 07613072D2831AFBDB11DB94CC45EADB7B9AF04720F2042A5E521A71D2D731AE20DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001DE3C8, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 146registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001DE2AF: LoadBitmapW.USER32(?,00000001), ref: 001DE2E5
Part of subcall function 001DE2AF: GetLastError.KERNEL32 ref: 001DE2F1

LoadCursorW.USER32(00000000,00007F00), ref: 001DE429
RegisterClassW.USER32 ref: 001DE43D
GetLastError.KERNEL32 ref: 001DE448
UnregisterClassW.USER32 ref: 001DE54D
DeleteObject.GDI32(00000000), ref: 001DE55C

Strings

Failed to register window., xrefs: 001DE476
WixBurnSplashScreen, xrefs: 001DE436, 001DE548
Failed to create window., xrefs: 001DE4DF
Unexpected return value from message pump., xrefs: 001DE537
Failed to load splash screen., xrefs: 001DE401
splashscreen.cpp, xrefs: 001DE46C, 001DE4D5

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
API String ID: 164797020-2188509422
Opcode ID: d8217892109cb85a59246864159b7ecf2740fd486458e0f6a026baf186da68f3
Instruction ID: d2557e273174ffbd1881d2560eec7896806f0d10e771a49a05f8c520732d04ce
Opcode Fuzzy Hash: d8217892109cb85a59246864159b7ecf2740fd486458e0f6a026baf186da68f3
Instruction Fuzzy Hash: 0A41A376900619BFEB21ABE4ED49EAEB7F9FF04751F110126FA01EA251E7309D10CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001E9DE1, Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 233threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,00000000,?,001EBC85,00000001), ref: 001E9E46
GetLastError.KERNEL32(?,001EBC85,00000001), ref: 001E9FB6
GetExitCodeThread.KERNEL32(00000001,00000000,?,001EBC85,00000001), ref: 001E9FF6
GetLastError.KERNEL32(?,001EBC85,00000001), ref: 001EA000

Strings

Failed to get cache thread exit code., xrefs: 001EA031
Failed to execute dependency action., xrefs: 001E9F36
Failed to execute MSI package., xrefs: 001E9EA6
Invalid execute action., xrefs: 001EA056
apply.cpp, xrefs: 001E9FDD, 001EA027
Failed to execute compatible package action., xrefs: 001E9F73
Failed to execute MSU package., xrefs: 001E9EFB
Cache thread exited unexpectedly., xrefs: 001EA047
Failed to execute MSP package., xrefs: 001E9ECB
Failed to load compatible package on per-machine package., xrefs: 001E9F5C
Failed to execute EXE package., xrefs: 001E9E7D
Failed to wait for cache check-point., xrefs: 001E9FE7
Failed to execute package provider registration action., xrefs: 001E9F17

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
API String ID: 3703294532-2662572847
Opcode ID: ffbd33419fec5918a9d39dd27b6e44b9ec9f5318d091c10ec1533c37c95c7981
Instruction ID: 2ac0886eec709f4b071ed4f3adc76a61987105d39c7935dccdcc66b982be6d18
Opcode Fuzzy Hash: ffbd33419fec5918a9d39dd27b6e44b9ec9f5318d091c10ec1533c37c95c7981
Instruction Fuzzy Hash: 3B716F71A016A9EFDB14CFA5C941EBEBBF8EF55B10F114169F905EB240D330AE409BA1

Uniqueness

Uniqueness Score: -1.00%

Function 001CF210, Relevance: 29.9, APIs: 3, Strings: 14, Instructions: 183registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00203AF1: GetVersionExW.KERNEL32(?,?,00000000,?), ref: 00203B3E

RegCloseKey.ADVAPI32(00000000,?,00210D10,00020006,00000000,?,00000000,00000000,00000000,?,00000000,00000001,00000000,00000000), ref: 001CF440

Part of subcall function 002014A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,001CF28D,00210D10,Resume,00000005,?,00000000,00000000,00000000), ref: 002014BB

Strings

Failed to write Resume value., xrefs: 001CF293
Resume, xrefs: 001CF282
burn.runonce, xrefs: 001CF2DA
Failed to write resume command line value., xrefs: 001CF35D
Failed to create run key., xrefs: 001CF31D
BundleResumeCommandLine, xrefs: 001CF348, 001CF3DB
Failed to write run key value., xrefs: 001CF33B
Failed to format resume command line for RunOnce., xrefs: 001CF2F9
registration.cpp, xrefs: 001CF3C4, 001CF412
Installed, xrefs: 001CF2A5
"%ls" /%ls, xrefs: 001CF2E5
Failed to delete resume command line value., xrefs: 001CF41C
Failed to write Installed value., xrefs: 001CF2B6
Failed to delete run key value., xrefs: 001CF3CE

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseValueVersion
String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$burn.runonce$registration.cpp
API String ID: 2348918689-2631711097
Opcode ID: 2a7c1642ccfc146c6107c5fd0881540162c1fc8368bd0d2bf7811694f3bd8623
Instruction ID: e213728ccc63343e3e3e76a7de4afde7f22190d252b8e396daa3e295136dfe43
Opcode Fuzzy Hash: 2a7c1642ccfc146c6107c5fd0881540162c1fc8368bd0d2bf7811694f3bd8623
Instruction Fuzzy Hash: 5951C236D5036AFBDF259AA08C46FEFB6A6BB20710F11013DF900B6191D770D961DAC1

Uniqueness

Uniqueness Score: -1.00%

Function 001ECC91, Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 174processCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(74B061D0,00000002,00000000), ref: 001ECC9D

Part of subcall function 001D4D8D: UuidCreate.RPCRT4(?), ref: 001D4DC0

CreateProcessW.KERNEL32 ref: 001ECD7B
GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 001ECD85
GetProcessId.KERNEL32(001E2401,?,?,00000000,?,?,?,?), ref: 001ECDBD

Part of subcall function 001D54DC: lstrlenW.KERNEL32(?,?,00000000,?,0020B500,?,00000000,?,001C452F,?,0020B500), ref: 001D54FD
Part of subcall function 001D54DC: GetCurrentProcessId.KERNEL32(?,001C452F,?,0020B500), ref: 001D5508
Part of subcall function 001D54DC: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,001C452F,?,0020B500), ref: 001D553F
Part of subcall function 001D54DC: ConnectNamedPipe.KERNEL32(?,00000000,?,001C452F,?,0020B500), ref: 001D5554
Part of subcall function 001D54DC: GetLastError.KERNEL32(?,001C452F,?,0020B500), ref: 001D555E
Part of subcall function 001D54DC: Sleep.KERNEL32(00000064,?,001C452F,?,0020B500), ref: 001D5593
Part of subcall function 001D54DC: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,001C452F,?,0020B500), ref: 001D55B6
Part of subcall function 001D54DC: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,001C452F,?,0020B500), ref: 001D55D1
Part of subcall function 001D54DC: WriteFile.KERNEL32(?,001C452F,0020B500,00000000,00000000,?,001C452F,?,0020B500), ref: 001D55EC
Part of subcall function 001D54DC: WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,001C452F,?,0020B500), ref: 001D5607

Part of subcall function 00200A28: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,001C4F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 00200A38
Part of subcall function 00200A28: GetLastError.KERNEL32(?,?,001C4F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00200A46

CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,001ECBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 001ECE41
CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,001ECBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 001ECE50
CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,001ECBEF,?,?,?,?,?,00000000,?,?,?), ref: 001ECE67

Strings

Failed to create embedded pipe., xrefs: 001ECD27
Failed to create embedded process at path: %ls, xrefs: 001ECDB3
embedded.cpp, xrefs: 001ECDA6
Failed to wait for embedded executable: %ls, xrefs: 001ECE24
Failed to allocate embedded command., xrefs: 001ECD54
Failed to process messages from embedded message., xrefs: 001ECE04
Failed to wait for embedded process to connect to pipe., xrefs: 001ECDDF
%ls -%ls %ls %ls %u, xrefs: 001ECD40
Failed to create embedded pipe name and client token., xrefs: 001ECD00
burn.embedded, xrefs: 001ECD38

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$embedded.cpp
API String ID: 875070380-3803182736
Opcode ID: 5c26755482e9f2875e04b1e34149312b5cb50d5868e93db22bbdd78a642e2234
Instruction ID: 69b3e5f9612030284146c0f49096e35148110502a4a497822ef29e6fc72490bc
Opcode Fuzzy Hash: 5c26755482e9f2875e04b1e34149312b5cb50d5868e93db22bbdd78a642e2234
Instruction Fuzzy Hash: FE517C72D4066DBBDF229BD4DC46BDEBBB9AF18710F110122FA00B6291E7719A518BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00207F7E, Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 153stringCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,?,00208468,00000001,?), ref: 00207F9E
CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,00208468,00000001,?), ref: 00207FB9
CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,00208468,00000001,?), ref: 00207FD4
CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,00208468,00000001,?), ref: 00208040
CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,00208468,00000001,?), ref: 00208064
CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,00208468,00000001,?), ref: 00208088
CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,00208468,00000001,?), ref: 002080A8
lstrlenW.KERNEL32(006C0064,?,00208468,00000001,?), ref: 002080C3

Strings

apuputil.cpp, xrefs: 002080DB
name, xrefs: 00207FCB
sha1, xrefs: 0020807F
msi.dll, xrefs: 00207F98
sha256, xrefs: 0020809F
digest, xrefs: 00207FB0
md5, xrefs: 0020805B
http://appsyndication.org/2006/appsyn, xrefs: 00207F91
algorithm, xrefs: 00208037

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: algorithm$apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
API String ID: 1657112622-2492263259
Opcode ID: 31d444f8537823bcebac4020a89e27eb33baf98e6f4b3238d6e21343079b6b1a
Instruction ID: a1f7c9ba2e326ffa92c3915a0b017fab0929cf75f2a908bc473e64ce2f146cc3
Opcode Fuzzy Hash: 31d444f8537823bcebac4020a89e27eb33baf98e6f4b3238d6e21343079b6b1a
Instruction Fuzzy Hash: 9E518931668723BBDB215F54DC89F16BA62AF15B30F204314F575AE2D2CBA1E8648790

Uniqueness

Uniqueness Score: -1.00%

Function 001CA03E, Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 215COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 001CA0B6

Strings

State, xrefs: 001CA098
Failed to get product info., xrefs: 001CA1E3
AssignmentType, xrefs: 001CA091
Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 001CA148
Failed to change value type., xrefs: 001CA21D
Language, xrefs: 001CA09F
Trying per-user extended info for property '%ls' for product: %ls, xrefs: 001CA175
Failed to enumerate related products for upgrade code., xrefs: 001CA0F1
Failed to copy upgrade code., xrefs: 001CA116
Product or related product not found: %ls, xrefs: 001CA1A1
Failed to set variable., xrefs: 001CA23C
Unsupported product search type: %u, xrefs: 001CA07E
MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 001CA24F
Failed to format GUID string., xrefs: 001CA0C1
VersionString, xrefs: 001CA0A6, 001CA131, 001CA147, 001CA15B, 001CA174, 001CA188

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Open@16
String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
API String ID: 3613110473-2134270738
Opcode ID: 4210797228367f51ee7993cdc3d31664b6c31721bcc80b6f8a5f6f58e54de445
Instruction ID: 098ae6bc6f2fe3adfd8bd956155ba1628a5aab5c1c55c07574e625d325449439
Opcode Fuzzy Hash: 4210797228367f51ee7993cdc3d31664b6c31721bcc80b6f8a5f6f58e54de445
Instruction Fuzzy Hash: EA61E632D5022CBBCF139AA4CD85F9E7B79EF25318F550159F900BA292C332DE509B92

Uniqueness

Uniqueness Score: -1.00%

Function 001CECBE, Relevance: 28.2, APIs: 2, Strings: 14, Instructions: 173COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 001CEE4C

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

SysFreeString.OLEAUT32(?), ref: 001CEE04

Strings

Failed to allocate memory for software tag structs., xrefs: 001CED4B
Failed to get @Regid., xrefs: 001CEE9F
SoftwareTag, xrefs: 001CECCD
Failed to get software tag count., xrefs: 001CED13
Failed to select software tag nodes., xrefs: 001CECEE
Failed to convert SoftwareTag text to UTF-8, xrefs: 001CEE81
Filename, xrefs: 001CED7F
Failed to get next node., xrefs: 001CEEB3
registration.cpp, xrefs: 001CED41
Failed to get @Filename., xrefs: 001CEEA9
Failed to get @Path., xrefs: 001CEE95
Path, xrefs: 001CEDB2
Failed to get SoftwareTag text., xrefs: 001CEE8B
Regid, xrefs: 001CED9A

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$registration.cpp
API String ID: 336948655-1068704183
Opcode ID: 9c07dbdfae4372d53a504e0b61783a1b57193c227f7e1a04b1bf90914b529ad9
Instruction ID: ad0acbaea077c9a580d98cd9f363439bc2821eddee433fe37a967c4d0ecc9c0b
Opcode Fuzzy Hash: 9c07dbdfae4372d53a504e0b61783a1b57193c227f7e1a04b1bf90914b529ad9
Instruction Fuzzy Hash: 58518235A01319BBCB25DF98C881FAEBBE8BF20750B1141ADE911AB241C770DE508B90

Uniqueness

Uniqueness Score: -1.00%

Function 001D4B2A, Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 158sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 001D4B84
GetLastError.KERNEL32 ref: 001D4B92
Sleep.KERNEL32(00000064), ref: 001D4BB6

Strings

Failed to verify parent pipe: %ls, xrefs: 001D4BFE
feclient.dll, xrefs: 001D4BE9, 001D4C84, 001D4C98, 001D4CDC
Failed to open companion process with PID: %u, xrefs: 001D4CDE
\\.\pipe\%ls.Cache, xrefs: 001D4C17
Failed to allocate name of parent cache pipe., xrefs: 001D4C2B
Failed to open parent pipe: %ls, xrefs: 001D4BDC
pipe.cpp, xrefs: 001D4BCF, 001D4CD2
\\.\pipe\%ls, xrefs: 001D4B3C
Failed to allocate name of parent pipe., xrefs: 001D4B50

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CreateErrorFileLastSleep
String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$feclient.dll$pipe.cpp
API String ID: 408151869-3212458075
Opcode ID: 43c0c8844d343343b7c3569ac449bc143aa69727d909cdd21e9a1f7a99a1a0b3
Instruction ID: 3a9a432a829688abf2099377ea9a0270eaaa5b1cf50af3afa72153c94c5b84cb
Opcode Fuzzy Hash: 43c0c8844d343343b7c3569ac449bc143aa69727d909cdd21e9a1f7a99a1a0b3
Instruction Fuzzy Hash: 24412A36DA1732BBDB3156A08D46F9A7694AF21720F110223FE04BB3D0D775DD508AD4

Uniqueness

Uniqueness Score: -1.00%

Function 001CF585, Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 152registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,001D04DF,InstallerVersion,InstallerVersion,00000000,001D04DF,InstallerName,InstallerName,00000000,001D04DF,Date,InstalledDate,00000000,001D04DF,LogonUser), ref: 001CF733

Part of subcall function 002014F4: RegSetValueExW.ADVAPI32(00020006,00210D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,001CF335,00000000,?,00020006), ref: 00201527

Strings

Failed to get the formatted key path for update registration., xrefs: 001CF5A7
Date, xrefs: 001CF6C9
PublishingGroup, xrefs: 001CF667, 001CF67A
Publisher, xrefs: 001CF63F, 001CF652
Failed to create the key for update registration., xrefs: 001CF5D3
InstalledBy, xrefs: 001CF6A4, 001CF6BD
InstallerVersion, xrefs: 001CF701, 001CF706, 001CF707, 001CF717
Failed to write %ls value., xrefs: 001CF71C
InstallerName, xrefs: 001CF6E4, 001CF6E9, 001CF6EA, 001CF6FA
PackageVersion, xrefs: 001CF61F, 001CF632
InstalledDate, xrefs: 001CF6C4, 001CF6DD
LogonUser, xrefs: 001CF6A9
ReleaseType, xrefs: 001CF68A, 001CF68F, 001CF69E
ThisVersionInstalled, xrefs: 001CF5DF, 001CF5F2
PackageName, xrefs: 001CF5FF, 001CF612

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseValue
String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
API String ID: 3132538880-2703781546
Opcode ID: 9d27389aa21641f875fddc4db62ea1c179e6c1980171fe7e9566aa439cdb8cc8
Instruction ID: ffc5fde8339e6aa55e4d86b00ed5192c83db8986ba9f715b429b780644c7a69d
Opcode Fuzzy Hash: 9d27389aa21641f875fddc4db62ea1c179e6c1980171fe7e9566aa439cdb8cc8
Instruction Fuzzy Hash: 0E41A471A90765F7CF22A694CC02FEF7AA69B31B10F11016CB904B62A3C771DE759A84

Uniqueness

Uniqueness Score: -1.00%

Function 001DE7B4, Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 137registryCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 001DE7FF
RegisterClassW.USER32 ref: 001DE82B
GetLastError.KERNEL32 ref: 001DE836
CreateWindowExW.USER32 ref: 001DE89D
GetLastError.KERNEL32 ref: 001DE8A7
UnregisterClassW.USER32 ref: 001DE945

Strings

Failed to register window., xrefs: 001DE864
Failed to create window., xrefs: 001DE8D5
WixBurnMessageWindow, xrefs: 001DE824, 001DE940
Unexpected return value from message pump., xrefs: 001DE930
uithread.cpp, xrefs: 001DE85A, 001DE8CB

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: 6f1068280378f2611ca3a0927639dee32a821272130cc15bad81103d2e1feacc
Instruction ID: 87557f41b272af3b0185e8892c8c4bfcc477009ebd1e8598df74df7a1759526c
Opcode Fuzzy Hash: 6f1068280378f2611ca3a0927639dee32a821272130cc15bad81103d2e1feacc
Instruction Fuzzy Hash: 8441C472901315AFDB25AFA0DC48BDEBFF8EF05721F214166F904BA241D730A950DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001EC774, Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 272COMMON

Download Yara Rule

Strings

Failed to copy local source path for passthrough pseudo bundle., xrefs: 001EC9B7
Failed to copy key for passthrough pseudo bundle payload., xrefs: 001EC9C5
Failed to copy cache id for passthrough pseudo bundle., xrefs: 001ECA05
Failed to copy related arguments for passthrough bundle package, xrefs: 001ECA82
Failed to allocate memory for pseudo bundle payload hash., xrefs: 001EC9AD
Failed to copy uninstall arguments for passthrough bundle package, xrefs: 001ECAAC
Failed to recreate command-line arguments., xrefs: 001ECA43
Failed to copy filename for passthrough pseudo bundle., xrefs: 001EC9BE
Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 001EC7B4
Failed to copy key for passthrough pseudo bundle., xrefs: 001EC988
Failed to copy download source for passthrough pseudo bundle., xrefs: 001EC98F
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 001EC9E7
pseudobundle.cpp, xrefs: 001EC7A8, 001EC9A1, 001EC9DB
Failed to copy install arguments for passthrough bundle package, xrefs: 001ECA62

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
API String ID: 1357844191-115096447
Opcode ID: d1cdf7d69038515d55ea56f8c854f4ae647923465e6db49bdd44d1b6b27f22a4
Instruction ID: cfbcbb58dfb96558ccc3b32722645a2bb7a265c207c544152943774d6f0fd636
Opcode Fuzzy Hash: d1cdf7d69038515d55ea56f8c854f4ae647923465e6db49bdd44d1b6b27f22a4
Instruction Fuzzy Hash: A6B17935A00A56EFCB15DF68C881F99BBA1BF18714F118169FD19AB352C731E822DBC0

Uniqueness

Uniqueness Score: -1.00%

Function 001EDE46, Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 204stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 001EDE61

Strings

Failed while waiting for BITS download., xrefs: 001EE012
Failed to add file to BITS job., xrefs: 001EDF2E
Failed to set callback interface for BITS job., xrefs: 001EDF99
Falied to start BITS job., xrefs: 001EE019
Failed to create BITS job., xrefs: 001EDEF0
Failed to create BITS job callback., xrefs: 001EDF74
Failed to set credentials for BITS job., xrefs: 001EDF0F
Failed to copy download URL., xrefs: 001EDEA8
Failed to complete BITS job., xrefs: 001EE00B
bitsengine.cpp, xrefs: 001EDE77, 001EDF6A
Failed to download BITS job., xrefs: 001EDFF8
Failed to initialize BITS job callback., xrefs: 001EDF82
Invalid BITS engine URL: %ls, xrefs: 001EDE83

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: lstrlen
String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$bitsengine.cpp
API String ID: 1659193697-2382896028
Opcode ID: 01347718963db1c311f3fb994e280a5d497339f6284bd531dd77c775738c4d8b
Instruction ID: e1b8ce675a08c4b53d495a21c2507870c80b126afced54cec1fd3cc673c78c54
Opcode Fuzzy Hash: 01347718963db1c311f3fb994e280a5d497339f6284bd531dd77c775738c4d8b
Instruction Fuzzy Hash: 30613931A00A65FFCB219F95E885E9EBBF4EF19B10B124156FC04AF252D7B1DD119B80

Uniqueness

Uniqueness Score: -1.00%

Function 001CBC93, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 190processCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 001CBCE5
CreateProcessW.KERNEL32 ref: 001CBDF2
GetLastError.KERNEL32(?,?,?,?), ref: 001CBDFC
WaitForInputIdle.USER32 ref: 001CBE50
CloseHandle.KERNEL32(?,?,?), ref: 001CBE9B
CloseHandle.KERNEL32(?,?,?), ref: 001CBEA8

Strings

"%ls", xrefs: 001CBD62, 001CBD7C
Failed to CreateProcess on path: %ls, xrefs: 001CBE2D
approvedexe.cpp, xrefs: 001CBE20
Failed to format argument string., xrefs: 001CBCF0
"%ls" %s, xrefs: 001CBD0B, 001CBD4C
Failed to format obfuscated argument string., xrefs: 001CBD3C
D, xrefs: 001CBDD1
Failed to create executable command., xrefs: 001CBD1F
Failed to create obfuscated executable command., xrefs: 001CBD90

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseHandle$CreateErrorIdleInputLastOpen@16ProcessWait
String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$approvedexe.cpp
API String ID: 155678114-2737401750
Opcode ID: d91c931acde67fe3ab1e6a949c9dcf8257467f453c7ac6ef2190b183469289fa
Instruction ID: 8db68c0cb96767144c28fcbef0eb583fd4cd0fdb5c85c0414e55bbe5c672797e
Opcode Fuzzy Hash: d91c931acde67fe3ab1e6a949c9dcf8257467f453c7ac6ef2190b183469289fa
Instruction Fuzzy Hash: F4517F72D4461ABBCF21AFD0CD82EEEBB79BF24710F104169FA14B2152D7319E209B91

Uniqueness

Uniqueness Score: -1.00%

Function 001E69D2, Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 153serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,001E6F28,?), ref: 001E6A0B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,001E6F28,?,?,?), ref: 001E6A18
OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,001E6F28,?,?,?), ref: 001E6A60
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,001E6F28,?,?,?), ref: 001E6A6C
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,001E6F28,?,?,?), ref: 001E6AA6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,001E6F28,?,?,?), ref: 001E6AB0
CloseServiceHandle.ADVAPI32(00000000), ref: 001E6B67
CloseServiceHandle.ADVAPI32(?), ref: 001E6B71

Strings

Failed to mark WU service to start on demand., xrefs: 001E6B38
wuauserv, xrefs: 001E6A5A
Failed to open service control manager., xrefs: 001E6A46
msuengine.cpp, xrefs: 001E6A3C, 001E6A90, 001E6AD4
Failed to query status of WU service., xrefs: 001E6ADE
Failed to open WU service., xrefs: 001E6A9A
Failed to read configuration for WU service., xrefs: 001E6B17

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$msuengine.cpp$wuauserv
API String ID: 971853308-301359130
Opcode ID: 1183dabb01ff227515f5ff5b45b6dd118e2003d4a3066c9a84d94c331560e83e
Instruction ID: 731953f179209b746559a10c021e5c04bd1dd627c4a2afb01e8bd8a0393c3f53
Opcode Fuzzy Hash: 1183dabb01ff227515f5ff5b45b6dd118e2003d4a3066c9a84d94c331560e83e
Instruction Fuzzy Hash: 2841E672F40B65ABD721DBA69C89EAFB7E8AF64750F558025FD01FB241D770DC008AA0

Uniqueness

Uniqueness Score: -1.00%

Function 001CA28B, Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 138registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 001CA2B3
_MREFOpen@16.MSPDB140-MSVCRT ref: 001CA30E
RegQueryValueExW.ADVAPI32(000002C0,00000100,00000000,000002C0,00000000,00000000,000002C0,?,00000100,00000000,?,00000000,?,000002C0,000002C0,?), ref: 001CA32F
RegCloseKey.ADVAPI32(00000000,00000100,00000000,000002C0,00000100,00000000,000002C0), ref: 001CA405

Strings

Failed to format key string., xrefs: 001CA2BE
Failed to query registry key value., xrefs: 001CA36A
Failed to set variable., xrefs: 001CA3BD
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 001CA3DD
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 001CA37A
search.cpp, xrefs: 001CA360
Registry key not found. Key = '%ls', xrefs: 001CA396
Failed to format value string., xrefs: 001CA319
Failed to open registry key. Key = '%ls', xrefs: 001CA3C7

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Open@16$CloseQueryValue
String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
API String ID: 2702208347-46557908
Opcode ID: cf104c5b0c0e30368ddd7bd0fa399e56330074061d34896346bb9df98204dca9
Instruction ID: fa2c7db993026c5a0b928af2dae34f66f5faa7c4ef7a5228b7df7c9276eab7f4
Opcode Fuzzy Hash: cf104c5b0c0e30368ddd7bd0fa399e56330074061d34896346bb9df98204dca9
Instruction Fuzzy Hash: B541E232D50228BBDF235A94CC4AFAEBA64FF24710F514259F814B6192D771DE20EB92

Uniqueness

Uniqueness Score: -1.00%

Function 001CB208, Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 137COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,001CBAFB,00000008,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB210
GetLastError.KERNEL32(?,001CBAFB,00000008,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 001CB21C

Strings

Failed to read section info, unsupported version: %08x, xrefs: 001CB35E
Failed to get module handle to process., xrefs: 001CB24A
.wixburn, xrefs: 001CB2BE
Bundle guid didn't match the guid in the PE Header in memory., xrefs: 001CB39B
Failed to read section info, data to short: %u, xrefs: 001CB314
Failed to find valid NT image header in buffer., xrefs: 001CB2A8
Failed to find Burn section., xrefs: 001CB332
Failed to find valid DOS image header in buffer., xrefs: 001CB27D
.wix, xrefs: 001CB2E3
burn, xrefs: 001CB2EB
section.cpp, xrefs: 001CB240, 001CB271, 001CB29C, 001CB305, 001CB326, 001CB34F, 001CB38F

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorHandleLastModule
String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$section.cpp
API String ID: 4242514867-926796631
Opcode ID: 4a1c8c6e204886d3b0e51e91db5efe7ee5dd502f04ef7e3f864c3a036dfb50b2
Instruction ID: f2f2570cb7ff47f190ad9a8f905521c69404ee8dd2fa7e72462a84f6c8facb1b
Opcode Fuzzy Hash: 4a1c8c6e204886d3b0e51e91db5efe7ee5dd502f04ef7e3f864c3a036dfb50b2
Instruction Fuzzy Hash: 38413632298320A7DB301A818CC7F6E6255BBA2B30F36852DFC01DF1C3D765D89282E5

Uniqueness

Uniqueness Score: -1.00%

Function 001C694B, Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 133libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 001C699B
GetLastError.KERNEL32 ref: 001C69A5
GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 001C69E8
GetLastError.KERNEL32 ref: 001C69F2
FreeLibrary.KERNEL32(00000000,00000000,?), ref: 001C6B03

Strings

Failed to set variant value., xrefs: 001C6AE7
ntdll, xrefs: 001C6995
Failed to locate RtlGetVersion., xrefs: 001C6A20
Failed to locate NTDLL., xrefs: 001C69D3
Failed to get OS info., xrefs: 001C6A43
RtlGetVersion, xrefs: 001C69DD
variable.cpp, xrefs: 001C69C9, 001C6A16

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$ntdll$variable.cpp
API String ID: 3057421322-109962352
Opcode ID: b9ca349a3b158c9e9930eed86493bda3549ecc4f0ddc126209d764d8749376b0
Instruction ID: 7f0ac674976fb3ad17e3090ff0d88c2eb01886045f15ce8c39e0f09dde50a33e
Opcode Fuzzy Hash: b9ca349a3b158c9e9930eed86493bda3549ecc4f0ddc126209d764d8749376b0
Instruction Fuzzy Hash: FB41B472D413399BDB319B658C49FEEBAA4EB28710F014199E908B7191E771CE50CAD1

Uniqueness

Uniqueness Score: -1.00%

Function 001C48EF, Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 130memorysynchronizationCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,001C5466,?,?,?,?), ref: 001C4920
GetLastError.KERNEL32(?,?,?,001C5466,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001C4931
ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001C4A6E
CloseHandle.KERNEL32(?,?,?,?,001C5466,?,?,?,?,?,?,?,?,?,?,?), ref: 001C4A77

Strings

Failed to set elevated pipe into thread local storage for logging., xrefs: 001C49A8
comres.dll, xrefs: 001C49DD
Failed to allocate thread local storage for logging., xrefs: 001C495F
Failed to create the message window., xrefs: 001C49CC
Failed to connect to unelevated process., xrefs: 001C4916
engine.cpp, xrefs: 001C4955, 001C499E
Failed to pump messages from parent process., xrefs: 001C4A42

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AllocCloseErrorHandleLastMutexRelease
String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$comres.dll$engine.cpp
API String ID: 687263955-1790235126
Opcode ID: f3c644a70a6952383cdcdaae747b88315db0fdc2e74424f9c94481285f0fcebe
Instruction ID: 729aba0a7c2e7ad3786dda6f10386e91cda6e27c8f5a1500983ef51d664f228e
Opcode Fuzzy Hash: f3c644a70a6952383cdcdaae747b88315db0fdc2e74424f9c94481285f0fcebe
Instruction Fuzzy Hash: 6941A873954726BBD7269BA0CC49FDFFA6CBF15710F01021ABA15A7141DB31E9108AE0

Uniqueness

Uniqueness Score: -1.00%

Function 001D3B4E, Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 130COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 001D3BA2
GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 001D3BAC
GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 001D3C15
ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 001D3C1C
CompareStringW.KERNEL32(00000000,00000000,?,?,?,?,?,7FFFFFFF,?,?,?,?,?,00000000,crypt32.dll), ref: 001D3CA6

Strings

logging.cpp, xrefs: 001D3BD0
Failed to get length of temp folder., xrefs: 001D3C06
crypt32.dll, xrefs: 001D3B61
%u\, xrefs: 001D3C36
Failed to format session id as a string., xrefs: 001D3C4A
Failed to copy temp folder., xrefs: 001D3CCF
Failed to get length of session id string., xrefs: 001D3C71
Failed to get temp folder., xrefs: 001D3BDA

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Process$CompareCurrentErrorLastPathSessionStringTemp
String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$crypt32.dll$logging.cpp
API String ID: 2407829081-3274134579
Opcode ID: 9fa9de4e2fea77ec158094588258cd4b8fd19f048ea9528534c5d17f75c8af4e
Instruction ID: 72ec6aacd3172fb3d6897ee006520d53041146821ce7ee203de05ec6fc0f8a6a
Opcode Fuzzy Hash: 9fa9de4e2fea77ec158094588258cd4b8fd19f048ea9528534c5d17f75c8af4e
Instruction Fuzzy Hash: 63418172D9123DABCB319B549C4DFDAB7B8AB20710F110196F918B7281EB709F858BD1

Uniqueness

Uniqueness Score: -1.00%

Function 001FFCAE, Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SystemFunction040,AdvApi32.dll), ref: 001FFCD6
GetProcAddress.KERNEL32(SystemFunction041), ref: 001FFCE8
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 001FFD2B
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 001FFD3F
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 001FFD77
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 001FFD8B

Strings

AdvApi32.dll, xrefs: 001FFCB5
cryputil.cpp, xrefs: 001FFD60
CryptUnprotectMemory, xrefs: 001FFD6C
CryptProtectMemory, xrefs: 001FFD20
Crypt32.dll, xrefs: 001FFD0C
SystemFunction040, xrefs: 001FFCCB
SystemFunction041, xrefs: 001FFCD8

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$cryputil.cpp
API String ID: 4214558900-3191127217
Opcode ID: 6ab7cb3c2d12234164a7134f208f1241ee80d68cc1bb010fae3c5ff5a256d69d
Instruction ID: 4927a53915e6c8792ae0546c39c1f45edc36d2a3b4c92c13ce96f327543a136c
Opcode Fuzzy Hash: 6ab7cb3c2d12234164a7134f208f1241ee80d68cc1bb010fae3c5ff5a256d69d
Instruction Fuzzy Hash: 7521CB3695033AB7C3329BD1BD0DB666A90AF10F50F460139FE00AE161E7B49C23CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 001C7FA5, Relevance: 21.2, APIs: 2, Strings: 12, Instructions: 216COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,000000B9,00000002,?,00000000,00000000,00000000,00000000,00000001,00000000,00000002,000000B9), ref: 001C7FC2
LeaveCriticalSection.KERNEL32(?), ref: 001C81EA

Strings

Failed to get version., xrefs: 001C819B
Failed to write variable count., xrefs: 001C7FDD
feclient.dll, xrefs: 001C809D, 001C80F3, 001C8134
Failed to write variable value as number., xrefs: 001C8194
Failed to write variable value type., xrefs: 001C81CA
Failed to write variable value as string., xrefs: 001C81AE
Failed to write included flag., xrefs: 001C81D8
Failed to get string., xrefs: 001C81B5
Unsupported variable type., xrefs: 001C81A7
Failed to get numeric., xrefs: 001C81BC
Failed to write literal flag., xrefs: 001C81C3
Failed to write variable name., xrefs: 001C81D1

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
API String ID: 3168844106-2118673349
Opcode ID: 2ddd4fa8874c557bddac7a46184091368856fc6bbadb06b1572287da26370aa1
Instruction ID: b7676268cda3755afbc500629b844b60148e6b14be22998cdcabb9e6603bc824
Opcode Fuzzy Hash: 2ddd4fa8874c557bddac7a46184091368856fc6bbadb06b1572287da26370aa1
Instruction Fuzzy Hash: B771A172D1072AEFCB129EA4C881FAEBBA5BF24350F15416AF90467191CB70DD229B91

Uniqueness

Uniqueness Score: -1.00%

Function 002002F8, Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 123COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 0020033C
GetComputerNameW.KERNEL32 ref: 00200394

Strings

Hd", xrefs: 0020043D
Computer : %ls, xrefs: 00200402
Td", xrefs: 00200435
\d", xrefs: 0020042D
@d", xrefs: 00200445
dd", xrefs: 0020044D
Executable: %ls v%d.%d.%d.%d, xrefs: 002003F0
8d", xrefs: 0020030D
--- logging level: %hs ---, xrefs: 00200454
=== Logging started: %ls ===, xrefs: 002003BF

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Name$ComputerFileModule
String ID: --- logging level: %hs ---$8d"$=== Logging started: %ls ===$@d"$Computer : %ls$Executable: %ls v%d.%d.%d.%d$Hd"$Td"$\d"$dd"
API String ID: 2577110986-564698964
Opcode ID: ad7550d1c32d3951b18815d6464c7d510aec2d474f4be1340b0eca4fc3a0349e
Instruction ID: e7320e96fd7631a34f7570d54a5d8baac731aab816808a312c7fe301b2785526
Opcode Fuzzy Hash: ad7550d1c32d3951b18815d6464c7d510aec2d474f4be1340b0eca4fc3a0349e
Instruction Fuzzy Hash: 044189B2D10219ABDB21DF64EC89BEEB3BCE744300F4041E5F609A3183D6705E958F69

Uniqueness

Uniqueness Score: -1.00%

Function 001D97B2, Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,001DA843,00000000,00000000,00000000,?,00000000), ref: 001D97CD
GetLastError.KERNEL32(?,001DA843,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 001D97DD

Part of subcall function 00204102: Sleep.KERNEL32(?,00000000,?,001D85EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,001C4DBC), ref: 00204119

CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 001D98E9

Strings

cache.cpp, xrefs: 001D9801
Failed to copy %ls to %ls, xrefs: 001D98D7
Failed to verify payload signature: %ls, xrefs: 001D9838
Failed to move %ls to %ls, xrefs: 001D98C1
Failed to verify payload hash: %ls, xrefs: 001D9875
Moving, xrefs: 001D987F
%ls payload from working path '%ls' to path '%ls', xrefs: 001D9894
Copying, xrefs: 001D9888, 001D9893
Failed to open payload in working path: %ls, xrefs: 001D980C

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep
String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
API String ID: 1275171361-1604654059
Opcode ID: f916d95b09cf44101b247b6c2e31e7bf6f11b4456d70f6566c87a78efcec6e29
Instruction ID: f9d7735f22dedd7ffd5e23f6ff1af785958d6c585a5df8f4891c4354bca2c838
Opcode Fuzzy Hash: f916d95b09cf44101b247b6c2e31e7bf6f11b4456d70f6566c87a78efcec6e29
Instruction Fuzzy Hash: 87312E72A503387BDB322A559C4AFAF2A6CDF52F50F010166FD147B392D361DC10A6E1

Uniqueness

Uniqueness Score: -1.00%

Function 001C65C0, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 118COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 001C65FC

Part of subcall function 00200ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,001C5EB2,00000000), ref: 00200AE0
Part of subcall function 00200ACC: GetProcAddress.KERNEL32(00000000), ref: 00200AE7
Part of subcall function 00200ACC: GetLastError.KERNEL32(?,?,?,001C5EB2,00000000), ref: 00200AFE

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 001C6628
GetLastError.KERNEL32 ref: 001C6636
GetSystemWow64DirectoryW.KERNEL32(?,00000104,00000000), ref: 001C666E
GetLastError.KERNEL32 ref: 001C6678
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 001C66BB
GetLastError.KERNEL32 ref: 001C66C5

Strings

Failed to get 32-bit system folder., xrefs: 001C66A6
Failed to get 64-bit system folder., xrefs: 001C6664
Failed to backslash terminate system folder., xrefs: 001C6708
Failed to set system folder variant value., xrefs: 001C6724
variable.cpp, xrefs: 001C665A, 001C669C

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$DirectorySystem$AddressCurrentHandleModuleProcProcessWow64
String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
API String ID: 325818893-1590374846
Opcode ID: c93c6b5c96fe112b5201ddb1181d3f71eff42135d1f9d25e28021e03152f6ab3
Instruction ID: 5ef45465453b0d8d81951ce3d767dfc0e4c8d432f25fe7da978c2079b7b6d756
Opcode Fuzzy Hash: c93c6b5c96fe112b5201ddb1181d3f71eff42135d1f9d25e28021e03152f6ab3
Instruction Fuzzy Hash: 14312372D42335A7DB3197A18C4DF9F77A8AF20750F014169BD04BB282DB74DD408AE1

Uniqueness

Uniqueness Score: -1.00%

Function 001D3F9B, Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 220sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 001D3AA6: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,001D3FB5,feclient.dll,?,00000000,?,?,?,001C4B12), ref: 001D3B42

Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,001C4B12,?,?,0020B488,?,00000001,00000000,00000000), ref: 001D404C

Strings

Failed to get current directory., xrefs: 001D402E
log, xrefs: 001D3FF3
feclient.dll, xrefs: 001D3FAF, 001D405C
Failed to copy full log path to prefix., xrefs: 001D41AF
crypt32.dll, xrefs: 001D3FF2, 001D4057, 001D405F, 001D40C6, 001D4100, 001D4141, 001D4160, 001D419E, 001D41C8
Setup, xrefs: 001D3FF9
Failed to get non-session specific TEMP folder., xrefs: 001D40F6
Failed to copy log extension to extension., xrefs: 001D4191
msasn1.dll, xrefs: 001D4162, 001D41A3
Failed to copy log path to prefix., xrefs: 001D416E
Failed to open log: %ls, xrefs: 001D40C8
clbcatq.dll, xrefs: 001D4185

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
API String ID: 2834455192-2673269691
Opcode ID: d2f6362853f6a728ebd0349f3e005b9b934e6892487639bca03adabc05709392
Instruction ID: a703305abfa416f797617fff31515f4e2c6852395e143c09f88515b6ee2afbc5
Opcode Fuzzy Hash: d2f6362853f6a728ebd0349f3e005b9b934e6892487639bca03adabc05709392
Instruction Fuzzy Hash: 9261D471A10215ABDF259F64CC86BAA7BE8EF21340F054166FD00DB381E771EEA08B91

Uniqueness

Uniqueness Score: -1.00%

Function 001C6DB9, Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 166COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,?,00000000,001C5445,00000006,?,001C82B9,?,?,?,00000000,00000000,00000001), ref: 001C6DC8

Part of subcall function 001C56A9: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,001C6595,001C6595,?,001C563D,?,?,00000000), ref: 001C56E5
Part of subcall function 001C56A9: GetLastError.KERNEL32(?,001C563D,?,?,00000000,?,?,001C6595,?,001C7F02,?,?,?,?,?), ref: 001C5714

LeaveCriticalSection.KERNEL32(00000001,?,00000000,00000001,00000000,00000000,?,001C82B9), ref: 001C6F59

Strings

Setting hidden variable '%ls', xrefs: 001C6E86
Unsetting variable '%ls', xrefs: 001C6F15
Attempt to set built-in variable value: %ls, xrefs: 001C6E56
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 001C6ED0
Failed to set value of variable: %ls, xrefs: 001C6F41
Setting numeric variable '%ls' to value %lld, xrefs: 001C6EFA
Failed to find variable value '%ls'., xrefs: 001C6DE3
Failed to insert variable '%ls'., xrefs: 001C6E0D
variable.cpp, xrefs: 001C6E4B
Setting string variable '%ls' to value '%ls', xrefs: 001C6EED
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 001C6F6B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
API String ID: 2716280545-445000439
Opcode ID: fc36e8d27de4e26c14eb857fa46e852b522c0ba8ed112e1633b3e5448ebcc6d4
Instruction ID: 3b59152caa05af4a8b02d1d4d49e58762c5d480992b9e055a6941b09119f5515
Opcode Fuzzy Hash: fc36e8d27de4e26c14eb857fa46e852b522c0ba8ed112e1633b3e5448ebcc6d4
Instruction Fuzzy Hash: 9E51E1B1A00325ABDB349F59DC8AF7B7BA8EF66710F21011EF84596282C375DC50CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 001D2C1C, Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 299COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,002C002B,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 001D2C8A

Strings

Failed to add dependent bundle provider key to ignore dependents., xrefs: 001D2DF4
wininet.dll, xrefs: 001D2ED7
Failed to allocate registration action., xrefs: 001D2CF3
Failed to add self-dependent to ignore dependents., xrefs: 001D2D0E
Failed to check for remaining dependents during planning., xrefs: 001D2E30
crypt32.dll, xrefs: 001D2CD5, 001D2DCF, 001D2EC4, 001D2F39
Failed to add registration action for self dependent., xrefs: 001D2F57
Failed to add registration action for dependent related bundle., xrefs: 001D2F8E
Failed to create the string dictionary., xrefs: 001D2CC3
Failed to add dependents ignored from command-line., xrefs: 001D2D3F

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CompareString
String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
API String ID: 1825529933-1705955799
Opcode ID: a5490f1944a362a596c2e36883f3ff4ce4a7c029317b11feb7fbb0d078cd5745
Instruction ID: 7a09c2abd7e6c52126b6d15cf20aff9f8333d86eaf94255523497c31dd919a0c
Opcode Fuzzy Hash: a5490f1944a362a596c2e36883f3ff4ce4a7c029317b11feb7fbb0d078cd5745
Instruction Fuzzy Hash: 23B19E70A00616EFDF299F64C881BAEBBB5FF24311F10856AF824AB351C730D960CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001DF90B, Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 187COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 001DF947
UuidCreate.RPCRT4(?), ref: 001DFA2A
StringFromGUID2.OLE32(?,?,00000027), ref: 001DFA4B
LeaveCriticalSection.KERNEL32(?,?), ref: 001DFAF4

Strings

EngineForApplication.cpp, xrefs: 001DFA60
Failed to default local update source, xrefs: 001DF9B7
update\%ls, xrefs: 001DF9A3
Failed to recreate command-line for update bundle., xrefs: 001DFA12
Failed to set update bundle., xrefs: 001DFACE
Failed to create bundle update guid., xrefs: 001DFA37
Failed to convert bundle update guid into string., xrefs: 001DFA6A

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$CreateEnterFromLeaveStringUuid
String ID: EngineForApplication.cpp$Failed to convert bundle update guid into string.$Failed to create bundle update guid.$Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
API String ID: 171215650-2594647487
Opcode ID: bf177ef29c166ad3131c279352502a954301f0dfd39c412428d7ea81b241becc
Instruction ID: 3fc9bfd48e692e0de51133cfd75ca014b96d2ecec34a49c123f76542a204c83c
Opcode Fuzzy Hash: bf177ef29c166ad3131c279352502a954301f0dfd39c412428d7ea81b241becc
Instruction Fuzzy Hash: 6B619F31940215BBCF258FA4C845FAEBBB4EF18714F11417EF80AAB252D7719E52CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C4AE5, Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 001C4C64
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001C4C75

Strings

Failed to check global conditions, xrefs: 001C4B49
Failed to set action variables., xrefs: 001C4BC4
Failed to set registration variables., xrefs: 001C4BDE
Failed to create the message window., xrefs: 001C4B98
Failed to set layout directory variable to value provided from command-line., xrefs: 001C4C06
WixBundleLayoutDirectory, xrefs: 001C4BF5
Failed to open log., xrefs: 001C4B18
Failed to query registration., xrefs: 001C4BAE
Failed while running , xrefs: 001C4C2A

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: 3c4b0526c18e04d80cc8b320857b47f0af15a4f5a7dea4510931175d09c50633
Instruction ID: 5008f468f6d5d65608288313f2b8dc790284584aaaa3ed4c9616a4deafe24452
Opcode Fuzzy Hash: 3c4b0526c18e04d80cc8b320857b47f0af15a4f5a7dea4510931175d09c50633
Instruction Fuzzy Hash: AD410731609B1ABBDB3B5A60CD65FBAB66CFF21750F01421AF80496261EB70ED2097D4

Uniqueness

Uniqueness Score: -1.00%

Function 001DF051, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 125COMMON

Download Yara Rule

APIs

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 001DF06E
LeaveCriticalSection.KERNEL32(?), ref: 001DF19B

Strings

EngineForApplication.cpp, xrefs: 001DF17C
Failed to post launch approved exe message., xrefs: 001DF186
UX requested unknown approved exe with id: %ls, xrefs: 001DF0CE
Failed to copy the id., xrefs: 001DF100
Failed to copy the arguments., xrefs: 001DF12D
Engine is active, cannot change engine state., xrefs: 001DF089

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID: Engine is active, cannot change engine state.$EngineForApplication.cpp$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls
API String ID: 1367039788-528931743
Opcode ID: f288cb5fd044493c2928016d185a34c13123c2737c18460b13a5bbaa30387a4d
Instruction ID: 0d7aecdffb86de55e8dd65111d5a2aeabf0b5572015199d79160da8a98e47c90
Opcode Fuzzy Hash: f288cb5fd044493c2928016d185a34c13123c2737c18460b13a5bbaa30387a4d
Instruction Fuzzy Hash: C431D232A51225EFDB219F64DC49E9B77E8AF14720B01852AFC05EB352EB30DE1186D0

Uniqueness

Uniqueness Score: -1.00%

Function 001D969D, Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,001DA7D4,00000000,00000000,00000000,?,00000000), ref: 001D96B8
GetLastError.KERNEL32(?,001DA7D4,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 001D96C6

Part of subcall function 00204102: Sleep.KERNEL32(?,00000000,?,001D85EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,001C4DBC), ref: 00204119

CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 001D97A4

Strings

cache.cpp, xrefs: 001D96EA
Failed to open container in working path: %ls, xrefs: 001D96F5
Failed to copy %ls to %ls, xrefs: 001D9792
Failed to move %ls to %ls, xrefs: 001D977C
Moving, xrefs: 001D973A
Failed to verify container hash: %ls, xrefs: 001D9727
Copying, xrefs: 001D9743, 001D974E
%ls container from working path '%ls' to path '%ls', xrefs: 001D974F

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep
String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
API String ID: 1275171361-1187406825
Opcode ID: 8923933583df316c5f432d8c21b04c5b877a6060ca438cb19176e631a9e35dd1
Instruction ID: e4d764a68961597784c33f9cd48346b68a02a62cdba866ac74d2f7cfb6f39616
Opcode Fuzzy Hash: 8923933583df316c5f432d8c21b04c5b877a6060ca438cb19176e631a9e35dd1
Instruction Fuzzy Hash: DD213A72AA03247BE73219548C8AFEB356CDFA1B60F110116FE14BF3C1D3A59C218AE1

Uniqueness

Uniqueness Score: -1.00%

Function 001C6F85, Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 227COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 001C6FB2
LeaveCriticalSection.KERNEL32(?), ref: 001C71BE

Strings

Failed to set variable value., xrefs: 001C7171
Failed to read variable literal flag., xrefs: 001C7199
Failed to read variable value type., xrefs: 001C71A0
Failed to set variable., xrefs: 001C7192
Failed to read variable value as number., xrefs: 001C7178
Failed to read variable name., xrefs: 001C71A7
Failed to read variable count., xrefs: 001C6FD2
Failed to read variable included flag., xrefs: 001C71AE
Unsupported variable type., xrefs: 001C7184
Failed to read variable value as string., xrefs: 001C718B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
API String ID: 3168844106-528957463
Opcode ID: 2e669e9c932c3b5061cc186c191901f8a97acccf4a4a4b1796c5dc51fd8c512c
Instruction ID: e655e7df189b442683a7267320756be7782ff7b94d749f15ba7203632cc6ed29
Opcode Fuzzy Hash: 2e669e9c932c3b5061cc186c191901f8a97acccf4a4a4b1796c5dc51fd8c512c
Instruction Fuzzy Hash: FB719E71C0525EABDF12DEA4CC46FAEBBB9EF25710F154129F900A6191D7B0DE209FA0

Uniqueness

Uniqueness Score: -1.00%

Function 002044D1, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 255fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 00204550
GetLastError.KERNEL32 ref: 00204566
GetFileSizeEx.KERNEL32(00000000,?), ref: 002045BF
GetLastError.KERNEL32 ref: 002045C9
SetFilePointer.KERNEL32(00000000,?,?,00000001), ref: 0020461D
GetLastError.KERNEL32 ref: 00204628
ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00000001), ref: 00204717
CloseHandle.KERNEL32(?), ref: 0020478A

Strings

fileutil.cpp, xrefs: 002044F1, 002045A8, 002045E9, 0020476D

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandlePointerReadSize
String ID: fileutil.cpp
API String ID: 3286166115-2967768451
Opcode ID: 4d4bd340e0370eb21df8859d1b4e9714511d17dd772dd1d2cf5c979ae8b23037
Instruction ID: 96e0828f0a0f77598b20ae5c1fcb7dc1ab1b38c4db6d60c0624a78991bb39b6e
Opcode Fuzzy Hash: 4d4bd340e0370eb21df8859d1b4e9714511d17dd772dd1d2cf5c979ae8b23037
Instruction Fuzzy Hash: E58147F2A60327EBDB21AE559C45F6A7698AB11720F11C219FF15EB2D2E770CD2086D0

Uniqueness

Uniqueness Score: -1.00%

Function 001C3076, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 210COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000040,00000000,00000000), ref: 001C30C1
GetLastError.KERNEL32 ref: 001C30C7
ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000000), ref: 001C3121
GetLastError.KERNEL32 ref: 001C3127
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001C31DB
GetLastError.KERNEL32 ref: 001C31E5
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 001C323B
GetLastError.KERNEL32 ref: 001C3245

Strings

pathutil.cpp, xrefs: 001C30EB
@, xrefs: 001C309B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
String ID: @$pathutil.cpp
API String ID: 1547313835-3022285739
Opcode ID: 4c350979a0c8d1d2b053b412aec8dfde44682ff3a238192ab3696c79933ac40c
Instruction ID: 4cc9ccef8315cb5448e0f148c8451175a44c16254845364a223e72c38fe53782
Opcode Fuzzy Hash: 4c350979a0c8d1d2b053b412aec8dfde44682ff3a238192ab3696c79933ac40c
Instruction Fuzzy Hash: E261B573D00229BBDF219AD48845FDEB7A5AB24750F158159EE21BB250E735DF0087D0

Uniqueness

Uniqueness Score: -1.00%

Function 001D4D8D, Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 001D4DC0
StringFromGUID2.OLE32(?,?,00000027), ref: 001D4DEF
UuidCreate.RPCRT4(?), ref: 001D4E3A
StringFromGUID2.OLE32(?,?,00000027), ref: 001D4E66

Strings

Failed to convert pipe guid into string., xrefs: 001D4E0C
Failed to create pipe guid., xrefs: 001D4DCD
Failed to allocate pipe name., xrefs: 001D4E2F
Failed to allocate pipe secret., xrefs: 001D4E8F
pipe.cpp, xrefs: 001D4E00, 001D4E4D
BurnPipe.%s, xrefs: 001D4E1B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CreateFromStringUuid
String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
API String ID: 4041566446-2510341293
Opcode ID: ef17d2666b3252334d10beb58add2200ee72261eff87b10b6bc84fb54437cd69
Instruction ID: a8fb98536d72b943ee6cc1b6ed05c9bb04c61ae9cbdb6e5ceea195a60f778e6c
Opcode Fuzzy Hash: ef17d2666b3252334d10beb58add2200ee72261eff87b10b6bc84fb54437cd69
Instruction Fuzzy Hash: ED419A72D00308BBDB21EBE4CD45EDEB7F8AB65710F20012AF909BB241D7749A55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001DEA7D, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,001C548E,?,?), ref: 001DEA9D
GetLastError.KERNEL32(?,001C548E,?,?), ref: 001DEAAA
CreateThread.KERNEL32 ref: 001DEB03
GetLastError.KERNEL32(?,001C548E,?,?), ref: 001DEB10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,001C548E,?,?), ref: 001DEB4B
CloseHandle.KERNEL32(00000000,?,001C548E,?,?), ref: 001DEB6A
CloseHandle.KERNEL32(?,?,001C548E,?,?), ref: 001DEB77

Strings

Failed to create the UI thread., xrefs: 001DEB3B
Failed to create initialization event., xrefs: 001DEAD5
uithread.cpp, xrefs: 001DEACB, 001DEB31

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: 3b231b71fc2236c94dee7bfe84da67a9e8945c16baf0bc4ab05cfc11cc44ef71
Instruction ID: 7c5cf48df041cd6e7dc75891e03c52fff133417c0697757a08aa6effbab6d1bd
Opcode Fuzzy Hash: 3b231b71fc2236c94dee7bfe84da67a9e8945c16baf0bc4ab05cfc11cc44ef71
Instruction Fuzzy Hash: 25319676D01219BBD711AF999D85A9FBAE8FF14751F110166BD04FB341E7309E0086A0

Uniqueness

Uniqueness Score: -1.00%

Function 001DE645, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 97threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,001C548E,?,?), ref: 001DE666
GetLastError.KERNEL32(?,?,001C548E,?,?), ref: 001DE673
CreateThread.KERNEL32 ref: 001DE6D2
GetLastError.KERNEL32(?,?,001C548E,?,?), ref: 001DE6DF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,001C548E,?,?), ref: 001DE71A
CloseHandle.KERNEL32(?,?,?,001C548E,?,?), ref: 001DE72E
CloseHandle.KERNEL32(?,?,?,001C548E,?,?), ref: 001DE73B

Strings

Failed to create modal event., xrefs: 001DE69E
splashscreen.cpp, xrefs: 001DE694, 001DE700
Failed to create UI thread., xrefs: 001DE70A

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
API String ID: 2351989216-1977201954
Opcode ID: 22e0a45a52d12fced223bd0ff760bee7af67d88c08a342fd4472a84481151811
Instruction ID: 9ab9df2bed3e784b4d2e1f9f241ad8b3cb084cbccb09eda155d3438e84549521
Opcode Fuzzy Hash: 22e0a45a52d12fced223bd0ff760bee7af67d88c08a342fd4472a84481151811
Instruction Fuzzy Hash: D4319576D00229BBDB21AB99DC49A9FBBF8EF54711F114167FD10FA341E77099408AE0

Uniqueness

Uniqueness Score: -1.00%

Function 001E14E1, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,74B5F5E0,?,?,001C5405,001C53BD,00000000,001C5445), ref: 001E1506
GetLastError.KERNEL32 ref: 001E1519
GetExitCodeThread.KERNEL32(0020B488,?), ref: 001E155B
GetLastError.KERNEL32 ref: 001E1569
ResetEvent.KERNEL32(0020B460), ref: 001E15A4
GetLastError.KERNEL32 ref: 001E15AE

Strings

Failed to get extraction thread exit code., xrefs: 001E159A
cabextract.cpp, xrefs: 001E1540, 001E1590, 001E15D5
Failed to wait for operation complete event., xrefs: 001E154A
Failed to reset operation complete event., xrefs: 001E15DF

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: b4724edb09d8dae13618bcc923988f2e0ee210ccb219f5f15325a2a6b1dbb283
Instruction ID: 123b82fcf635bff904a780875bf23ac819579f32cd942683877e8d84ab86e98d
Opcode Fuzzy Hash: b4724edb09d8dae13618bcc923988f2e0ee210ccb219f5f15325a2a6b1dbb283
Instruction Fuzzy Hash: 0131D471A01745BBD7119F669D05BAF77F8EF55700B10812AF902DA160E731CA409B51

Uniqueness

Uniqueness Score: -1.00%

Function 001E15FE, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(0020B478,?,00000000,?,001CC1D3,?,001C53BD,00000000,?,001D784D,?,001C566D,001C5479,001C5479,00000000,?), ref: 001E161B
GetLastError.KERNEL32(?,001CC1D3,?,001C53BD,00000000,?,001D784D,?,001C566D,001C5479,001C5479,00000000,?,001C5489,FFF9E89D,001C5489), ref: 001E1625
WaitForSingleObject.KERNEL32(0020B488,000000FF,?,001CC1D3,?,001C53BD,00000000,?,001D784D,?,001C566D,001C5479,001C5479,00000000,?,001C5489), ref: 001E165F
GetLastError.KERNEL32(?,001CC1D3,?,001C53BD,00000000,?,001D784D,?,001C566D,001C5479,001C5479,00000000,?,001C5489,FFF9E89D,001C5489), ref: 001E1669
CloseHandle.KERNEL32(00000000,001C5489,?,00000000,?,001CC1D3,?,001C53BD,00000000,?,001D784D,?,001C566D,001C5479,001C5479,00000000), ref: 001E16B4
CloseHandle.KERNEL32(00000000,001C5489,?,00000000,?,001CC1D3,?,001C53BD,00000000,?,001D784D,?,001C566D,001C5479,001C5479,00000000), ref: 001E16C3
CloseHandle.KERNEL32(00000000,001C5489,?,00000000,?,001CC1D3,?,001C53BD,00000000,?,001D784D,?,001C566D,001C5479,001C5479,00000000), ref: 001E16D2

Strings

cabextract.cpp, xrefs: 001E1649, 001E168D
Failed to wait for thread to terminate., xrefs: 001E1697
Failed to set begin operation event., xrefs: 001E1653

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseHandle$ErrorLast$EventObjectSingleWait
String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
API String ID: 1206859064-226982402
Opcode ID: 324377f8232f92f662cc65a60539fecd86990e5d0a1c4a8f728ac9dfa6bf7699
Instruction ID: 35797679ae57b86ebc9a6a95ca87d80aa548ec3b8c17051a6cd990ce6ab0eb97
Opcode Fuzzy Hash: 324377f8232f92f662cc65a60539fecd86990e5d0a1c4a8f728ac9dfa6bf7699
Instruction Fuzzy Hash: 33214733511E22BBC7325B63CC0DB5AB6A0BF1C721F090224F804659A0D3B4ECA0CED8

Uniqueness

Uniqueness Score: -1.00%

Function 001D41EC, Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00200523: EnterCriticalSection.KERNEL32(0022B5FC,00000000,?,?,?,001D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,001C54FA,?), ref: 00200533
Part of subcall function 00200523: LeaveCriticalSection.KERNEL32(0022B5FC,?,?,0022B5F4,?,001D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,001C54FA,?), ref: 0020067A

OpenEventLogW.ADVAPI32(00000000,Application), ref: 001D4212
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 001D421E
ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,002139D4,00000000), ref: 001D426B
CloseEventLog.ADVAPI32(00000000), ref: 001D4272

Strings

logging.cpp, xrefs: 001D4242
Application, xrefs: 001D420C
txt, xrefs: 001D41F2
Failed to open Application event log, xrefs: 001D424C
Setup, xrefs: 001D41FC
_Failed, xrefs: 001D41F7

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
String ID: Application$Failed to open Application event log$Setup$_Failed$logging.cpp$txt
API String ID: 1844635321-1389066741
Opcode ID: c70706aa21d178b5e2fc9e5870e46e53f46c94b8b010ae12f682a83b54930fae
Instruction ID: 51f03382573d6cded0dc01e2818d7babb604ccce2fea002ea2132354505e8a65
Opcode Fuzzy Hash: c70706aa21d178b5e2fc9e5870e46e53f46c94b8b010ae12f682a83b54930fae
Instruction Fuzzy Hash: 87F0D632A553713BA73262622C0DEBB1CADDAA3F357010119BC10F1281E7548A5144F4

Uniqueness

Uniqueness Score: -1.00%

Function 001D93FE, Relevance: 16.7, APIs: 2, Strings: 9, Instructions: 226COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 001D949E
GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 001D94C6

Strings

Failed to get file hash., xrefs: 001D94F0
cache.cpp, xrefs: 001D94E6, 001D95FA, 001D964B
Failed to allocate memory, xrefs: 001D946F
Failed to encode file hash., xrefs: 001D9551
Could not verify file %ls., xrefs: 001D9607
0, xrefs: 001D955E
$, xrefs: 001D959D
Failed to allocate string., xrefs: 001D9534
Could not close verify handle., xrefs: 001D9655

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast
String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$cache.cpp
API String ID: 1452528299-4263581490
Opcode ID: 3e8188dbb008683153eac4c5a1ce9b2080e66e69117402eccd9d611c83c5c078
Instruction ID: 24b1bdfba979028728a18bde8d9fd83734493216bb33b6014ec9bf24a11891ba
Opcode Fuzzy Hash: 3e8188dbb008683153eac4c5a1ce9b2080e66e69117402eccd9d611c83c5c078
Instruction Fuzzy Hash: 76718172D00229ABDB21DFD4C845FEEB7B8AF18710F11012AF915BB391E7759D418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001DE56C, Relevance: 16.6, APIs: 11, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 001DE577
DefWindowProcW.USER32(?,00000082,?,?), ref: 001DE5B5
SetWindowLongW.USER32 ref: 001DE5C2
SetWindowLongW.USER32 ref: 001DE5D1
DefWindowProcW.USER32(?,?,?,?), ref: 001DE5DF
CreateCompatibleDC.GDI32(?), ref: 001DE5EB
SelectObject.GDI32(00000000,00000000), ref: 001DE5FC
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 001DE61E
SelectObject.GDI32(00000000,00000000), ref: 001DE626
DeleteDC.GDI32(00000000), ref: 001DE629
PostQuitMessage.USER32(00000000), ref: 001DE637

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
String ID:
API String ID: 409979828-0
Opcode ID: 8222bccf431bd3062d1920f4849c2ad3ca5fe804050328556724d6a1c00fed13
Instruction ID: d269faa1f279fa81a793ff3e5bc19055232b55e57e8bcdaab9b1566da8c30347
Opcode Fuzzy Hash: 8222bccf431bd3062d1920f4849c2ad3ca5fe804050328556724d6a1c00fed13
Instruction Fuzzy Hash: AE219D32100204BFDB266F78EC0CD7B3FA9EF49362F164559FA169A2B1D7319810DB60

Uniqueness

Uniqueness Score: -1.00%

Function 001DA13A, Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 222COMMON

Download Yara Rule

Strings

Failed to combine last source with source., xrefs: 001DA210
WixBundleOriginalSource, xrefs: 001DA1B7
WixBundleLayoutDirectory, xrefs: 001DA26C
Failed to copy source path., xrefs: 001DA31A
WixBundleLastUsedSource, xrefs: 001DA1A1
Failed to combine layout source with source., xrefs: 001DA2A4
Failed to get bundle layout directory property., xrefs: 001DA287
Failed to get current process directory., xrefs: 001DA1F3

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Find$CloseFileFirstlstrlen
String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
API String ID: 2767606509-3003062821
Opcode ID: 5c73278313a0a17aaea85b40a8227870b71c3c3d264a5a4722504ccd11412165
Instruction ID: 611fbca367e5d641eb44990347e40ccde39a4096a0346e4981a869e7467a9d41
Opcode Fuzzy Hash: 5c73278313a0a17aaea85b40a8227870b71c3c3d264a5a4722504ccd11412165
Instruction Fuzzy Hash: 9C718D71D01229ABCF16DFA8D845AEEB7B9BF18310F95012AE911B7390D771AD40CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001C2DBF, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 203sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 001C2E5F
GetLastError.KERNEL32 ref: 001C2E69
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 001C2F09
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 001C2F96
GetLastError.KERNEL32 ref: 001C2FA3
Sleep.KERNEL32(00000064), ref: 001C2FB7
CloseHandle.KERNEL32(?), ref: 001C301F

Strings

%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 001C2F66
pathutil.cpp, xrefs: 001C2E8D

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 3480017824-1101990113
Opcode ID: ee818dd7a5584c69d4c226c48622a394fca7bb3d702f524b99e4aa532ea2f037
Instruction ID: 9df8f0c9f01a026af1a9fd9543d3dd7b523c9ad6a3c9f5bf50c7a879d67c470c
Opcode Fuzzy Hash: ee818dd7a5584c69d4c226c48622a394fca7bb3d702f524b99e4aa532ea2f037
Instruction Fuzzy Hash: 01717372D01229ABDB319F94DC49FAEB7B8AB28710F104199F914B7291D774DE90CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00206D50, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 165COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,74B04160,?,002072C8,?,?), ref: 00206DA6
SysFreeString.OLEAUT32(00000000), ref: 00206E11
SysFreeString.OLEAUT32(00000000), ref: 00206E89
SysFreeString.OLEAUT32(00000000), ref: 00206EC8

Strings

label, xrefs: 00206D98
scheme, xrefs: 00206DB9
term, xrefs: 00206DD9

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: String$Free$Compare
String ID: label$scheme$term
API String ID: 1324494773-4117840027
Opcode ID: 1453c35226ee641d7614278e1159e153e07ce8733c437d4361ebc25559ea2643
Instruction ID: c8721400e41720bb2c09b84288c045ed62de1fc2197d5872edae5bcec4d53c17
Opcode Fuzzy Hash: 1453c35226ee641d7614278e1159e153e07ce8733c437d4361ebc25559ea2643
Instruction Fuzzy Hash: 3E515E3592131AFBDB25DF94C848FAEBBB8EF04711F244295E511A61E2D7319E20DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001CCBC5, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,001C53BD,00000000,001C5489,001C5445,WixBundleUILevel,840F01E8,?,00000001), ref: 001CCC1C

Strings

Failed to concat file paths., xrefs: 001CCCFC
Failed to get directory portion of local file path, xrefs: 001CCCF5
Failed to find embedded payload: %ls, xrefs: 001CCC48
Payload was not found in container: %ls, xrefs: 001CCD29
Failed to extract file., xrefs: 001CCCE7
Failed to ensure directory exists, xrefs: 001CCCEE
Failed to get next stream., xrefs: 001CCD03
payload.cpp, xrefs: 001CCD1D

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CompareString
String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-1711239286
Opcode ID: 0dd768ca6b21f8dcee2fb9658d12173d4f6813baeb4b16140c5e4ac6afc4f074
Instruction ID: b8e5874e36afc7aed5fd726c84c188ddd88614b3e38b8d32bd65dd5f515aaadb
Opcode Fuzzy Hash: 0dd768ca6b21f8dcee2fb9658d12173d4f6813baeb4b16140c5e4ac6afc4f074
Instruction Fuzzy Hash: 6641BF31940215ABCF299F88CD81FAEBB65AF20710B11816DE81DAB292D770DD50DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 001C4796, Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 001C47BB
GetCurrentThreadId.KERNEL32 ref: 001C47C1
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001C484F

Strings

Failed to start bootstrapper application., xrefs: 001C481D
wininet.dll, xrefs: 001C47EE
Failed to create engine for UX., xrefs: 001C47DB
Failed to load UX., xrefs: 001C4804
engine.cpp, xrefs: 001C489B
Unexpected return value from message pump., xrefs: 001C48A5

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: b12153d81a8bebb56d9db1f7da2f5d72ae4899de7a2696fd264a517c4016b052
Instruction ID: 02f1cc4817020809a798bd0a69b406f514ad3b9437d30acba60a6e8666d6d03c
Opcode Fuzzy Hash: b12153d81a8bebb56d9db1f7da2f5d72ae4899de7a2696fd264a517c4016b052
Instruction Fuzzy Hash: B541C171A04655BFEB259BA0DC99FBAB7ACEF24314F100229F905E7291DB20ED1187A0

Uniqueness

Uniqueness Score: -1.00%

Function 001E9C84, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 128COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,001EB03E,?,00000001,00000000), ref: 001E9D0F
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,001EB03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 001E9D19
CopyFileExW.KERNEL32(00000000,00000000,001E9B69,?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 001E9D67
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,001EB03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 001E9D96

Strings

BA aborted copy of payload from: '%ls' to: %ls., xrefs: 001E9D8F
Failed attempt to copy payload from: '%ls' to: %ls., xrefs: 001E9DC8
copy, xrefs: 001E9CDD
apply.cpp, xrefs: 001E9D3D, 001E9D81, 001E9DBA
Failed to clear readonly bit on payload destination path: %ls, xrefs: 001E9D48

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLast$AttributesCopy
String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
API String ID: 1969131206-836986073
Opcode ID: a972c687aca46bf44fccf41e6d666995f55acb5a5e45ef667bf715a0bf3ada79
Instruction ID: 41d4091e37b51b520f438d430bd7b228d92e19b189e590f9123b80ced29bf57a
Opcode Fuzzy Hash: a972c687aca46bf44fccf41e6d666995f55acb5a5e45ef667bf715a0bf3ada79
Instruction Fuzzy Hash: 9D314A72B41A61B7DB209A93CC45EAF77A8FF52B10B258118BC09EB241E321CD10C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 001D8EBC, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 126COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 001D9007

Strings

cache.cpp, xrefs: 001D8FB0
Failed to allocate access for Administrators group to path: %ls, xrefs: 001D8F0F
Failed to create ACL to secure cache path: %ls, xrefs: 001D8FBB
Failed to allocate access for Users group to path: %ls, xrefs: 001D8F72
Failed to secure cache path: %ls, xrefs: 001D8FEA
Failed to allocate access for Everyone group to path: %ls, xrefs: 001D8F51
Failed to allocate access for SYSTEM group to path: %ls, xrefs: 001D8F30

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: FreeLocal
String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
API String ID: 2826327444-4113288589
Opcode ID: 0f0a021c01beddb7c013f5aba29e92432c233586d4b85d76821e389bc69ae829
Instruction ID: 091670a2f0099b5f23e6197a3aafa4f66ee4ca7a31333c20b60b6e4a9951c3a9
Opcode Fuzzy Hash: 0f0a021c01beddb7c013f5aba29e92432c233586d4b85d76821e389bc69ae829
Instruction Fuzzy Hash: 3341E432A40729B7DB3197508C46FEA766DEB61B10F1141A6FA04BB2C1DF71AE548BE0

Uniqueness

Uniqueness Score: -1.00%

Function 001D492F, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 117fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,crypt32.dll,00000008,?,00000000,?,00000000,00000000,crypt32.dll,00000000,?,?,?,00000000,?,00000000), ref: 001D495A
GetLastError.KERNEL32 ref: 001D4967
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 001D4A12
GetLastError.KERNEL32 ref: 001D4A1C

Strings

crypt32.dll, xrefs: 001D4956
Failed to read message from pipe., xrefs: 001D49E7
pipe.cpp, xrefs: 001D49C6, 001D49DD, 001D4A40
Failed to allocate data for message., xrefs: 001D49D0
Failed to read data for message., xrefs: 001D4A4A

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$crypt32.dll$pipe.cpp
API String ID: 1948546556-773887359
Opcode ID: 42f25a8dee2ae490d7d7cd72f97d8ea93ded1c89c49aa96e6102e4cf94e8c413
Instruction ID: 47e1b796e3fc473368b7c60cb5e7d55f8ec63c2f25f979aa94e3566cd426b802
Opcode Fuzzy Hash: 42f25a8dee2ae490d7d7cd72f97d8ea93ded1c89c49aa96e6102e4cf94e8c413
Instruction Fuzzy Hash: F4310B32D8022ABBDB25ABA58C45BAFF768FB14724F11813AFC55A7240D7709D508BD4

Uniqueness

Uniqueness Score: -1.00%

Function 001DE2AF, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 104windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(?,00000001), ref: 001DE2E5
GetLastError.KERNEL32 ref: 001DE2F1
GetObjectW.GDI32(00000000,00000018,?), ref: 001DE338
GetCursorPos.USER32(?), ref: 001DE359
MonitorFromPoint.USER32(?,?,00000002), ref: 001DE36B
GetMonitorInfoW.USER32 ref: 001DE381

Strings

Failed to load splash screen bitmap., xrefs: 001DE31F
(, xrefs: 001DE378
splashscreen.cpp, xrefs: 001DE315

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
String ID: ($Failed to load splash screen bitmap.$splashscreen.cpp
API String ID: 2342928100-598475503
Opcode ID: 5c91c64bb87f15cdfcf8ad4f64a1ca5d0bf519da3521c6673313dfbb98b51656
Instruction ID: b099369cf723cd97cbb26fcf138095e759d402d8fef927465d86bc21473c7d41
Opcode Fuzzy Hash: 5c91c64bb87f15cdfcf8ad4f64a1ca5d0bf519da3521c6673313dfbb98b51656
Instruction Fuzzy Hash: 0C314F71A00219AFDB14DFA8D989A9EBBF4FF08711F148159F904EB381DB70E9008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001D50CA, Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,?,?,0020B500), ref: 001D50D3
GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 001D5171
CloseHandle.KERNEL32(00000000), ref: 001D518A

Strings

Failed to allocate parameters for elevated process., xrefs: 001D510C
Failed to launch elevated child process: %ls, xrefs: 001D515E
runas, xrefs: 001D5131
open, xrefs: 001D513B, 001D5149
burn.elevated, xrefs: 001D50F3
-q -%ls %ls %ls %u, xrefs: 001D50F8

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Process$CloseCurrentHandle
String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
API String ID: 2815245435-1352204306
Opcode ID: 4d9db10b132b74ab5909e8a646d901f8b5faef85fb30b03977264df237d1b52b
Instruction ID: 6190329e8b12e19644d24636417b4fd9320b7f7dda835146d4017f876811d955
Opcode Fuzzy Hash: 4d9db10b132b74ab5909e8a646d901f8b5faef85fb30b03977264df237d1b52b
Instruction Fuzzy Hash: 892166B5D00609BFDF11AF94DC85AAEBBB9EF18350B10816AF814A2212D7319E609B90

Uniqueness

Uniqueness Score: -1.00%

Function 001C6882, Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 001C68AC
GetProcAddress.KERNEL32(00000000), ref: 001C68B3
GetLastError.KERNEL32 ref: 001C68BD

Strings

Failed to set variant value., xrefs: 001C6929
msi, xrefs: 001C68A3
DllGetVersion, xrefs: 001C689E
Failed to get msi.dll version info., xrefs: 001C6905
Failed to find DllGetVersion entry point in msi.dll., xrefs: 001C68EB
variable.cpp, xrefs: 001C68E1

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
API String ID: 4275029093-842451892
Opcode ID: 09f3caa06b4fc4dbaf0ff42fa9bdfb945665fbd01b1ea111a48078faec2e901e
Instruction ID: f08c87d30321491f3289a88ded95a8b79e6f465db30da5e9e0a74101d13038fc
Opcode Fuzzy Hash: 09f3caa06b4fc4dbaf0ff42fa9bdfb945665fbd01b1ea111a48078faec2e901e
Instruction Fuzzy Hash: D011E472A0173ABAD7216BA89C46FAFBBA49B28B10F110119FE00F6182D774DC1082E1

Uniqueness

Uniqueness Score: -1.00%

Function 001CD6C9, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,001C47FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,001C548E,?), ref: 001CD6DA
GetLastError.KERNEL32(?,001C47FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,001C548E,?,?), ref: 001CD6E7
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 001CD71F
GetLastError.KERNEL32(?,001C47FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,001C548E,?,?), ref: 001CD72B

Strings

Failed to create UX., xrefs: 001CD76F
userexperience.cpp, xrefs: 001CD708, 001CD74C
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 001CD756
Failed to load UX DLL., xrefs: 001CD712
BootstrapperApplicationCreate, xrefs: 001CD719

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
API String ID: 1866314245-2276003667
Opcode ID: 6d8f2c9fa3b2d812695fb3ce867ab25edd97167f72fa259bd10b416e93d950b8
Instruction ID: c7d9295568efdaa7d05e322c1f196f1dffce0a12113ce2457a922c3f8a210d18
Opcode Fuzzy Hash: 6d8f2c9fa3b2d812695fb3ce867ab25edd97167f72fa259bd10b416e93d950b8
Instruction Fuzzy Hash: 0F110437A90B33ABC73246946D0DF5B7A84AB25B61F02453DBE10EBAC1EB30DC1086D0

Uniqueness

Uniqueness Score: -1.00%

Function 001C1175, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 53libraryloadermemoryCOMMON

Download Yara Rule

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,001C111A,cabinet.dll,00000009,?,?,00000000), ref: 001C1186
GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,001C111A,cabinet.dll,00000009,?,?,00000000), ref: 001C1191
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 001C119F
GetLastError.KERNEL32(?,?,?,?,?,001C111A,cabinet.dll,00000009,?,?,00000000), ref: 001C11BA
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 001C11C2
GetLastError.KERNEL32(?,?,?,?,?,001C111A,cabinet.dll,00000009,?,?,00000000), ref: 001C11D7

Strings

SetDllDirectoryW, xrefs: 001C11BC
SetDefaultDllDirectories, xrefs: 001C1199
kernel32, xrefs: 001C118C

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AddressErrorLastProc$HandleHeapInformationModule
String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
API String ID: 3104334766-1824683568
Opcode ID: 9f452fbe4b69c94dcaf3703f7c2e0e0fa4dbc861623e91646841f85697fcd06b
Instruction ID: 2a641b6222bd8b96850ca1c20d3a55039be6424fbf3d92bd8300d656ec243e1d
Opcode Fuzzy Hash: 9f452fbe4b69c94dcaf3703f7c2e0e0fa4dbc861623e91646841f85697fcd06b
Instruction Fuzzy Hash: 8C019E3125031ABBD7226BA6AC49E6F7F5CFB62760B048019BA1592142EB70DA01CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 001DF639, Relevance: 15.2, APIs: 2, Strings: 8, Instructions: 155COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 001DF64E
LeaveCriticalSection.KERNEL32(?), ref: 001DF7C9

Strings

Failed to set download URL., xrefs: 001DF728
Failed to set download password., xrefs: 001DF777
UX requested unknown container with id: %ls, xrefs: 001DF6F3
UX denied while trying to set download URL on embedded payload: %ls, xrefs: 001DF6B9
Failed to set download user., xrefs: 001DF751
UX requested unknown payload with id: %ls, xrefs: 001DF6A3
UX did not provide container or payload id., xrefs: 001DF7B8
Engine is active, cannot change engine state., xrefs: 001DF668

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-2615595102
Opcode ID: 8135d1b47ebb214d6a9bb3c0cff5c57c1f34431ded5c6aeda78aca82eea71ff3
Instruction ID: 1d05e257358a3e5a02e85bdc9b635a06815963682ede89917ef57bf8a8a31cd3
Opcode Fuzzy Hash: 8135d1b47ebb214d6a9bb3c0cff5c57c1f34431ded5c6aeda78aca82eea71ff3
Instruction Fuzzy Hash: 3D41F832A11611ABCB219F24C845FEAB3A8AF11710F15417FF816EB391EB35DE51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00205A5E, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 196filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000410,000000FF,?,00000000,00000000), ref: 00205A9B
GetLastError.KERNEL32 ref: 00205AA9
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 00205AEA
GetLastError.KERNEL32 ref: 00205AF7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00205C6A
CloseHandle.KERNEL32(?), ref: 00205C79

Strings

GET, xrefs: 00205B9E
dlutil.cpp, xrefs: 00205ACD

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
String ID: GET$dlutil.cpp
API String ID: 2028584396-3303425918
Opcode ID: 8a74274312d4620377c0144cecfdb6b61415b41c7ebdfe1f10fe5d136f26fb1c
Instruction ID: edf454fee85bfe86a19a2e5c9457a440795c705ee5775ff82e2cab9f6f188467
Opcode Fuzzy Hash: 8a74274312d4620377c0144cecfdb6b61415b41c7ebdfe1f10fe5d136f26fb1c
Instruction Fuzzy Hash: 45617E72A1072AABDF21CFA4CC85BAF7BB8AF48754F110119FD15A7281D770D9608F90

Uniqueness

Uniqueness Score: -1.00%

Function 001D0C50, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 001D1020: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,001D0C6F,?,00000000,?,00000000,00000000), ref: 001D104F

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 001D0DF3
GetLastError.KERNEL32 ref: 001D0E00

Strings

Failed to append package start action., xrefs: 001D0C95
Failed to append payload cache action., xrefs: 001D0DAA
plan.cpp, xrefs: 001D0E24
Failed to append rollback cache action., xrefs: 001D0CCF
Failed to append cache action., xrefs: 001D0D4A
Failed to create syncpoint event., xrefs: 001D0E2E

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CompareCreateErrorEventLastString
String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
API String ID: 801187047-2489563283
Opcode ID: d6214984b0f1154a3d634c7b52ef0d198037017d65c1e97ec1b11955631de264
Instruction ID: 39d928a58f9622260144fcecc15a245fb35843d10d0e949bdb4d40fdcac72fd4
Opcode Fuzzy Hash: d6214984b0f1154a3d634c7b52ef0d198037017d65c1e97ec1b11955631de264
Instruction Fuzzy Hash: B5616F75500605EFCB16DF59C980AAABBFAFF98310F22845BE9059B311EB31EE41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001D05A2, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 133registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,0020B500,00000000,?), ref: 001D06D3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,0020B500,00000000,?), ref: 001D06E2

Part of subcall function 00200BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,001D061A,?,00000000,00020006), ref: 00200C0E

Strings

Failed to write volatile reboot required registry key., xrefs: 001D061E
crypt32.dll, xrefs: 001D05AC
%ls.RebootRequired, xrefs: 001D05F0
Failed to update resume mode., xrefs: 001D06B7
Failed to delete registration key: %ls, xrefs: 001D0681
Failed to open registration key., xrefs: 001D071A

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Close$Create
String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.$crypt32.dll
API String ID: 359002179-3398658923
Opcode ID: aad890353cd48b0de9463a67eb6d1d3a73437f49c1bc70f4156e6107b9cda9c8
Instruction ID: 71ac6ad1b6a4d55a042ebe8f5bfe1af0da00712ed7854d4ba65265c8d3ef512b
Opcode Fuzzy Hash: aad890353cd48b0de9463a67eb6d1d3a73437f49c1bc70f4156e6107b9cda9c8
Instruction Fuzzy Hash: FC418F31810718FBDF22AEA0DC46FAF7BBAEFA5310F10441AF91562262D771DA70DA51

Uniqueness

Uniqueness Score: -1.00%

Function 0020159E, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 117stringregistryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,BundleUpgradeCode), ref: 002015DA
lstrlenW.KERNEL32(?,00000002,00000001,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 0020163C
lstrlenW.KERNEL32(?), ref: 00201648
RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,?,00000001,?,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 0020168B

Strings

@f", xrefs: 002015B8
BundleUpgradeCode, xrefs: 002015A7
@f", xrefs: 00201633, 0020161C
regutil.cpp, xrefs: 002016B3

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: lstrlen$Value
String ID: @f"$@f"$BundleUpgradeCode$regutil.cpp
API String ID: 198323757-570920703
Opcode ID: 35b60de575d6fcaeafe0dc38bed55722f81601df5af4e205e88ed7b954d5478b
Instruction ID: 7ad0c6554bb7aad36cf0281414eb94dd21572196d0ecc687886893d6ab84a506
Opcode Fuzzy Hash: 35b60de575d6fcaeafe0dc38bed55722f81601df5af4e205e88ed7b954d5478b
Instruction Fuzzy Hash: E241917291032AAFDB219F989C85AAEBBBCFB54750F050159FD10AB252C771DD318BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00206C29, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,name,000000FF,00000000,00000000,00000000,?,74B04160), ref: 00206C88
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,email,000000FF), ref: 00206CA5
SysFreeString.OLEAUT32(00000000), ref: 00206CE3
SysFreeString.OLEAUT32(00000000), ref: 00206D27

Strings

name, xrefs: 00206C7A
uri, xrefs: 00206CB3
email, xrefs: 00206C97

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: String$CompareFree
String ID: email$name$uri
API String ID: 3589242889-1168628755
Opcode ID: ff88ad233fb4f7b8a2e958616f95622058036938759b41e3eac7f8253b72e422
Instruction ID: 7cd0935c5a91478ccdb72b4bf201efaba3807b2cdf0d6ec74ebe3c0bc591624c
Opcode Fuzzy Hash: ff88ad233fb4f7b8a2e958616f95622058036938759b41e3eac7f8253b72e422
Instruction Fuzzy Hash: F7416E32A21319BBDB219B94CD4DFADB775EF04721F2042A5E910AB1E2C7719E20DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001CF451, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 109stringCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 001CF48A

Part of subcall function 001C4115: CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,001DA0E8,00000000,00000000,?,00000000,001C53BD,00000000,?,?,001CD5B5,?), ref: 001C4123
Part of subcall function 001C4115: GetLastError.KERNEL32(?,001DA0E8,00000000,00000000,?,00000000,001C53BD,00000000,?,?,001CD5B5,?,00000000,00000000), ref: 001C4131

lstrlenA.KERNEL32(0020B500,00000000,00000094,00000000,00000094,?,?,001D04BF,swidtag,00000094,?,0020B518,001D04BF,00000000,?,00000000), ref: 001CF4DD

Part of subcall function 00204DB3: CreateFileW.KERNEL32(0020B500,40000000,00000001,00000000,00000002,00000080,00000000,001D04BF,00000000,?,001CF4F4,?,00000080,0020B500,00000000), ref: 00204DCB
Part of subcall function 00204DB3: GetLastError.KERNEL32(?,001CF4F4,?,00000080,0020B500,00000000,?,001D04BF,?,00000094,?,?,?,?,?,00000000), ref: 00204DD8

Strings

swidtag, xrefs: 001CF49D
Failed to write tag xml to file: %ls, xrefs: 001CF51B
Failed to create regid folder: %ls, xrefs: 001CF525
Failed to allocate regid file path., xrefs: 001CF535
Failed to format tag folder path., xrefs: 001CF543
Failed to allocate regid folder path., xrefs: 001CF53C

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$swidtag
API String ID: 904508749-1201533908
Opcode ID: 91b2068d62e8be0f8f0e29877a012a5623ab7bc369fa664ce0fea7a4597399bd
Instruction ID: f5f86064158f6f64013596171428e6e283781b6b9245ccfae38634f19b85bc2d
Opcode Fuzzy Hash: 91b2068d62e8be0f8f0e29877a012a5623ab7bc369fa664ce0fea7a4597399bd
Instruction Fuzzy Hash: 11316D71D00229FBCB119E94CC45FADBBB6AF24710F10816EFA10B6251D771DEA19F90

Uniqueness

Uniqueness Score: -1.00%

Function 001D53E2, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 91synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,001C548E,00000000,00000000,?,00000000), ref: 001D548B
GetLastError.KERNEL32(?,?,?,001C4C61,?,?,00000000,?,?,?,?,?,?,0020B4A0,?,?), ref: 001D5496

Strings

Failed to wait for child process exit., xrefs: 001D54C4
Failed to write restart to message buffer., xrefs: 001D542E
Failed to post terminate message to child process cache thread., xrefs: 001D545A
pipe.cpp, xrefs: 001D54BA
Failed to write exit code to message buffer., xrefs: 001D5406
Failed to post terminate message to child process., xrefs: 001D5476

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
API String ID: 1211598281-2161881128
Opcode ID: 91faac3e4e6a3a34618b04f78f5d9b39157c7aa409c7074ec40a0a4af4a1e25a
Instruction ID: 884ddae4293a09555a9bd843a9ba84bd9b99e3af5d76cba3f12e1143dc088ef9
Opcode Fuzzy Hash: 91faac3e4e6a3a34618b04f78f5d9b39157c7aa409c7074ec40a0a4af4a1e25a
Instruction Fuzzy Hash: C1212833950A29BBDF225B54DC05EDE77AAAF10731F114213F904B6390E730ADA096E1

Uniqueness

Uniqueness Score: -1.00%

Function 001D9098, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,001D9F04,00000003,000007D0,00000003,?,000007D0), ref: 001D90B2
GetLastError.KERNEL32(?,001D9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001,?), ref: 001D90BF
CloseHandle.KERNEL32(00000000,?,001D9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001), ref: 001D9187

Strings

Failed to verify catalog signature of payload: %ls, xrefs: 001D914E
cache.cpp, xrefs: 001D90F6
Failed to open payload at path: %ls, xrefs: 001D9103
Failed to verify signature of payload: %ls, xrefs: 001D912F
Failed to verify hash of payload: %ls, xrefs: 001D9172

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
API String ID: 2528220319-2757871984
Opcode ID: 5f7c044d3450fc887e79e256f61288fe0c74fbb7494d6ab41d247d5bace17684
Instruction ID: 67e747b819eaf30252c47a5212d3a97c3a0fd200d420af90b677a132a4f5f48e
Opcode Fuzzy Hash: 5f7c044d3450fc887e79e256f61288fe0c74fbb7494d6ab41d247d5bace17684
Instruction Fuzzy Hash: 02212136540627BBCB331AA88C4DFEE7A29AF507B0F114313FC102A3A093359C61EAD0

Uniqueness

Uniqueness Score: -1.00%

Function 001C6B1E, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 001C6B69
GetLastError.KERNEL32 ref: 001C6B73
GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 001C6BB7
GetLastError.KERNEL32 ref: 001C6BC1

Strings

Failed to set variant value., xrefs: 001C6C0B
Failed to get volume path name., xrefs: 001C6BEF
Failed to get windows directory., xrefs: 001C6BA1
variable.cpp, xrefs: 001C6B97, 001C6BE5

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$DirectoryNamePathVolumeWindows
String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
API String ID: 124030351-4026719079
Opcode ID: 0f8f64f565daa20fab68eda9774f92fc7e39db4cff9ef63e06d7465cd508d1fe
Instruction ID: b31a98f4f265e1b286259c02c410e5669ccd12f0bd085b21f9d4ad68d9c870fe
Opcode Fuzzy Hash: 0f8f64f565daa20fab68eda9774f92fc7e39db4cff9ef63e06d7465cd508d1fe
Instruction Fuzzy Hash: 6621D373E4133967D73096949D0AF9F72AC9B60B10F114169BD04F7282EB34EE408AE5

Uniqueness

Uniqueness Score: -1.00%

Function 001C9C6D, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 001C9C88
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,000002C0,?,001CA895,00000100,000002C0,000002C0,?,000002C0), ref: 001C9CA0
GetLastError.KERNEL32(?,001CA895,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 001C9CAB

Strings

File search: %ls, did not find path: %ls, xrefs: 001C9CFD
Failed to set variable., xrefs: 001C9D2B
Failed to format variable string., xrefs: 001C9C93
search.cpp, xrefs: 001C9CDB
Failed get to file attributes. '%ls', xrefs: 001C9CE8

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
API String ID: 1811509786-2053429945
Opcode ID: 1ab26ee690dff73db731e86c64e7fda7eae2625ae90f830296db368591c9cc30
Instruction ID: 531402b65f0909456d420e9b60bf1dc9da51b9ca5241f819849ab68f53f59e7b
Opcode Fuzzy Hash: 1ab26ee690dff73db731e86c64e7fda7eae2625ae90f830296db368591c9cc30
Instruction Fuzzy Hash: AA214633950224BAEB2116D48C8EFAEF668EF31761F210219FD15761E1D721DD2096D1

Uniqueness

Uniqueness Score: -1.00%

Function 001DAD40, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 001DAD57
GetLastError.KERNEL32 ref: 001DAD61
CoInitializeEx.OLE32(00000000,00000000), ref: 001DADA0
CoUninitialize.OLE32(?,001DC721,?,?), ref: 001DADDD

Strings

Failed to pump messages in child process., xrefs: 001DADCB
Failed to initialize COM., xrefs: 001DADAC
elevation.cpp, xrefs: 001DAD85
Failed to set elevated cache pipe into thread local storage for logging., xrefs: 001DAD8F

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorInitializeLastUninitializeValue
String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
API String ID: 876858697-113251691
Opcode ID: c3c4b5a886977a7d0f3c504cc33809f804a5fee2b0ea1439675b65bb4d06f286
Instruction ID: d2cc362dab95548daaae0933a2ccc9912250401241d5220c956524f2c02c58d1
Opcode Fuzzy Hash: c3c4b5a886977a7d0f3c504cc33809f804a5fee2b0ea1439675b65bb4d06f286
Instruction Fuzzy Hash: 88115072951B35BBCB3297849C09D9FBEA9EF11B62B110217FD00B3340EB20AD0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 001C5CE2, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 001C5D68

Part of subcall function 002010B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0020112B
Part of subcall function 002010B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00201163

Strings

CommonFilesDir, xrefs: 001C5CF0, 001C5D24, 001C5D33
Failed to ensure path was backslash terminated., xrefs: 001C5D52
Failed to read folder path for '%ls'., xrefs: 001C5D34
+, xrefs: 001C5CEA
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 001C5D05
Failed to open Windows folder key., xrefs: 001C5D1A
ProgramFilesDir, xrefs: 001C5CF7

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: QueryValue$Close
String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 1979452859-3209209246
Opcode ID: f0aecc5574470d89adb211f7fab4476b02953a2d3991bf60430769a9263ff66b
Instruction ID: 81c097b1aba55911736259d7f5eb249c91e1c7b3209d1d11e0e8da529b5640c4
Opcode Fuzzy Hash: f0aecc5574470d89adb211f7fab4476b02953a2d3991bf60430769a9263ff66b
Instruction Fuzzy Hash: AD014532A15728B7CB2256D48C0AFAE7B29CB21720F150219FC01762A3CB70DE609690

Uniqueness

Uniqueness Score: -1.00%

Function 001EA271, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 174COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 001EA33E
GetLastError.KERNEL32(?,?,?,?,00000000,00000000), ref: 001EA348

Strings

:, xrefs: 001EA3C1
download, xrefs: 001EA308
apply.cpp, xrefs: 001EA36C
Failed attempt to download URL: '%ls' to: '%ls', xrefs: 001EA425
Failed to clear readonly bit on payload destination path: %ls, xrefs: 001EA377

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
API String ID: 1799206407-1905830404
Opcode ID: f2a34ee5a2d516c278eaff47249bc5f0ece35cfed8f6dc41d5076a1377a24f40
Instruction ID: 90a985b4a4857169a819838f1729a3b5c33074315fc103f1c19274ddbd0cd3c7
Opcode Fuzzy Hash: f2a34ee5a2d516c278eaff47249bc5f0ece35cfed8f6dc41d5076a1377a24f40
Instruction Fuzzy Hash: C551B171A00A1AAFDB11DF9AC885EEEB7B5FF14710F548059F904EB241E371EA40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00206EFF, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,74B04160,000000FF,type,000000FF,?,74B04160,74B04160,74B04160), ref: 00206F55
SysFreeString.OLEAUT32(00000000), ref: 00206FA0
SysFreeString.OLEAUT32(00000000), ref: 0020701C
SysFreeString.OLEAUT32(00000000), ref: 00207068

Strings

url, xrefs: 00206F68
type, xrefs: 00206F47

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: String$Free$Compare
String ID: type$url
API String ID: 1324494773-1247773906
Opcode ID: 6ef60fb7402615878f9b3f78e0be5b38a8568a17b9d402f6e9db040a9c7e3f1f
Instruction ID: 077341c94e64883e4f171baace6078de1d7aa66744cdffc02948e8656d9599f4
Opcode Fuzzy Hash: 6ef60fb7402615878f9b3f78e0be5b38a8568a17b9d402f6e9db040a9c7e3f1f
Instruction Fuzzy Hash: 1D516035D1531AEFCF25DF94C888EAEBBB9AF04711F104299E511EB1A2D731AE20DB50

Uniqueness

Uniqueness Score: -1.00%

Function 002084C7, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000410,?,?,001E9063,000002C0,00000100), ref: 002084F5
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,001E9063,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 00208510

Strings

apuputil.cpp, xrefs: 002085AB
type, xrefs: 00208537
application, xrefs: 00208502
http://appsyndication.org/2006/appsyn, xrefs: 002084E8

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: application$apuputil.cpp$http://appsyndication.org/2006/appsyn$type
API String ID: 2664528157-4206478990
Opcode ID: 45fa92798c76445be0ef15a57f481ead64e009c9bc54178ae283d4e0656b7fc1
Instruction ID: 82ffe2b257e8de5a28dce0b1d023a66b963be0b25202934ae998448600274da5
Opcode Fuzzy Hash: 45fa92798c76445be0ef15a57f481ead64e009c9bc54178ae283d4e0656b7fc1
Instruction Fuzzy Hash: 1851B531654302AFDB219F54CC85F1B7BA9AB10720F218518FAA5EB2D3DBB1ED608B50

Uniqueness

Uniqueness Score: -1.00%

Function 002064B7, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 154fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00206513
DeleteFileW.KERNEL32(00000410,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 0020660A
CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 00206619

Strings

DownloadTimeout, xrefs: 0020654C
Burn, xrefs: 00206502
WiX\Burn, xrefs: 00206551
dlutil.cpp, xrefs: 00206537

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseDeleteErrorFileHandleLast
String ID: Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
API String ID: 3522763407-1704223933
Opcode ID: 3328eaecd8a3572b303f5fddc5fd7f2108ab23cb064527c0e3547d995209fb90
Instruction ID: 07d47d139822559b71cf3dfbc8f9600335f32846c214ccc45f5593a0610eb570
Opcode Fuzzy Hash: 3328eaecd8a3572b303f5fddc5fd7f2108ab23cb064527c0e3547d995209fb90
Instruction Fuzzy Hash: 1B512E72D1022ABBDF11DFA4CC49EEFBBBDEB08710F044155FA14E6191E7358A219BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C9EC7, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 147COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 001C9EED
_MREFOpen@16.MSPDB140-MSVCRT ref: 001C9F12

Strings

Failed to get component path: %d, xrefs: 001C9F76
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 001CA006
Failed to format product code string., xrefs: 001C9F1D
Failed to set variable., xrefs: 001C9FF6
Failed to format component id string., xrefs: 001C9EF8

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Open@16
String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
API String ID: 3613110473-1671347822
Opcode ID: a82bb3a47c8e61cfbe110e4e4f93bf3db700150cd7bb0e09fffb196a5987e314
Instruction ID: 6ef0f8475b21d9ae8884484de1e7439fbfc789d8b36bc9a4a592477ebb5dd084
Opcode Fuzzy Hash: a82bb3a47c8e61cfbe110e4e4f93bf3db700150cd7bb0e09fffb196a5987e314
Instruction Fuzzy Hash: C041E732900215BACF259AA88C8AFBEBB68EF35310F24461EF514E61D1D731DE50DB91

Uniqueness

Uniqueness Score: -1.00%

Function 001CF812, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 001CF942
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 001CF94F

Strings

Failed to format pending restart registry key to read., xrefs: 001CF846
%ls.RebootRequired, xrefs: 001CF82F
Resume, xrefs: 001CF8B6
Failed to read Resume value., xrefs: 001CF8D8
Failed to open registration key., xrefs: 001CF8AB

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: 2b9daf145f77eb0aa67f33b0d3370159066746f9997bfb713ac2071c4b3f8e28
Instruction ID: af3264e75bb86779c4caa1d00c65381cb58b6be50c81cde59bcf8bad99bd7b8d
Opcode Fuzzy Hash: 2b9daf145f77eb0aa67f33b0d3370159066746f9997bfb713ac2071c4b3f8e28
Instruction Fuzzy Hash: CD415971900259FBDF119F98C880FA9BBA6EB25714F16817EF910AB250C372EE52DB40

Uniqueness

Uniqueness Score: -1.00%

Function 001DAA00, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 111COMMON

Download Yara Rule

Strings

Failed to determine length of source path., xrefs: 001DAA30
Failed to determine length of relative path., xrefs: 001DAA4D
Failed to trim source folder., xrefs: 001DAA95
WixBundleLastUsedSource, xrefs: 001DAA9F, 001DAAA5, 001DAAE1
Failed to set last source., xrefs: 001DAAF0

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID:
String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
API String ID: 0-660234312
Opcode ID: 4c8a78ac1594495a3bde4e905ea9c95c40b74d457886611847ea65fbddda1afc
Instruction ID: 368a2c01cd842368b2db3e5bf665d36f10876b96ac480a2abe21319d51112a6b
Opcode Fuzzy Hash: 4c8a78ac1594495a3bde4e905ea9c95c40b74d457886611847ea65fbddda1afc
Instruction Fuzzy Hash: EA31B232904229BBCF22DA94CC45FAEBAB9AF11720F610356F820A73D1DB719D50DA91

Uniqueness

Uniqueness Score: -1.00%

Function 001ED8B0, Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 106comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00220C4C,00000000,00000017,00220C5C,?,?,00000000,00000000,?,?,?,?,?,001EDEE7,00000000,00000000), ref: 001ED8E8

Strings

WixBurn, xrefs: 001ED913
Failed to set progress timeout., xrefs: 001ED952
Failed to create BITS job., xrefs: 001ED922
Failed to set notification flags for BITS job., xrefs: 001ED93A
Failed to create IBackgroundCopyManager., xrefs: 001ED8F4
Failed to set BITS job to foreground., xrefs: 001ED969

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CreateInstance
String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
API String ID: 542301482-468763447
Opcode ID: 34ef86d1ca2e432b65961d528c72d751caa32945303888123ea7c03c746bf2db
Instruction ID: 28cad1936d8ed7aa746f63192b334a61f5f89a53a9069429d9289b959211d369
Opcode Fuzzy Hash: 34ef86d1ca2e432b65961d528c72d751caa32945303888123ea7c03c746bf2db
Instruction Fuzzy Hash: E631A471F4075AAFD714DBA9E885EAFBBB4AF49710B11015AEA01EB352CB309C45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00205DAE, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 00205DF8
GetLastError.KERNEL32 ref: 00205E05
ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 00205E4C
GetLastError.KERNEL32 ref: 00205E80
CloseHandle.KERNEL32(00000000,dlutil.cpp,000000C8,00000000), ref: 00205EB4

Strings

%ls.R, xrefs: 00205DCC
dlutil.cpp, xrefs: 00205E29, 00205EA4

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID: %ls.R$dlutil.cpp
API String ID: 3160720760-657863730
Opcode ID: e89fe0751f69e933f26c50fd5f3dbfb6a4e6f6f3724f6f4bed25a84da43c32ea
Instruction ID: a4ef80e0698f7fcf5d56de3cc1c16685b717eedf8507afce4fb1bcdb83694e17
Opcode Fuzzy Hash: e89fe0751f69e933f26c50fd5f3dbfb6a4e6f6f3724f6f4bed25a84da43c32ea
Instruction Fuzzy Hash: 57310472D61735BBE7308F94DC49B6F7AA8AB01721F114219FE54AB2C2D7709E108AE0

Uniqueness

Uniqueness Score: -1.00%

Function 001CC8E6, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001CCD5E: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,001CE444,000000FF,00000000,00000000,001CE444,?,?,001CDBEB,?,?,?,?), ref: 001CCD89

CreateFileW.KERNEL32(E90020BA,80000000,00000005,00000000,00000003,08000000,00000000,001C53C5,?,00000000,840F01E8,14680A79,00000001,001C53BD,00000000,001C5489), ref: 001CC956
GetLastError.KERNEL32(?,?,?,001D7809,001C566D,001C5479,001C5479,00000000,?,001C5489,FFF9E89D,001C5489,001C54BD,001C5445,?,001C5445), ref: 001CC99B

Strings

catalog.cpp, xrefs: 001CC9BC
Failed to verify catalog signature: %ls, xrefs: 001CC994
Failed to find payload for catalog file., xrefs: 001CC9E0
Failed to open catalog in working path: %ls, xrefs: 001CC9C9
Failed to get catalog local file path, xrefs: 001CC9D9

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CompareCreateErrorFileLastString
String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
API String ID: 1774366664-48089280
Opcode ID: 8617fa0317bba7e00c17d7cbadf14ae9a7d922aff7d6cd415e84f79f64ab27fa
Instruction ID: aded85315cfae920a92fd1812cd43f963796e7c611f91bc5cd46006161afbc32
Opcode Fuzzy Hash: 8617fa0317bba7e00c17d7cbadf14ae9a7d922aff7d6cd415e84f79f64ab27fa
Instruction Fuzzy Hash: 3131E472940725BFD7219B54CC46F99BBA4EF24720F21826EF908EB281E771ED109BD0

Uniqueness

Uniqueness Score: -1.00%

Function 001ED33E, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,74B5F730,00000000,?,?,?,?,001ED642,?), ref: 001ED357
ReleaseMutex.KERNEL32(?,?,?,?,001ED642,?), ref: 001ED375
WaitForSingleObject.KERNEL32(?,000000FF), ref: 001ED3B6
ReleaseMutex.KERNEL32(?), ref: 001ED3CD
SetEvent.KERNEL32(?), ref: 001ED3D6

Strings

Failed to get message from netfx chainer., xrefs: 001ED3F7
Failed to send files in use message from netfx chainer., xrefs: 001ED41C

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait$Event
String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
API String ID: 2608678126-3424578679
Opcode ID: 3d206cecf5c1234a5b2bdb6386a5e87ea23d26c3e53b783ef6083ec089ab6f01
Instruction ID: f2eaa652cde9504d4c32b6b26493aa7d0d2415d053a3c36a9736f0951822025f
Opcode Fuzzy Hash: 3d206cecf5c1234a5b2bdb6386a5e87ea23d26c3e53b783ef6083ec089ab6f01
Instruction Fuzzy Hash: 1431E931900755BFCB229F95EC48EEEBBF8EF54320F108655F965E22A1C730D9508B90

Uniqueness

Uniqueness Score: -1.00%

Function 0020093B, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 92processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 002009AB
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 002009B5
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 002009FE
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 00200A0B

Strings

"%ls" %ls, xrefs: 00200974
procutil.cpp, xrefs: 002009D9
D, xrefs: 00200993

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcess
String ID: "%ls" %ls$D$procutil.cpp
API String ID: 161867955-2732225242
Opcode ID: a7042cfb7f0205829e3d86303979a9fd7c00022972fdc9b20992491160b721e3
Instruction ID: 275faaab06423d0a35375af72e92a6fe3e5e901417d31a501467de958ee465bb
Opcode Fuzzy Hash: a7042cfb7f0205829e3d86303979a9fd7c00022972fdc9b20992491160b721e3
Instruction Fuzzy Hash: 9C215372D1135EABEB11DFD5DD85AAFBBB8EF04710F100129EA04B7252D3719E108AA1

Uniqueness

Uniqueness Score: -1.00%

Function 001C9B9A, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 001C9BB3
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,001CA8AB,00000100,000002C0,000002C0,00000100), ref: 001C9BD3
GetLastError.KERNEL32(?,001CA8AB,00000100,000002C0,000002C0,00000100), ref: 001C9BDE

Strings

Failed to format variable string., xrefs: 001C9BBE
Failed while searching directory search: %ls, for path: %ls, xrefs: 001C9C34
Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 001C9C4A
Failed to set directory search path variable., xrefs: 001C9C0F

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-2966038646
Opcode ID: f2d78f023a694c119617ab10bbe590916cbf7648fc545c6f898d59a3e56cada9
Instruction ID: 4a0f870485009ff8ed7991ea86bd1374230054c8e2b476e0821507d2588cb79b
Opcode Fuzzy Hash: f2d78f023a694c119617ab10bbe590916cbf7648fc545c6f898d59a3e56cada9
Instruction Fuzzy Hash: 29210833940225F7CF2226D49D4AF9DBB69AF30320F210209FD10761A2D776DE60AACD

Uniqueness

Uniqueness Score: -1.00%

Function 001C9D4B, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 001C9D64
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,001CA883,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 001C9D84
GetLastError.KERNEL32(?,001CA883,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 001C9D8F

Strings

File search: %ls, did not find path: %ls, xrefs: 001C9DF3
Failed to format variable string., xrefs: 001C9D6F
Failed to set variable to file search path., xrefs: 001C9DE7
Failed while searching file search: %ls, for path: %ls, xrefs: 001C9DBD

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
API String ID: 1811509786-3425311760
Opcode ID: e9dc1f998c328076a5b185aebb1353731b86230d539240c4109f5aa3ce2062fe
Instruction ID: c694cc6f50228feb51a899ccad1ee8c1d5887cff450f48ec95c77c99f538b63b
Opcode Fuzzy Hash: e9dc1f998c328076a5b185aebb1353731b86230d539240c4109f5aa3ce2062fe
Instruction Fuzzy Hash: E711EB33950625B7DF2266D4CD4AFADBB259F30720F210209FD15761A2E732DE60E6D1

Uniqueness

Uniqueness Score: -1.00%

Function 001DCF25, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 55synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,001DD365,00000000,?,?,001DC7C9,00000001,?,?,?,?,?), ref: 001DCF37
GetLastError.KERNEL32(?,?,001DD365,00000000,?,?,001DC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001DCF41
GetExitCodeThread.KERNEL32(00000001,?,?,?,001DD365,00000000,?,?,001DC7C9,00000001,?,?,?,?,?,00000000), ref: 001DCF7D
GetLastError.KERNEL32(?,?,001DD365,00000000,?,?,001DC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001DCF87

Strings

Failed to get cache thread exit code., xrefs: 001DCFB5
Failed to wait for cache thread to terminate., xrefs: 001DCF6F
elevation.cpp, xrefs: 001DCF65, 001DCFAB

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
API String ID: 3686190907-1954264426
Opcode ID: b5e730773044fe7a0d8fd29d31974eb7e8d10e4473e6b9a58f07c67379d39bf4
Instruction ID: df7d1559d51735efbd539db935df9326a21f959204f65e5714107f586f637bbe
Opcode Fuzzy Hash: b5e730773044fe7a0d8fd29d31974eb7e8d10e4473e6b9a58f07c67379d39bf4
Instruction Fuzzy Hash: 10014973A957366BD73157859C0DADF7A99AF15B61B020516BE04FB381E750CD00C1E4

Uniqueness

Uniqueness Score: -1.00%

Function 001D69AE, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,001D6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 001D69BB
GetLastError.KERNEL32(?,001D6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 001D69C5
GetExitCodeThread.KERNEL32(00000001,00000000,?,001D6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 001D6A04
GetLastError.KERNEL32(?,001D6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 001D6A0E

Strings

core.cpp, xrefs: 001D69EC, 001D6A35
Failed to get cache thread exit code., xrefs: 001D6A3F
Failed to wait for cache thread to terminate., xrefs: 001D69F6

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
API String ID: 3686190907-2546940223
Opcode ID: 624edf356aba28b99633fcd8993ba9e29470071b88a955d90e97ad6e5dbd7810
Instruction ID: 177a28c3046d2fefdd366f4dfd73961389c7ede952662b60878f240cff9cf4bd
Opcode Fuzzy Hash: 624edf356aba28b99633fcd8993ba9e29470071b88a955d90e97ad6e5dbd7810
Instruction Fuzzy Hash: 0611A570740216FFEB109F619D06BAE36E8EB10710F10416AB904EA291EB31DE509764

Uniqueness

Uniqueness Score: -1.00%

Function 001DF7D9, Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 118COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 001DF7EE
LeaveCriticalSection.KERNEL32(?), ref: 001DF8FB

Strings

Failed to set source path for payload., xrefs: 001DF88A
UX requested unknown container with id: %ls, xrefs: 001DF8BA
Failed to set source path for container., xrefs: 001DF8E0
UX denied while trying to set source on embedded payload: %ls, xrefs: 001DF870
UX requested unknown payload with id: %ls, xrefs: 001DF85A
Engine is active, cannot change engine state., xrefs: 001DF808

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Engine is active, cannot change engine state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-4121889706
Opcode ID: dcdc2c95a27f4a084af9112159a808a19f460de4a93f07547fb15a5d43b873cd
Instruction ID: 8156fe667f03b1f5c3e5fda98d757e5eeef535f8f449faab8b9775ad82b9e9a0
Opcode Fuzzy Hash: dcdc2c95a27f4a084af9112159a808a19f460de4a93f07547fb15a5d43b873cd
Instruction Fuzzy Hash: A8310632A00255AFCB219F58CC45E9AB3ACAF24720B15412FFC06EB341DB75EE51A792

Uniqueness

Uniqueness Score: -1.00%

Function 001C71FD, Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 99stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 001C7210

Strings

Failed to format escape sequence., xrefs: 001C72AA
[]{}, xrefs: 001C723A
Failed to allocate buffer for escaped string., xrefs: 001C7227
Failed to append escape sequence., xrefs: 001C72A3
Failed to append characters., xrefs: 001C729C
[\%c], xrefs: 001C726F
Failed to copy string., xrefs: 001C72C4

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: lstrlen
String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
API String ID: 1659193697-3250950999
Opcode ID: 18b78b77e93c001f1e151d9bd7e30dc56aa2be2adf5898f8450a7d38936d3ca8
Instruction ID: 4a3be4bc611af15392fe486c09d6e76dff2e38588341eb10bde1c92e4d16fa1e
Opcode Fuzzy Hash: 18b78b77e93c001f1e151d9bd7e30dc56aa2be2adf5898f8450a7d38936d3ca8
Instruction Fuzzy Hash: F121E972948319BBDB216690CC46FAE7B6D9F31721F31011AF901B61C2DBB1DE10DAD1

Uniqueness

Uniqueness Score: -1.00%

Function 001E5BDC, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 207COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,0020B500,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,001E67DE,?,00000001,?,0020B4A0), ref: 001E5C45

Strings

feclient.dll, xrefs: 001E5C3B, 001E5D65
Failed to insert execute action., xrefs: 001E5C9A
Failed to plan action for target product., xrefs: 001E5CF0
Failed grow array of ordered patches., xrefs: 001E5CDE
Failed to copy target product code., xrefs: 001E5D78

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CompareString
String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
API String ID: 1825529933-3477540455
Opcode ID: d48d3b378b4672501b63e48da5679886f9a6a2d0c2857685e05ccd693f336f11
Instruction ID: 2ae05d396bb8b85de2373bf6f049e8d8833b766a9fe9b24e143ce23d3c3c6f21
Opcode Fuzzy Hash: d48d3b378b4672501b63e48da5679886f9a6a2d0c2857685e05ccd693f336f11
Instruction Fuzzy Hash: B38127B5600B8A9FCB15CF59C890AAA77EABF08318F218569EC158B352C730E851CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001FCAED, Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,001FD262,00000000,00000000,00000000,00000000,00000000,001F2F1D), ref: 001FCB2F
__fassign.LIBCMT ref: 001FCBAA
__fassign.LIBCMT ref: 001FCBC5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 001FCBEB
WriteFile.KERNEL32(?,00000000,00000000,001FD262,00000000,?,?,?,?,?,?,?,?,?,001FD262,00000000), ref: 001FCC0A
WriteFile.KERNEL32(?,00000000,00000001,001FD262,00000000,?,?,?,?,?,?,?,?,?,001FD262,00000000), ref: 001FCC43

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4af7d490ab5880d7a5df343db885cf135d15a045f5ef5ad7695e9b43d3d86230
Instruction ID: 60809f8dfad96457257c4cf0200337c1789247b0197793fb13fa8e9bcbc0a286
Opcode Fuzzy Hash: 4af7d490ab5880d7a5df343db885cf135d15a045f5ef5ad7695e9b43d3d86230
Instruction Fuzzy Hash: 78519271A0024DAFDB14CFA8DD95AFEBBF4EF09310F14415AEA59E7291D730A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E9279, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 150COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,001D7113,000000B8,0000001C,00000100), ref: 001E92A4
CompareStringW.KERNEL32(00000000,00000001,?,000000FF,0020B4B8,000000FF,?,?,?,001D7113,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 001E932E

Strings

comres.dll, xrefs: 001E93B0
Failed to initialize update bundle., xrefs: 001E93D1
detect.cpp, xrefs: 001E938E
BA aborted detect forward compatible bundle., xrefs: 001E9398

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CompareString
String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$comres.dll$detect.cpp
API String ID: 1825529933-439563586
Opcode ID: ae2a8677f70714f34f40f20c44904c1fb2827244b6cb515f90abae6637914540
Instruction ID: 881d636fb39cbe139d8023c03087135a97952dc812c5539cfefe77b791b7ae3d
Opcode Fuzzy Hash: ae2a8677f70714f34f40f20c44904c1fb2827244b6cb515f90abae6637914540
Instruction Fuzzy Hash: 0D51C071600A51BFDF169F66CC81EAEB7A6FF15310F104269F9249A2A1C771ECA0DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001DAB9E, Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(001C5479,000000FF,00AAC56B,E90020BA,001C53BD,00000000,?,E90020BA,00000000), ref: 001DAC94
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,001C5479,000000FF,00AAC56B,E90020BA,001C53BD,00000000,?,E90020BA,00000000), ref: 001DACD8

Strings

cache.cpp, xrefs: 001DAC6A, 001DACB8, 001DACFC
Failed to get provider state from authenticode certificate., xrefs: 001DACC2
Failed authenticode verification of payload: %ls, xrefs: 001DAC75
Failed to get signer chain from authenticode certificate., xrefs: 001DAD06
Failed to verify expected payload against actual certificate chain., xrefs: 001DAD1E

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast
String ID: Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$cache.cpp
API String ID: 1452528299-2590768268
Opcode ID: d33a9e3f6b59834b587db3e360b7e69aa38763444bacc8dd7a19269a8ea7cd52
Instruction ID: a6181180abc962ca53742be92d1f14bb288444be7469920fe4820ad9042d2ab2
Opcode Fuzzy Hash: d33a9e3f6b59834b587db3e360b7e69aa38763444bacc8dd7a19269a8ea7cd52
Instruction Fuzzy Hash: 6541A572D11629ABDB21DBD4DC46BDEBBB8EF14720F01012AFD10BB381D77499008AE1

Uniqueness

Uniqueness Score: -1.00%

Function 001DD437, Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?,00000001,0020B500,?,00000001,000000FF,?,?,7743A770,00000000,00000001,00000000,?,001D74E6), ref: 001DD560

Strings

Failed to connect to elevated child process., xrefs: 001DD549
Failed to create pipe and cache pipe., xrefs: 001DD4BD
Failed to elevate., xrefs: 001DD542
UX aborted elevation requirement., xrefs: 001DD475
elevation.cpp, xrefs: 001DD46B
Failed to create pipe name and client token., xrefs: 001DD4A1

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseHandle
String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
API String ID: 2962429428-3003415917
Opcode ID: efe1dc45712e2e22f114f97ce2be601e7162717c3c5be56e9dc947c5196b1547
Instruction ID: 26ba34d41e8de5c3b845f1eb71f4bc1b683e3a86fc8370ee14d7983492c337fe
Opcode Fuzzy Hash: efe1dc45712e2e22f114f97ce2be601e7162717c3c5be56e9dc947c5196b1547
Instruction Fuzzy Hash: 47316B72648725BBE72596A4EC43FFAB37D9F20334F10421BF904AA381DB61AD5082D5

Uniqueness

Uniqueness Score: -1.00%

Function 001DD24B, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 118threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 001DD2E9
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001DD2F5

Part of subcall function 001DCF25: WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,001DD365,00000000,?,?,001DC7C9,00000001,?,?,?,?,?), ref: 001DCF37
Part of subcall function 001DCF25: GetLastError.KERNEL32(?,?,001DD365,00000000,?,?,001DC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001DCF41

CloseHandle.KERNEL32(00000000,00000000,?,?,001DC7C9,00000001,?,?,?,?,?,00000000,00000000,?,?,?), ref: 001DD376

Strings

Failed to pump messages in child process., xrefs: 001DD34D
Failed to create elevated cache thread., xrefs: 001DD323
elevation.cpp, xrefs: 001DD319

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleObjectSingleThreadWait
String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$elevation.cpp
API String ID: 3606931770-4134175193
Opcode ID: 426473522aad5684d350bf06e661e9f91b11ac884e02c01cdb4bc9e6aa3a5b52
Instruction ID: 30c401d100f506af6bf6a4448c7073fe0e6db2d9e1e1f5b7c2d3ef942e802121
Opcode Fuzzy Hash: 426473522aad5684d350bf06e661e9f91b11ac884e02c01cdb4bc9e6aa3a5b52
Instruction Fuzzy Hash: 2D41F4B6D01219AFCB15DFA9D8859DEBBF8FF48710F10412AF918E7340E770A9418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00200523, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0022B5FC,00000000,?,?,?,001D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,001C54FA,?), ref: 00200533
CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,0022B5F4,?,001D4207,00000000,Setup), ref: 002005D7
GetLastError.KERNEL32(?,001D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,001C54FA,?,?,?), ref: 002005E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,001D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,001C54FA,?), ref: 00200621

Part of subcall function 001C2DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 001C2F09

LeaveCriticalSection.KERNEL32(0022B5FC,?,?,0022B5F4,?,001D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,001C54FA,?), ref: 0020067A

Strings

logutil.cpp, xrefs: 00200606

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: 8b530558ae07cd4f5cfc519a3b5b1c82c4e149340e1f1dee51e5bc9bdf6b47f6
Instruction ID: 53fb23e1bc7597fb73a87e4dc1e3a291b7484bb46a616b443eb2ea9f2040f697
Opcode Fuzzy Hash: 8b530558ae07cd4f5cfc519a3b5b1c82c4e149340e1f1dee51e5bc9bdf6b47f6
Instruction Fuzzy Hash: FA31B63191072AFBEB225FE0ADC9F6E776DEB01750F440124F911AA1A2DB72DD309B90

Uniqueness

Uniqueness Score: -1.00%

Function 001E398D, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 112COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 001E39F4

Strings

Failed to format property value., xrefs: 001E3A7D
Failed to escape string., xrefs: 001E3A76
Failed to append property string part., xrefs: 001E3A68
%s%="%s", xrefs: 001E3A27
Failed to format property string part., xrefs: 001E3A6F

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Open@16
String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
API String ID: 3613110473-515423128
Opcode ID: b594d179eb5cd319afa5e1af44a582147adcebb582545db689fc5a733d3915e9
Instruction ID: b88229043e4074138cde3425a235feee837a48ee203ce9ca2a36028d2d6123d3
Opcode Fuzzy Hash: b594d179eb5cd319afa5e1af44a582147adcebb582545db689fc5a733d3915e9
Instruction Fuzzy Hash: D931E532904659AFCB159E99CC49EEEB7B8EF20704F10416AF821A7241D7709F60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 002041E5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,0020432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,001DA063,00000001), ref: 00204203
GetLastError.KERNEL32(00000002,?,0020432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,001DA063,00000001,000007D0,00000001,00000001,00000003), ref: 00204212
MoveFileExW.KERNEL32(00000003,00000001,00000000,00000001,00000000,?,0020432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,001DA063,00000001), ref: 002042A6
GetLastError.KERNEL32(?,0020432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,001DA063,00000001,000007D0,00000001), ref: 002042B0

Part of subcall function 00204440: FindFirstFileW.KERNEL32(001E923A,?,00000100,00000000,00000000), ref: 0020447B
Part of subcall function 00204440: FindClose.KERNEL32(00000000), ref: 00204487

Strings

\, xrefs: 00204265
fileutil.cpp, xrefs: 002042CF

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: File$ErrorFindLastMove$CloseFirst
String ID: \$fileutil.cpp
API String ID: 3479031965-1689471480
Opcode ID: 1f3e6f8410f7ecf3ed2d6903db105352f6ef4b94837569befa0188aa183c3f9a
Instruction ID: de24870e60d87e190b0575aa1ffbf9274e43f7bfd826abdacfc5cfdc3c53c42d
Opcode Fuzzy Hash: 1f3e6f8410f7ecf3ed2d6903db105352f6ef4b94837569befa0188aa183c3f9a
Instruction Fuzzy Hash: 3C31D4B6B21327AFDB217E95DC04A6F7669BF61760B11C139FE049B292D3708D6086D0

Uniqueness

Uniqueness Score: -1.00%

Function 001C732C, Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,001C5932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 001C733E
LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,001C5932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 001C741D

Strings

*****, xrefs: 001C73D9, 001C73E6
Failed to get value as string for variable: %ls, xrefs: 001C740C
Failed to get unformatted string., xrefs: 001C73AE
Failed to get variable: %ls, xrefs: 001C737F
Failed to format value '%ls' of variable: %ls, xrefs: 001C73E7

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
API String ID: 3168844106-2873099529
Opcode ID: 883b3f4cc64a5c63c9e3e22c16298f3e4a6a7b6a656dda6f41804d01355c6e19
Instruction ID: 2a350c5614bf599b81c91ddf055c1365978db7ff35abaa666dc8b1b1731f4a7b
Opcode Fuzzy Hash: 883b3f4cc64a5c63c9e3e22c16298f3e4a6a7b6a656dda6f41804d01355c6e19
Instruction Fuzzy Hash: 69319E72A0465AFBDF225B90CC09F9E7A64FF34361F104269FC0466191D3B1EAA0AFD0

Uniqueness

Uniqueness Score: -1.00%

Function 001D8DEC, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 001D8E37
GetLastError.KERNEL32 ref: 001D8E41
SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 001D8EA1

Strings

cache.cpp, xrefs: 001D8E65
Failed to allocate administrator SID., xrefs: 001D8E1D
Failed to initialize ACL., xrefs: 001D8E6F

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AttributesErrorFileInitializeLast
String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
API String ID: 669721577-1117388985
Opcode ID: 7ba01325ce7e0f4b0dce3575ec513a35aa45bdd7e3aa278bc2602d10fc5b953b
Instruction ID: 3c675bd353fceb0d15b63080245e272b487d0d39f315a139dabd2104d89947e7
Opcode Fuzzy Hash: 7ba01325ce7e0f4b0dce3575ec513a35aa45bdd7e3aa278bc2602d10fc5b953b
Instruction Fuzzy Hash: 9221A872E40224BBDB319AD59C89F9FF76DEB54B10F51416ABD14FB381EB709D008A90

Uniqueness

Uniqueness Score: -1.00%

Function 001C4212, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,001D4028,00000001,feclient.dll,?,00000000,?,?,?,001C4B12), ref: 001C424D
GetLastError.KERNEL32(?,?,001D4028,00000001,feclient.dll,?,00000000,?,?,?,001C4B12,?,?,0020B488,?,00000001), ref: 001C4259
GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,001D4028,00000001,feclient.dll,?,00000000,?,?,?,001C4B12,?), ref: 001C4294
GetLastError.KERNEL32(?,?,001D4028,00000001,feclient.dll,?,00000000,?,?,?,001C4B12,?,?,0020B488,?,00000001), ref: 001C429E

Strings

dirutil.cpp, xrefs: 001C42C2
crypt32.dll, xrefs: 001C4216

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CurrentDirectoryErrorLast
String ID: crypt32.dll$dirutil.cpp
API String ID: 152501406-1104880720
Opcode ID: c8311d827f253a36bf3d3b1b9b8e0cd8d37c50a46e2925a70c556b49d125967b
Instruction ID: bccc50b8476927dd66db508f6c1e003213234fba012f0af1a50e8ff650c7ff52
Opcode Fuzzy Hash: c8311d827f253a36bf3d3b1b9b8e0cd8d37c50a46e2925a70c556b49d125967b
Instruction Fuzzy Hash: 0D11B777E05737AB97319AD9A896F6BBA68EF25760711012DFD00E7351E720DC0086E4

Uniqueness

Uniqueness Score: -1.00%

Function 001E0B8E, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 001E0BDE
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 001E0BFD
GetLastError.KERNEL32 ref: 001E0C07

Strings

Unexpected call to CabWrite()., xrefs: 001E0BC1
cabextract.cpp, xrefs: 001E0C2B
Failed to write during cabinet extraction., xrefs: 001E0C35

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: 0880c54348441b93ce2bcd86157bed7446701670139836d7a8e4327cd7caa586
Instruction ID: 1f1610a76dae369b305fef920310e73c91216286c55923b3b7738280f4574436
Opcode Fuzzy Hash: 0880c54348441b93ce2bcd86157bed7446701670139836d7a8e4327cd7caa586
Instruction Fuzzy Hash: 6A212376510605ABCB16CF5ED885E9E37B9FF88720B224299FE14C7242E7B2DD50CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001C9AE0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 001C9AFB
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,00000000,?,001CA8B4,00000100,000002C0,000002C0,00000100), ref: 001C9B10
GetLastError.KERNEL32(?,001CA8B4,00000100,000002C0,000002C0,00000100), ref: 001C9B1B

Strings

Failed to set variable., xrefs: 001C9B7A
Failed while searching directory search: %ls, for path: %ls, xrefs: 001C9B54
Failed to format variable string., xrefs: 001C9B06

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-402580132
Opcode ID: 3999e8d818e59ddbc3155c3987079e6474b788f3a718909fb016d2e8ca2e3a85
Instruction ID: 8b32e3981cd70a130e613b4b1f96bf3bb7164241f88ea205ad7af9bd705caf44
Opcode Fuzzy Hash: 3999e8d818e59ddbc3155c3987079e6474b788f3a718909fb016d2e8ca2e3a85
Instruction Fuzzy Hash: 7B11E932940635FBDB221698AC8AFAEF619DF31760F110319FD1076191C771DD60A6D4

Uniqueness

Uniqueness Score: -1.00%

Function 001E0C57, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 001E0CC4
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001E0CD6
SetFileTime.KERNEL32(?,?,?,?), ref: 001E0CE9
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,001E08B1,?,?), ref: 001E0CF8

Strings

cabextract.cpp, xrefs: 001E0C93
Invalid operation for this state., xrefs: 001E0C9D

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: e8c0f7d0f6ab73d502a8effd887587dfbfc7d1beb6afe5523a228c63b8d15ff5
Instruction ID: d0b1688b7b52e270c098d37417efac7668d9c6cbf80efe232dab9c7c0fb838cc
Opcode Fuzzy Hash: e8c0f7d0f6ab73d502a8effd887587dfbfc7d1beb6afe5523a228c63b8d15ff5
Instruction Fuzzy Hash: 4C21D172810A19ABC721DFA9DC499BEBBACFF083207104256F825D6191D3B0E991CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001D4A77, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,crypt32.dll,00000000,00000000,00000000,?,001D539D), ref: 001D4AC3

Strings

Failed to write message type to pipe., xrefs: 001D4B05
crypt32.dll, xrefs: 001D4A7D
Failed to allocate message to write., xrefs: 001D4AA2
pipe.cpp, xrefs: 001D4AFB

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: FileWrite
String ID: Failed to allocate message to write.$Failed to write message type to pipe.$crypt32.dll$pipe.cpp
API String ID: 3934441357-606776022
Opcode ID: 2a0248957a838655fff5ee0fb4415c6b325f09e4cba553cf3b3d8946a8efa026
Instruction ID: d28be1e65ab71a2aa6b13335ff0d79824f82541b34ef7ea63b83baca5229535a
Opcode Fuzzy Hash: 2a0248957a838655fff5ee0fb4415c6b325f09e4cba553cf3b3d8946a8efa026
Instruction Fuzzy Hash: 5B11CA72A80229BBCB219F84DD49EDFBBA8EB50750F110166FD00B7240E730DE50DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 001D4642, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

_memcpy_s.LIBCMT ref: 001D4693
_memcpy_s.LIBCMT ref: 001D46A6
_memcpy_s.LIBCMT ref: 001D46C1

Strings

feclient.dll, xrefs: 001D465B, 001D4691
Failed to allocate memory for message., xrefs: 001D467C
pipe.cpp, xrefs: 001D4672

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: _memcpy_s$Heap$AllocateProcess
String ID: Failed to allocate memory for message.$feclient.dll$pipe.cpp
API String ID: 886498622-766083570
Opcode ID: cab1b07ecb4886708e58e51c0fe346a70c34305ede335fd804731ae22c156dd8
Instruction ID: 1f32a8a918cf01eb63f6bad7392761a3fc9355e59c874b493f01969c7285eb9a
Opcode Fuzzy Hash: cab1b07ecb4886708e58e51c0fe346a70c34305ede335fd804731ae22c156dd8
Instruction Fuzzy Hash: 461173B654430AABDB01EE94CC82EDB77ACEF25B10B00452AFA15DB151D771EA54C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 002096CD, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

ReleaseSRWLockExclusive, xrefs: 0020970C
AcquireSRWLockExclusive, xrefs: 002096FC
KERNEL32.DLL, xrefs: 002096E7

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: 69e8d77fb1aeb6525a463d9d293a68c02d545d5ea3ed98afc216af8010dc64ca
Instruction ID: 78e2dae5f0fadb7b4989d2c5d5fb68023975798a8139dfa78cbc998663a4e9c0
Opcode Fuzzy Hash: 69e8d77fb1aeb6525a463d9d293a68c02d545d5ea3ed98afc216af8010dc64ca
Instruction Fuzzy Hash: DA01A9B66B23336BCF320EA57CDCAA7638C56023513105176E563D31D3DB52C8E59690

Uniqueness

Uniqueness Score: -1.00%

Function 00200ACC, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,001C5EB2,00000000), ref: 00200AE0
GetProcAddress.KERNEL32(00000000), ref: 00200AE7
GetLastError.KERNEL32(?,?,?,001C5EB2,00000000), ref: 00200AFE

Strings

kernel32, xrefs: 00200AD8
procutil.cpp, xrefs: 00200B1F
IsWow64Process, xrefs: 00200AD1

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: IsWow64Process$kernel32$procutil.cpp
API String ID: 4275029093-1586155540
Opcode ID: 8b0a3fa60ecec24cd064aa6217b96ec84527ff54e4ebd98aaca03b57011f7338
Instruction ID: 01b924a7ed02ae4011ce01fba49d0e05c79a09cbfda63577e1b05995f3a77815
Opcode Fuzzy Hash: 8b0a3fa60ecec24cd064aa6217b96ec84527ff54e4ebd98aaca03b57011f7338
Instruction Fuzzy Hash: 43F0F432A2033AA7D3219FD19C8DE9BBB68AB04B54F414144BD04A7281EB70DE2087D0

Uniqueness

Uniqueness Score: -1.00%

Function 001FA20B, Relevance: 9.2, APIs: 6, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001F3479,001F3479,?,?,?,001FA45C,00000001,00000001,ECE85006), ref: 001FA265
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,001FA45C,00000001,00000001,ECE85006,?,?,?), ref: 001FA2EB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,ECE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001FA3E5
__freea.LIBCMT ref: 001FA3F2

Part of subcall function 001F521A: RtlAllocateHeap.NTDLL(00000000,?,?,?,001F1F87,?,0000015D,?,?,?,?,001F33E0,000000FF,00000000,?,?), ref: 001F524C

__freea.LIBCMT ref: 001FA3FB
__freea.LIBCMT ref: 001FA420

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3af8c8c43ccb6a8dd020096d8b1835de5922829b8d1b8efc47edf452dcf6df2f
Instruction ID: 07029fdd3e59224642b30bcfae30ccb8d75fd38563669a1eaaaaa25277e542c1
Opcode Fuzzy Hash: 3af8c8c43ccb6a8dd020096d8b1835de5922829b8d1b8efc47edf452dcf6df2f
Instruction Fuzzy Hash: CD5136B261021AAFDB298F64CC41EBF77A9EF54750F554228FE08D6140EB38EC81D651

Uniqueness

Uniqueness Score: -1.00%

Function 001D8CAC, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 122sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,00000000,00000000), ref: 001D8D18

Strings

Failed to get %hs package cache root directory., xrefs: 001D8D78
Failed to calculate cache path., xrefs: 001D8CD5
per-user, xrefs: 001D8D72, 001D8D77, 001D8DB2, 001D8DB7
Failed to get old %hs package cache root directory., xrefs: 001D8DB8
per-machine, xrefs: 001D8D69, 001D8DA9

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Sleep
String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
API String ID: 3472027048-398165853
Opcode ID: ccb40d93e8e5a1ecd50deaee3ad772c88ad8f7ec962aef4c74dbe3cae28e27cf
Instruction ID: a25be0c831cd5fe64a62d66ba74517d4a06bf71979a8da41fdc34e0f48a6320d
Opcode Fuzzy Hash: ccb40d93e8e5a1ecd50deaee3ad772c88ad8f7ec962aef4c74dbe3cae28e27cf
Instruction Fuzzy Hash: 6731E572A50A24BBEB22AA948C46FFF626EDF30710F114026FD00F63C2DB75DD5056A1

Uniqueness

Uniqueness Score: -1.00%

Function 001DE956, Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 001DE985
SetWindowLongW.USER32 ref: 001DE994
SetWindowLongW.USER32 ref: 001DE9A8
DefWindowProcW.USER32(?,?,?,?), ref: 001DE9B8
GetWindowLongW.USER32(?,000000EB), ref: 001DE9D2
PostQuitMessage.USER32(00000000), ref: 001DEA31

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: 10934f1c8ec56b2f2b79fe2645080f8cc9a3cb98f277b50cdedf49dba895eb0a
Instruction ID: 24cde998fbf82fb6c281443cd0198824646c1f3a08bbd6d28c435b8f73a28347
Opcode Fuzzy Hash: 10934f1c8ec56b2f2b79fe2645080f8cc9a3cb98f277b50cdedf49dba895eb0a
Instruction Fuzzy Hash: 7E21D331104215BFDF16AFA8DC4CE6A3BA6FF58311F144619FA1A9B2A5C731DD10DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001DC7C9, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 164synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?), ref: 001DC811
CloseHandle.KERNEL32(?), ref: 001DC819

Strings

elevation.cpp, xrefs: 001DC9B8
Unexpected elevated message sent to child process, msg: %u, xrefs: 001DC9C4
Failed to save state., xrefs: 001DC891

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseHandleMutexRelease
String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
API String ID: 4207627910-1576875097
Opcode ID: b96094de2ec729d8e6b436317b618bdff23269c7fadacf15b58285c5158c961f
Instruction ID: a79f3b42d6d57efcb7d5087b5ae26efaee31314a116d0ac5d942c96af987f89e
Opcode Fuzzy Hash: b96094de2ec729d8e6b436317b618bdff23269c7fadacf15b58285c5158c961f
Instruction Fuzzy Hash: 6561D87A104615EFCF165F84CD41C56BBB2FF18314712C95AFA9A9A632C732E821EF81

Uniqueness

Uniqueness Score: -1.00%

Function 00201217, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 150registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 0020123F
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,001D70E8,00000100,000000B0,00000088,00000410,000002C0), ref: 00201276
lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 0020136E

Strings

BundleUpgradeCode, xrefs: 0020121E
regutil.cpp, xrefs: 002012BF

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 3790715954-1648651458
Opcode ID: 55caddeb40ec2f568fb75c024fa69c7bd027ce26d4fe7ba696fc32ac271af5d1
Instruction ID: dbbc03cbf00a9f1cf8132ae71dc8e973cdd57acff1333e976a7e6ef73868f2b8
Opcode Fuzzy Hash: 55caddeb40ec2f568fb75c024fa69c7bd027ce26d4fe7ba696fc32ac271af5d1
Instruction Fuzzy Hash: DA41D631A2032AEFDB219F94C844ABE77B9AF44714F1541A9FD01EBA82D7309D308B90

Uniqueness

Uniqueness Score: -1.00%

Function 00206357, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0020490D: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,001D8770,00000000,00000000,00000000,00000000,00000000), ref: 00204925
Part of subcall function 0020490D: GetLastError.KERNEL32(?,?,?,001D8770,00000000,00000000,00000000,00000000,00000000), ref: 0020492F

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00205C09,?,?,?,?,?,?,?,00010000,?), ref: 002063C0
WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,00205C09,?,?,?,?), ref: 00206412
GetLastError.KERNEL32(?,00205C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 00206458
GetLastError.KERNEL32(?,00205C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 0020647E

Strings

dlutil.cpp, xrefs: 002064A2

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLast$Write$Pointer
String ID: dlutil.cpp
API String ID: 133221148-2067379296
Opcode ID: 81260050e6373dd9ca117f3bebbb99eb096b199be1eac01fbc6dcda6b3261c6b
Instruction ID: ee7b92fbb465017caf8f2f7854fc51d3331161c56ddc4107d015e1a13d0e93a9
Opcode Fuzzy Hash: 81260050e6373dd9ca117f3bebbb99eb096b199be1eac01fbc6dcda6b3261c6b
Instruction Fuzzy Hash: D4418E7292032ABFEB218E94DD89BAA7B69FF04720F154225BD00A61D1D371DD30DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C2428, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,001FFFEF,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,001FFFEF,001E12CF,?,00000000), ref: 001C246E
GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,001FFFEF,001E12CF,?,00000000,0000FDE9,?,001E12CF), ref: 001C247A

Part of subcall function 001C3BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,001C21CC,000001C7,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3BDB
Part of subcall function 001C3BD3: HeapSize.KERNEL32(00000000,?,001C21CC,000001C7,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3BE2

Strings

strutil.cpp, xrefs: 001C249E

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: 2f14f073fbfa721c1440b6a410592595fd13527cbf3979df4b455d3c0a5c0a8b
Instruction ID: 6ad26fc51b9cab7c0313763a584d3708082ba5cc9d08755ceccb59d67fab5509
Opcode Fuzzy Hash: 2f14f073fbfa721c1440b6a410592595fd13527cbf3979df4b455d3c0a5c0a8b
Instruction Fuzzy Hash: 2331E33030021AAFE7199E698CD4FB7779DAB75364B20422DFE259B2A0E771CC0197A0

Uniqueness

Uniqueness Score: -1.00%

Function 001EAD44, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 107COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,?,000000FF,?,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 001EADB3

Strings

Failed to extract all payloads from container: %ls, xrefs: 001EADF7
Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 001EAE4A
Failed to open container: %ls., xrefs: 001EAD85
Failed to extract payload: %ls from container: %ls, xrefs: 001EAE3E

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CompareString
String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
API String ID: 1825529933-3891707333
Opcode ID: 0fe126332727b6b84dbb16883f847394afc4e898c79d848ab4fc3c95e89f2ece
Instruction ID: 82ccac3db59f25bda21f041aa9eea865719d17a23fbb8aa7bbf44e565094595c
Opcode Fuzzy Hash: 0fe126332727b6b84dbb16883f847394afc4e898c79d848ab4fc3c95e89f2ece
Instruction Fuzzy Hash: BC31E332C00A55BBCF21AAE5CC86EDE77A8AF14720F514211FD10A7191E731AA65DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 001CF005, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 96registryCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,001D0654,00000001,00000001,00000001,001D0654,00000000), ref: 001CF07D
RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,001D0654,00000001,00000001,00000001,001D0654,00000000,00000001,00000000,?,001D0654,00000001), ref: 001CF09A

Strings

Failed to format key for update registration., xrefs: 001CF033
PackageVersion, xrefs: 001CF05E
Failed to remove update registration key: %ls, xrefs: 001CF0C7

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseCompareString
String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
API String ID: 446873843-3222553582
Opcode ID: 96e15a2e9a5b451cc9571a32893bdb86c19e93fffab3f30edc6a13b81de5831c
Instruction ID: 106765deb7743851c8201d3b453f703160fe9f0d5440fef5a9a6f2e6e4497177
Opcode Fuzzy Hash: 96e15a2e9a5b451cc9571a32893bdb86c19e93fffab3f30edc6a13b81de5831c
Instruction Fuzzy Hash: B9219A31910225BADB219BA5CC49FAFBEBADF11710F100279BD14A2192E7318A61DA90

Uniqueness

Uniqueness Score: -1.00%

Function 0020433D, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00204440: FindFirstFileW.KERNEL32(001E923A,?,00000100,00000000,00000000), ref: 0020447B
Part of subcall function 00204440: FindClose.KERNEL32(00000000), ref: 00204487

RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00204430

Part of subcall function 00200F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0022AAA0,00000000,?,002057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00200F80

Part of subcall function 00201217: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 0020123F
Part of subcall function 00201217: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,001D70E8,00000100,000000B0,00000088,00000410,000002C0), ref: 00201276

Strings

\, xrefs: 002043B9
PendingFileRenameOperations, xrefs: 0020439B
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 0020436F
crypt32.dll, xrefs: 00204368

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseFindQueryValue$FileFirstOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
API String ID: 3397690329-3978359083
Opcode ID: 7ed6ccbddbb25822ba44ccd83ec5a2f070ac9bbda5f54e41fd90d8ccb7ddd0fa
Instruction ID: fb329e2a7a35d866809c78f211749e8f77f2a8afc30c058a332c0647bfe5684c
Opcode Fuzzy Hash: 7ed6ccbddbb25822ba44ccd83ec5a2f070ac9bbda5f54e41fd90d8ccb7ddd0fa
Instruction Fuzzy Hash: A03191B192031AFBDF21BFD1DC41AAEB775EB10750F54C1BAEA04A6192D7319E60CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00204019, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,001C4DBC,00000000,?,?,00000000,?,0020412D,00000000,001C4DBC,00000000,00000000,?,001D85EE,?,?), ref: 00204033
GetLastError.KERNEL32(?,0020412D,00000000,001C4DBC,00000000,00000000,?,001D85EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 00204041
CopyFileW.KERNEL32(00000000,001C4DBC,00000000,001C4DBC,00000000,?,0020412D,00000000,001C4DBC,00000000,00000000,?,001D85EE,?,?,00000001), ref: 002040AC
GetLastError.KERNEL32(?,0020412D,00000000,001C4DBC,00000000,00000000,?,001D85EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 002040B6

Strings

fileutil.cpp, xrefs: 002040D5

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CopyErrorFileLast
String ID: fileutil.cpp
API String ID: 374144340-2967768451
Opcode ID: 33fb5135b447458239717ffb3bc4a42353bff03a8a8d715d52a38f72f80299d0
Instruction ID: f3596f8deaa69d1360eae1731917dc679514f0d9927d8a9b8c65ff093f306431
Opcode Fuzzy Hash: 33fb5135b447458239717ffb3bc4a42353bff03a8a8d715d52a38f72f80299d0
Instruction Fuzzy Hash: 952107F662033397EB352EA65C44B3B6699EF10B60B148235FF04FB593D7A18C6082E0

Uniqueness

Uniqueness Score: -1.00%

Function 001CEF1B, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 001CEF56

Part of subcall function 00204153: SetFileAttributesW.KERNEL32(001E923A,00000080,00000000,001E923A,000000FF,00000000,?,?,001E923A), ref: 00204182
Part of subcall function 00204153: GetLastError.KERNEL32(?,?,001E923A), ref: 0020418C

Part of subcall function 001C3C6B: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,001CEFA1,00000001,00000000,00000095,00000001,001D0663,00000095,00000000,swidtag,00000001), ref: 001C3C88

Strings

swidtag, xrefs: 001CEF65
Failed to allocate regid file path., xrefs: 001CEFB5
Failed to format tag folder path., xrefs: 001CEFC3
Failed to allocate regid folder path., xrefs: 001CEFBC

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AttributesDirectoryErrorFileLastOpen@16Remove
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
API String ID: 1428973842-4170906717
Opcode ID: c19e693d6571d5bfbb47b696b317fd3e25c0fc16cf3349783c180e3383f71143
Instruction ID: 023bf3080310d979d77d170006899447946e1371a8c2838b8204a398d6d5c63b
Opcode Fuzzy Hash: c19e693d6571d5bfbb47b696b317fd3e25c0fc16cf3349783c180e3383f71143
Instruction Fuzzy Hash: 48216931D00628BBCB15AB99C841F9DFBF5AF64710F1080A9F514A62A2D771DEA1AF90

Uniqueness

Uniqueness Score: -1.00%

Function 001E8DB6, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00200F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0022AAA0,00000000,?,002057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00200F80

CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 001E8E3A
RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,001CF7E0,00000001,00000100,000001B4,00000000), ref: 001E8E88

Strings

Failed to enumerate uninstall key for related bundles., xrefs: 001E8E99
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 001E8DD7
Failed to open uninstall registry key., xrefs: 001E8DFD

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseCompareOpenString
String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 2817536665-2531018330
Opcode ID: 297bd331c63989b9cb49f57dd86624e6692fb49b4066a54387970e25b5731f99
Instruction ID: 838c6c398782b72e325b554ff17e1ef6c837e3fb134df910506d6865296affd0
Opcode Fuzzy Hash: 297bd331c63989b9cb49f57dd86624e6692fb49b4066a54387970e25b5731f99
Instruction Fuzzy Hash: 6C210B32910668FFDF25AB91CC8AFEEBA79EF04720F144164F81476091DB310E90E690

Uniqueness

Uniqueness Score: -1.00%

Function 001ED259, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001ED2EE
ReleaseMutex.KERNEL32(?), ref: 001ED31C
SetEvent.KERNEL32(?), ref: 001ED325

Strings

NetFxChainer.cpp, xrefs: 001ED293
Failed to allocate buffer., xrefs: 001ED29D

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate buffer.$NetFxChainer.cpp
API String ID: 944053411-3611226795
Opcode ID: 5994d9df3f45b0f2e5697bb054b0f0df71a80a62af787d1f6c47494f2db39883
Instruction ID: d05d9c6de50845c1434759a4ad10bcc9ea5616f67390597789abdc914c86b1e4
Opcode Fuzzy Hash: 5994d9df3f45b0f2e5697bb054b0f0df71a80a62af787d1f6c47494f2db39883
Instruction Fuzzy Hash: 6C21A3B4600746BFDB109F68E884A5DB7F5FF58320F108629F964A7352C771E9508B90

Uniqueness

Uniqueness Score: -1.00%

Function 00205907, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,001E6B11,00000000,?), ref: 0020591D
GetLastError.KERNEL32(?,?,001E6B11,00000000,?,?,?,?,?,?,?,?,?,001E6F28,?,?), ref: 0020592B

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,001E6B11,00000000,?), ref: 00205965
GetLastError.KERNEL32(?,?,001E6B11,00000000,?,?,?,?,?,?,?,?,?,001E6F28,?,?), ref: 0020596F

Strings

svcutil.cpp, xrefs: 0020594E, 00205990

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ConfigErrorHeapLastQueryService$AllocateProcess
String ID: svcutil.cpp
API String ID: 355237494-1746323212
Opcode ID: f3b652b35f339339de90ca0e513794486d550c6bb500a23cbc807608082fdd5a
Instruction ID: 5d4e85ba5357e93f9ac379fd2a6fc9659b6c9c1f316d1fa21befcaea80cb020e
Opcode Fuzzy Hash: f3b652b35f339339de90ca0e513794486d550c6bb500a23cbc807608082fdd5a
Instruction Fuzzy Hash: 4A212632961B3EF7E7315A918D08FAF7E6D9B50B70F114014BC04AB282E761CD209AE0

Uniqueness

Uniqueness Score: -1.00%

Function 001C9839, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 001C98C8

Strings

Failed to parse condition '%ls' at position: %u, xrefs: 001C987A
Failed to read next symbol., xrefs: 001C98E4
Failed to find variable., xrefs: 001C98B5
condition.cpp, xrefs: 001C986A, 001C98AB

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: _memcpy_s
String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
API String ID: 2001391462-1605196437
Opcode ID: f273649b97896a4ea2a8ecb317126973378e752c1729671ca9efd886f039eeb1
Instruction ID: be0d1603e152ff8f5d08fa18027880e336fa0d4d1ce01f8d703a3adbf55604aa
Opcode Fuzzy Hash: f273649b97896a4ea2a8ecb317126973378e752c1729671ca9efd886f039eeb1
Instruction Fuzzy Hash: 031194335913297AEB2539AC9C8AF963A54EF37720F044159FD006B1D2CB62C920D6E1

Uniqueness

Uniqueness Score: -1.00%

Function 001C9E16, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 001C9E38

Strings

File search: %ls, did not find path: %ls, xrefs: 001C9EA3
Failed to format path string., xrefs: 001C9E43
Failed get file version., xrefs: 001C9E78
Failed to set variable., xrefs: 001C9E97

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Open@16
String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
API String ID: 3613110473-2458530209
Opcode ID: 389b941b0925c3263c117dd0e4ab6b4b37a8ba55ee0b4856dd9b6eca1ef218de
Instruction ID: abe9867aa9f51e52470c48d5170c38caffbbead30584bbae7537814eb9a32ca8
Opcode Fuzzy Hash: 389b941b0925c3263c117dd0e4ab6b4b37a8ba55ee0b4856dd9b6eca1ef218de
Instruction Fuzzy Hash: 56118172D40228BBDF02AAD48C85EEEFB68EF34750F11416AFD0066262D7319E609B91

Uniqueness

Uniqueness Score: -1.00%

Function 001D820F, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,001D8E17,0000001A,00000000,?,00000000,00000000), ref: 001D8258
GetLastError.KERNEL32(?,?,001D8E17,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 001D8262

Strings

cache.cpp, xrefs: 001D8236, 001D8286
Failed to allocate memory for well known SID., xrefs: 001D8240
Failed to create well known SID., xrefs: 001D8290

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Heap$AllocateCreateErrorKnownLastProcessWell
String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
API String ID: 2186923214-2110050797
Opcode ID: 90634d52ddce28be38f0ee76913a5777504c904aa02f13c38d588b1da91bd97f
Instruction ID: d4bca495b3d32b0a32c21aaea89217c5a65b918142392486360cbc2031383971
Opcode Fuzzy Hash: 90634d52ddce28be38f0ee76913a5777504c904aa02f13c38d588b1da91bd97f
Instruction Fuzzy Hash: AF012533656621BBD63166995C4AF9B6AACCFA1B70B22401BFD10AB281EF74CD4085E0

Uniqueness

Uniqueness Score: -1.00%

Function 001EDDA0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 001EDDCE
PeekMessageW.USER32 ref: 001EDDF8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,001EDFC8,00000000,?,?,?,?,00000000), ref: 001EDE00

Strings

Failed while waiting for download., xrefs: 001EDE2E
bitsengine.cpp, xrefs: 001EDE24

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLastMessageMultipleObjectsPeekWait
String ID: Failed while waiting for download.$bitsengine.cpp
API String ID: 435350009-228655868
Opcode ID: fd286c5dd943f35f572e4fe6fa74bbe2609c1726e72fef5e9d32a30e943965cc
Instruction ID: e9fbec21d52e8cdf262237d006605f0b5915c47ecdd635504cab69aa5a493fa5
Opcode Fuzzy Hash: fd286c5dd943f35f572e4fe6fa74bbe2609c1726e72fef5e9d32a30e943965cc
Instruction Fuzzy Hash: 2F110273A4137577D7209AEAAC4DEEFBAACEB15B20F110125FE05FB181D760990082E0

Uniqueness

Uniqueness Score: -1.00%

Function 00203C72, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00203CC0
GetLastError.KERNEL32(?,?,00000000), ref: 00203CCA
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00203CFD

Strings

shelutil.cpp, xrefs: 00203CEB
<, xrefs: 00203CB2

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseErrorExecuteHandleLastShell
String ID: <$shelutil.cpp
API String ID: 3023784893-3991740012
Opcode ID: 1543119e2e577bd7d480e701fc6dd57cb0a40ef19268745d6fb60447579c9aaf
Instruction ID: 069e85890147d3f8e467feaed024c3601cc8ee769aeb61bf814ba81f48137c05
Opcode Fuzzy Hash: 1543119e2e577bd7d480e701fc6dd57cb0a40ef19268745d6fb60447579c9aaf
Instruction Fuzzy Hash: DA11EA75E11329ABDB11DFA9E845A8E7BF8AF08750F10411AFD15F7341E7309A10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 001C5F2E, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32 ref: 001C5F5C
GetLastError.KERNEL32 ref: 001C5F66

Strings

Failed to set variant value., xrefs: 001C5FAD
Failed to get computer name., xrefs: 001C5F94
variable.cpp, xrefs: 001C5F8A

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ComputerErrorLastName
String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
API String ID: 3560734967-484636765
Opcode ID: 01199fa898b94bdb46a3de44927c2f174cd5db1a3ef5a3a832f4348c841db5a3
Instruction ID: c65053bc0a255bf98a3713a7d83ffe480079128d23e0175564928669b4dbd76b
Opcode Fuzzy Hash: 01199fa898b94bdb46a3de44927c2f174cd5db1a3ef5a3a832f4348c841db5a3
Instruction Fuzzy Hash: 9E11E533A41A286BD7259BA49C05FDEB7E8AB18720F11011AFD00FB281DB70EE4486E1

Uniqueness

Uniqueness Score: -1.00%

Function 001C9A4D, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 001C9AC4

Strings

Condition, xrefs: 001C9A5F
Failed to copy condition string from BSTR, xrefs: 001C9AAE
Failed to select condition node., xrefs: 001C9A7B
Failed to get Condition inner text., xrefs: 001C9A94

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: FreeString
String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.
API String ID: 3341692771-3600577998
Opcode ID: dc320ee11972057c11db91b4137aa013f5fbf52bbb19358c7d39f27a870adb04
Instruction ID: db299afd3d1e229c868cadd560471f0213fbe0f6d3f6205e3997c1eb0b396db2
Opcode Fuzzy Hash: dc320ee11972057c11db91b4137aa013f5fbf52bbb19358c7d39f27a870adb04
Instruction Fuzzy Hash: 6111C432A11368BBDB16EB94CD0AFADBB68EF20711F114159FC01BB191C7B1DE50D680

Uniqueness

Uniqueness Score: -1.00%

Function 001C67AA, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 001C67E3
GetLastError.KERNEL32 ref: 001C67ED

Strings

Failed to set variant value., xrefs: 001C6837
Failed to get temp path., xrefs: 001C681B
variable.cpp, xrefs: 001C6811

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLastPathTemp
String ID: Failed to get temp path.$Failed to set variant value.$variable.cpp
API String ID: 1238063741-2915113195
Opcode ID: 8bd5261b14feba7950529d2996970ca4b20429699a2480c673275e7b3651bec3
Instruction ID: 79f0c29fc04e65a61e3f5808e550f6a1e42db72b58b0171c047a2e61181f4fa3
Opcode Fuzzy Hash: 8bd5261b14feba7950529d2996970ca4b20429699a2480c673275e7b3651bec3
Instruction Fuzzy Hash: 8A01F972E4173967D731AB949C4AFAE77989F24B10F110269FD04FB2C2EB60DE008AD5

Uniqueness

Uniqueness Score: -1.00%

Function 00200A28, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,001C4F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 00200A38
GetLastError.KERNEL32(?,?,001C4F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00200A46
GetExitCodeProcess.KERNEL32 ref: 00200A8B
GetLastError.KERNEL32(?,?,001C4F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00200A95

Strings

procutil.cpp, xrefs: 00200A6A

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectProcessSingleWait
String ID: procutil.cpp
API String ID: 590199018-1178289305
Opcode ID: 51dc27749695d2fc20d5e66f81d67152b1b7cae11491a58ec8f01c2b59255845
Instruction ID: 5a6f13ce4881da8ce43572f70bab14ea86b4754962d464b77c55a3ea5373b9ff
Opcode Fuzzy Hash: 51dc27749695d2fc20d5e66f81d67152b1b7cae11491a58ec8f01c2b59255845
Instruction Fuzzy Hash: 5311C637E21336EBEB318F909948B9E7AA4EB04760F124255FE14AB3C2D3708D2096D0

Uniqueness

Uniqueness Score: -1.00%

Function 001C5E94, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 001C5EA6

Part of subcall function 00200ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,001C5EB2,00000000), ref: 00200AE0
Part of subcall function 00200ACC: GetProcAddress.KERNEL32(00000000), ref: 00200AE7
Part of subcall function 00200ACC: GetLastError.KERNEL32(?,?,?,001C5EB2,00000000), ref: 00200AFE

Part of subcall function 00203D1F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00203D4C

Strings

Failed to get 64-bit folder., xrefs: 001C5EF0
Failed to set variant value., xrefs: 001C5F0A
Failed to get shell folder., xrefs: 001C5EDA
variable.cpp, xrefs: 001C5ED0

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
API String ID: 2084161155-3906113122
Opcode ID: a268e7564a5c19f8b423529b3720457a249738b8e2165f20ca642c7428e07817
Instruction ID: 4be42e62853ca4bcc1871cae1c386747944a8083299c349a8ecf47089f2cffdd
Opcode Fuzzy Hash: a268e7564a5c19f8b423529b3720457a249738b8e2165f20ca642c7428e07817
Instruction Fuzzy Hash: 3501C831911728B7DF16A790CC06FEE7A6DAF21720F204159F800B6182DB70EE909BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00204153, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00204440: FindFirstFileW.KERNEL32(001E923A,?,00000100,00000000,00000000), ref: 0020447B
Part of subcall function 00204440: FindClose.KERNEL32(00000000), ref: 00204487

SetFileAttributesW.KERNEL32(001E923A,00000080,00000000,001E923A,000000FF,00000000,?,?,001E923A), ref: 00204182
GetLastError.KERNEL32(?,?,001E923A), ref: 0020418C
DeleteFileW.KERNEL32(001E923A,00000000,001E923A,000000FF,00000000,?,?,001E923A), ref: 002041AC
GetLastError.KERNEL32(?,?,001E923A), ref: 002041B6

Strings

fileutil.cpp, xrefs: 002041D1

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
String ID: fileutil.cpp
API String ID: 3967264933-2967768451
Opcode ID: 3d0f1a6554b9c066ad377be54e9772c2cbc0e48c4f7df1ac3b282ab631cc56fb
Instruction ID: e708de3a6cbbf9396d6b1fd56af30fd3ee9583a144651ce1623bbfbe94777a25
Opcode Fuzzy Hash: 3d0f1a6554b9c066ad377be54e9772c2cbc0e48c4f7df1ac3b282ab631cc56fb
Instruction Fuzzy Hash: 7901FEF2A51736B7D7326AA59C08B5BFE98AF24750F018611FE4CE61D2D721CD7085D0

Uniqueness

Uniqueness Score: -1.00%

Function 001EDA05, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 001EDA1A
LeaveCriticalSection.KERNEL32(?), ref: 001EDA5F
SetEvent.KERNEL32(?,?,?,?), ref: 001EDA73

Strings

Failure while sending progress during BITS job modification., xrefs: 001EDA4E
Failed to get state during job modification., xrefs: 001EDA33

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
API String ID: 3094578987-1258544340
Opcode ID: 6513fa69a7598b1ef45cf183d0616351b8f67109f99aba13dd4df2662bf84616
Instruction ID: 0143939013f0c9cf8914a1bfee55eacd2c97ba30f7c4ec285d259a0551c84222
Opcode Fuzzy Hash: 6513fa69a7598b1ef45cf183d0616351b8f67109f99aba13dd4df2662bf84616
Instruction Fuzzy Hash: CC01DE72A04B64BFCB22DB56E888AAEB7A8FF55721B004255E809D3601D730AA14CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 001EDC7E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,001EDDEE), ref: 001EDC92
LeaveCriticalSection.KERNEL32(00000008,?,001EDDEE), ref: 001EDCD7
SetEvent.KERNEL32(?,?,001EDDEE), ref: 001EDCEB

Strings

Failed to get BITS job state., xrefs: 001EDCAB
Failure while sending progress., xrefs: 001EDCC6

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get BITS job state.$Failure while sending progress.
API String ID: 3094578987-2876445054
Opcode ID: 32cc3a8851ec8040d40b0497aef4a8a1b1231c3da136dcd73948eff50b9b4d5d
Instruction ID: 3868900831f60c1f812589ba9b752a2f648f165718f7e27b5da74b8315a28722
Opcode Fuzzy Hash: 32cc3a8851ec8040d40b0497aef4a8a1b1231c3da136dcd73948eff50b9b4d5d
Instruction Fuzzy Hash: D901F172A01B25BBCB269B46F88999EBBA8FF04361B100159F90993641DB70AD10C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 001ED7E8, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,001EDF52,?,?,?,?,?,?,00000000,00000000), ref: 001ED802
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,001EDF52,?,?,?,?,?,?,00000000,00000000), ref: 001ED80D
GetLastError.KERNEL32(?,001EDF52,?,?,?,?,?,?,00000000,00000000), ref: 001ED81A

Strings

Failed to create BITS job complete event., xrefs: 001ED848
bitsengine.cpp, xrefs: 001ED83E

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CreateCriticalErrorEventInitializeLastSection
String ID: Failed to create BITS job complete event.$bitsengine.cpp
API String ID: 3069647169-3441864216
Opcode ID: 82dc6b25af9a9789a8a7318370335691b919ee8b715b49339570c341a84f4346
Instruction ID: 893de04d4d90e1c74d236bdc1220b3c5434a137593f0777ccd0b07af6d4bc7a6
Opcode Fuzzy Hash: 82dc6b25af9a9789a8a7318370335691b919ee8b715b49339570c341a84f4346
Instruction Fuzzy Hash: C1015276951732BBD3219F56E849A8BBAA8FF19760B014116FD08E7641D7709810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 001CD4A8, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,001D7040,000000B8,00000000,?,00000000,7743A770), ref: 001CD4B7
InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 001CD4C6
LeaveCriticalSection.KERNEL32(000000D0,?,001D7040,000000B8,00000000,?,00000000,7743A770), ref: 001CD4DB

Strings

userexperience.cpp, xrefs: 001CD4F4
Engine active cannot be changed because it was already in that state., xrefs: 001CD4FE

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
String ID: Engine active cannot be changed because it was already in that state.$userexperience.cpp
API String ID: 3376869089-1544469594
Opcode ID: 9f6212aab6fc971454fca675415a4c603c26cdd837432b0ddb753fb523abb397
Instruction ID: d9e4925f041c43f458f3b77143b5f0bb2075d5b1cb01e1b86478034c9266a534
Opcode Fuzzy Hash: 9f6212aab6fc971454fca675415a4c603c26cdd837432b0ddb753fb523abb397
Instruction Fuzzy Hash: 55F0AF72344308AFD7219EA6ECC8E97B3BCFBA6761300442EBA05C3681DB70E9058760

Uniqueness

Uniqueness Score: -1.00%

Function 00201C88, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 00201CB3
GetLastError.KERNEL32(?,001C49DA,00000001,?,?,001C4551,?,?,?,?,001C5466,?,?,?,?), ref: 00201CC2

Strings

SRSetRestorePointW, xrefs: 00201CA8
srputil.cpp, xrefs: 00201CE3
srclient.dll, xrefs: 00201C91

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
API String ID: 199729137-398595594
Opcode ID: de5c58aab65f0e4bb3db5aedb0278c063961f74b831d1ac56382b567eab9b728
Instruction ID: 3d83249451f4db4c5c355ce5cc6232044a851645f44110157ea8372980c3b248
Opcode Fuzzy Hash: de5c58aab65f0e4bb3db5aedb0278c063961f74b831d1ac56382b567eab9b728
Instruction Fuzzy Hash: 8601A237AB133663E3331AE57C0DB6666485B107A1F014127BD00AB2E2D768DC70CAD6

Uniqueness

Uniqueness Score: -1.00%

Function 001F495D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,001F490E,00000000,?,001F48AE,00000000,00227F08,0000000C,001F4A05,00000000,00000002), ref: 001F497D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001F4990
FreeLibrary.KERNEL32(00000000,?,?,?,001F490E,00000000,?,001F48AE,00000000,00227F08,0000000C,001F4A05,00000000,00000002), ref: 001F49B3

Strings

CorExitProcess, xrefs: 001F4988
mscoree.dll, xrefs: 001F4976

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 404d8237904a2cba664fc85c11ce8829920cfdbecb3ac5f1dc8fa16a1ae76011
Instruction ID: b62667fbea6630b921c268dd87875d4848511395943281201e12de66c1192c2b
Opcode Fuzzy Hash: 404d8237904a2cba664fc85c11ce8829920cfdbecb3ac5f1dc8fa16a1ae76011
Instruction Fuzzy Hash: B2F04F34A1021CBBCB219F94EC1DBAEBFB9FB08715F004069F909A2151CBB14A90CA91

Uniqueness

Uniqueness Score: -1.00%

Function 001D9287, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 001D93C9

Part of subcall function 002056CF: GetLastError.KERNEL32(?,?,001D933A,?,00000003,00000000,?), ref: 002056EE

Strings

cache.cpp, xrefs: 001D93ED
Failed to get certificate public key identifier., xrefs: 001D93F7
Failed to read certificate thumbprint., xrefs: 001D93BD
Failed to find expected public key in certificate chain., xrefs: 001D938A

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
API String ID: 1452528299-3408201827
Opcode ID: c50bbe89cbc558f6bf22bf021f92d7bb421ca7a3e1b1b4818dac0412d7b9ae63
Instruction ID: 9d0e42a113663fb214da84a98ff3aa9be69461543ca674560b2c7e5350db34f3
Opcode Fuzzy Hash: c50bbe89cbc558f6bf22bf021f92d7bb421ca7a3e1b1b4818dac0412d7b9ae63
Instruction Fuzzy Hash: CB413E72E04619BFDB10DAA9C845AAEB7B8BB18714F01416AF905EB391D774ED40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C21AC, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C21F2
GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C21FE

Part of subcall function 001C3BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,001C21CC,000001C7,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3BDB
Part of subcall function 001C3BD3: HeapSize.KERNEL32(00000000,?,001C21CC,000001C7,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3BE2

Strings

strutil.cpp, xrefs: 001C2222

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: 2981cbd64107b7f284715c060bd12bf432c3d2f686cb54849a3b69f6abc37941
Instruction ID: efb6684f328f66775f975cd32bd5ed9b88aee76879340334cb716b2f07652469
Opcode Fuzzy Hash: 2981cbd64107b7f284715c060bd12bf432c3d2f686cb54849a3b69f6abc37941
Instruction Fuzzy Hash: 7A310836601226ABD7258EA5CC48F6B7B99AF75774B22432CFD15AB290EB71CC00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 002094FD, Relevance: 7.6, APIs: 5, Instructions: 119registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00200F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0022AAA0,00000000,?,002057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00200F80

RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 002095D5
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 00209610
RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 0020962C
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 00209639
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 00209646

Part of subcall function 00200FD5: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,002095C2,00000001), ref: 00200FED

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Close$InfoOpenQuery
String ID:
API String ID: 796878624-0
Opcode ID: 8b3cc4c35c2a048486d146af82b482b7dce9d27d04f16b444ec9888ecebfdba3
Instruction ID: c95f95f2e86722a1a2ec08387ea73f85dc2cb703099494dd1d8a96d94a08fc95
Opcode Fuzzy Hash: 8b3cc4c35c2a048486d146af82b482b7dce9d27d04f16b444ec9888ecebfdba3
Instruction Fuzzy Hash: 86416D72C1172EFFDF21AFD48D819ADFAB9EF04750F11416AE91176163CB324EA09A90

Uniqueness

Uniqueness Score: -1.00%

Function 001C8A07, Relevance: 7.6, APIs: 5, Instructions: 118stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,001C8BC8,001C972D,?,001C972D,?,?,001C972D,?,?), ref: 001C8A27
lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,001C8BC8,001C972D,?,001C972D,?,?,001C972D,?,?), ref: 001C8A2F
CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,001C8BC8,001C972D,?,001C972D,?), ref: 001C8A7E
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,001C8BC8,001C972D,?,001C972D,?), ref: 001C8AE0
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,001C8BC8,001C972D,?,001C972D,?), ref: 001C8B0D

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CompareString$lstrlen
String ID:
API String ID: 1657112622-0
Opcode ID: 7f67c6b49e3b72b62e260ab1fbead37cdaa78857613203a590241177204cf316
Instruction ID: f8410866dcdd03a6750e2f2ac6f2e70f17046490e3f1d3d677fcf93616d2f8b5
Opcode Fuzzy Hash: 7f67c6b49e3b72b62e260ab1fbead37cdaa78857613203a590241177204cf316
Instruction Fuzzy Hash: 4E314172600108BFCF268E58DCC5FAE7F6AEB68790F15441AF90987251CB71DD90DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C74B7, Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(001C53BD,WixBundleOriginalSource,?,?,001DA623,840F01E8,WixBundleOriginalSource,?,0022AA90,?,00000000,001C5445,00000001,?,?,001C5445), ref: 001C74C3
LeaveCriticalSection.KERNEL32(001C53BD,001C53BD,00000000,00000000,?,?,001DA623,840F01E8,WixBundleOriginalSource,?,0022AA90,?,00000000,001C5445,00000001,?), ref: 001C752A

Strings

Failed to get value as string for variable: %ls, xrefs: 001C7519
WixBundleOriginalSource, xrefs: 001C74BF
Failed to get value of variable: %ls, xrefs: 001C74FD

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
API String ID: 3168844106-30613933
Opcode ID: 513f3cb99cc41be1f6efd992fb959a276f73f25c499a80c49366c794a112649b
Instruction ID: 63a26e5b3bbdd27c1c4032a43e03b0f13050e5a3daf9398f8aab1a2168ba32a2
Opcode Fuzzy Hash: 513f3cb99cc41be1f6efd992fb959a276f73f25c499a80c49366c794a112649b
Instruction Fuzzy Hash: A5019E72944228EBCF225F50CC09F9E7A68EF20361F104168FD04A62A1C376DA209BD0

Uniqueness

Uniqueness Score: -1.00%

Function 001ED152, Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00000000,?,001ED148,00000000), ref: 001ED16D
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,001ED148,00000000), ref: 001ED179
CloseHandle.KERNEL32(0020B518,00000000,?,00000000,?,001ED148,00000000), ref: 001ED186
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,001ED148,00000000), ref: 001ED193
UnmapViewOfFile.KERNEL32(0020B4E8,00000000,?,001ED148,00000000), ref: 001ED1A2

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: e8ff6a0f48596ca2a071e099a9951e80cff08047f617de35619e3a353f3f0313
Instruction ID: 12850c11f687c0ba6e48b0657a40e78aefe6c791272df4b64d0b0ae007e8dd70
Opcode Fuzzy Hash: e8ff6a0f48596ca2a071e099a9951e80cff08047f617de35619e3a353f3f0313
Instruction Fuzzy Hash: AD011976400B55DFCB31AFA6E88081AF7E9FF60711315C93EE1A652931C371A890CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00207B16, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

SysFreeString.OLEAUT32(00000000), ref: 00207C74
SysFreeString.OLEAUT32(00000000), ref: 00207C7F
SysFreeString.OLEAUT32(00000000), ref: 00207C8A

Strings

atomutil.cpp, xrefs: 00207B49

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: atomutil.cpp
API String ID: 2724874077-4059165915
Opcode ID: 95b9484bcea04e2abeb89297588abdbaad1c6826c2e706df6e70d75493a6c131
Instruction ID: 71011551c7b92af71a5baf5a5a090d866110d74751b95758d9096a388e79e6c5
Opcode Fuzzy Hash: 95b9484bcea04e2abeb89297588abdbaad1c6826c2e706df6e70d75493a6c131
Instruction Fuzzy Hash: 3C519231E1432AAFEB21DF64C844FAEB7B8AF00710F154199E905BB192D771EE50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00208713, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00208820
GetLastError.KERNEL32 ref: 0020882A

Strings

timeutil.cpp, xrefs: 0020884E
clbcatq.dll, xrefs: 00208731, 0020873C

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Time$ErrorFileLastSystem
String ID: clbcatq.dll$timeutil.cpp
API String ID: 2781989572-961924111
Opcode ID: c9a6cab3bfda790c06bfba6559d8150e94e47e5f444c9d5653e4e63aef0add24
Instruction ID: 168b5901d1c1ae2364db3d979e3d2ed4de6ed82d4a9278ad7d0b8e22a9172c74
Opcode Fuzzy Hash: c9a6cab3bfda790c06bfba6559d8150e94e47e5f444c9d5653e4e63aef0add24
Instruction Fuzzy Hash: 9F41173AE2031A76D7209FB48C05B7FB765AF51700F648529F641B71D6EE31CE1087A1

Uniqueness

Uniqueness Score: -1.00%

Function 002036CC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(000002C0), ref: 002036E6
SysAllocString.OLEAUT32(?), ref: 002036F6
VariantClear.OLEAUT32(?), ref: 002037D5

Strings

xmlutil.cpp, xrefs: 0020370E

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Variant$AllocClearInitString
String ID: xmlutil.cpp
API String ID: 2213243845-1270936966
Opcode ID: 3a63eb28b25e76742700a8cbdd623b2b18c70e90076be949759f654d8436f63e
Instruction ID: eb4406a3028bc7652bebc68b88afa38188580ec72ae1435a954e3f1a2a39e1a2
Opcode Fuzzy Hash: 3a63eb28b25e76742700a8cbdd623b2b18c70e90076be949759f654d8436f63e
Instruction Fuzzy Hash: 604166B5910325ABDB11DFA5C888EAAF7BCAF45710F1541A4FC01EB292D630DE108B90

Uniqueness

Uniqueness Score: -1.00%

Function 00200E4F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,001E8E1B), ref: 00200EAA
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,001E8E1B,00000000), ref: 00200EC8
RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,001E8E1B,00000000,00000000,00000000), ref: 00200F1E

Strings

regutil.cpp, xrefs: 00200EEE

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Enum$InfoQuery
String ID: regutil.cpp
API String ID: 73471667-955085611
Opcode ID: 0eec4d01ab1c1cf77d5121b021e644ee0c6a1e6fd3a684b38c2b9c641662c3aa
Instruction ID: a0f57e9abbda6693b1acb023c6081ecf0d08fde7e3b502fa4ccf6a78463436c6
Opcode Fuzzy Hash: 0eec4d01ab1c1cf77d5121b021e644ee0c6a1e6fd3a684b38c2b9c641662c3aa
Instruction Fuzzy Hash: A931A07691122ABBFB318AC4CCC8FAEB76CEF14750F150065BD04AB191DB718E20A6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00207A10, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

SysFreeString.OLEAUT32(00000000), ref: 00207AF4
SysFreeString.OLEAUT32(?), ref: 00207AFF
SysFreeString.OLEAUT32(00000000), ref: 00207B0A

Strings

atomutil.cpp, xrefs: 00207A3D

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: atomutil.cpp
API String ID: 2724874077-4059165915
Opcode ID: 18b35da073f14bde23dc41b26ffd0627cbfe80136ede50feea0ff1c45128af34
Instruction ID: b2098f1d5374aab30fad6eaaa89a293e94f5b04514d13fbc9572444001a81687
Opcode Fuzzy Hash: 18b35da073f14bde23dc41b26ffd0627cbfe80136ede50feea0ff1c45128af34
Instruction Fuzzy Hash: D8318432E15229BBDB12AF94CC45F9EBBA8EF10750F1541A5E901BB192DB70EE109BD0

Uniqueness

Uniqueness Score: -1.00%

Function 001E8B17, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00200F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0022AAA0,00000000,?,002057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00200F80

RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,001E8E57,00000000,00000000), ref: 001E8BD4

Strings

Failed to initialize package from related bundle id: %ls, xrefs: 001E8BBA
Failed to open uninstall key for potential related bundle: %ls, xrefs: 001E8B43
Failed to ensure there is space for related bundles., xrefs: 001E8B87

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
API String ID: 47109696-1717420724
Opcode ID: 02b4ce02e69f19d948a1afc46c787710b610b871ca7b2a65f765d0ba76115ff3
Instruction ID: 1917c77b478de7c617477b202076216df425792176a0020a71317c1badddcb00
Opcode Fuzzy Hash: 02b4ce02e69f19d948a1afc46c787710b610b871ca7b2a65f765d0ba76115ff3
Instruction Fuzzy Hash: 4521FFB2840A99FBEF168E81CC46FEEBB78EF14310F114055FD04A6190DB719A20EB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C3B15, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,80004005,00000000,00000000,00000100,?,001C1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,001C13B8), ref: 001C3B33
HeapReAlloc.KERNEL32(00000000,?,001C1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,001C13B8,000001C7,00000100,?,80004005,00000000), ref: 001C3B3A

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

Part of subcall function 001C3BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,001C21CC,000001C7,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3BDB
Part of subcall function 001C3BD3: HeapSize.KERNEL32(00000000,?,001C21CC,000001C7,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3BE2

_memcpy_s.LIBCMT ref: 001C3B86

Strings

memutil.cpp, xrefs: 001C3BC7

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Heap$Process$AllocAllocateSize_memcpy_s
String ID: memutil.cpp
API String ID: 3406509257-2429405624
Opcode ID: c5d757274cb8820be04bc9285efbcf0268a97be8b6d668f8aa02a590e565ce6f
Instruction ID: d8c48cc5cb14152a41f87e769a06a4d4788ab65c1b8a059aac533c98299e9185
Opcode Fuzzy Hash: c5d757274cb8820be04bc9285efbcf0268a97be8b6d668f8aa02a590e565ce6f
Instruction Fuzzy Hash: E711B131604619AFCB226F68DC49FAE3A599F60764B05C21CFC359B262D732CF6096E1

Uniqueness

Uniqueness Score: -1.00%

Function 0020894D, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00208991
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 002089B9
GetLastError.KERNEL32 ref: 002089C3

Strings

inetutil.cpp, xrefs: 002089E4

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLastTime$FileSystem
String ID: inetutil.cpp
API String ID: 1528435940-2900720265
Opcode ID: 683bd5ba674c3c8ba712b17756fceba237fcbba9b53063af012aecc40984a734
Instruction ID: a23d3d1bb4c469ad647e7e3b2491ec07fbdc3a21ce24958a924168f4ea172af0
Opcode Fuzzy Hash: 683bd5ba674c3c8ba712b17756fceba237fcbba9b53063af012aecc40984a734
Instruction Fuzzy Hash: 67119A73A1123E77D7219BE59D49BBFBBA89B44750F010115AE45F7241EA309D0486E2

Uniqueness

Uniqueness Score: -1.00%

Function 001D3AA6, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00200F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0022AAA0,00000000,?,002057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00200F80

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,001D3FB5,feclient.dll,?,00000000,?,?,?,001C4B12), ref: 001D3B42

Part of subcall function 002010B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0020112B
Part of subcall function 002010B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00201163

Strings

Logging, xrefs: 001D3AD4
feclient.dll, xrefs: 001D3AAB
SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 001D3AB7

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: c15f2f877b10f79bdba9f260c2fe63afed5e0a8bcffde0ef3e610b56eeba3bbc
Instruction ID: 6df63bd4b4d2ecd0aeaaed777a8898a8af003ae1dbbfb8139f369de5bb28c8e1
Opcode Fuzzy Hash: c15f2f877b10f79bdba9f260c2fe63afed5e0a8bcffde0ef3e610b56eeba3bbc
Instruction Fuzzy Hash: 2011B237B40308BBDB21DB95DC86EBABBB9EB10710F500167E510AB291D7719F91DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00200764, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(001E12CF,00000000,00000000,?,?,?,00200013,001E12CF,001E12CF,?,00000000,0000FDE9,?,001E12CF,8007139F,Invalid operation for this state.), ref: 00200776
WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,?,00000000,?,?,00200013,001E12CF,001E12CF,?,00000000,0000FDE9,?,001E12CF,8007139F), ref: 002007B2
GetLastError.KERNEL32(?,?,00200013,001E12CF,001E12CF,?,00000000,0000FDE9,?,001E12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 002007BC

Strings

logutil.cpp, xrefs: 002007ED

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 7ed27253eb961f9ad5de27af8542904aea659f5d680e6a582f51102ded684d01
Instruction ID: 079aa19a2abde322e23ff8819b24f80b5bea8a4bd1adea51b222bae843fec88c
Opcode Fuzzy Hash: 7ed27253eb961f9ad5de27af8542904aea659f5d680e6a582f51102ded684d01
Instruction Fuzzy Hash: E811CA72A10325BBE3259AA59DC8FAFFA6CEB45760F110225FD04E7291D774AD10C9E0

Uniqueness

Uniqueness Score: -1.00%

Function 001C120A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,001C523F,00000000,?), ref: 001C1248
GetLastError.KERNEL32(?,?,?,001C523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 001C1252

Strings

ignored , xrefs: 001C1217
apputil.cpp, xrefs: 001C1273

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ArgvCommandErrorLastLine
String ID: apputil.cpp$ignored
API String ID: 3459693003-568828354
Opcode ID: dfa1bbfb0ee4bd6975cf15b6c3a1e3ba6054a733e083574919c3241a9d816fed
Instruction ID: 844dbf50dde315f4d5a40b43b01c493e92b947f76e4487a5509f4d26ec5c3bfb
Opcode Fuzzy Hash: dfa1bbfb0ee4bd6975cf15b6c3a1e3ba6054a733e083574919c3241a9d816fed
Instruction Fuzzy Hash: AE11907A941229FBCB21DB99D805E9EBBACEF26750F110199BC00E7252D731DE00DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 001ED1B3, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000002,00000000,?,?,001ED3EE,00000000,00000000,00000000,?), ref: 001ED1C3
ReleaseMutex.KERNEL32(?,?,001ED3EE,00000000,00000000,00000000,?), ref: 001ED24A

Part of subcall function 001C394F: GetProcessHeap.KERNEL32(?,000001C7,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3960
Part of subcall function 001C394F: RtlAllocateHeap.NTDLL(00000000,?,001C2274,000001C7,00000001,80004005,8007139F,?,?,00200267,8007139F,?,00000000,00000000,8007139F), ref: 001C3967

Strings

NetFxChainer.cpp, xrefs: 001ED208
Failed to allocate memory for message data, xrefs: 001ED212

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate memory for message data$NetFxChainer.cpp
API String ID: 2993511968-1624333943
Opcode ID: 8b376d10608a8e82be3e13536a152d9c15704a2ce5f4556eceab8d97416dfa3e
Instruction ID: ab49435fa2eed16377cf13a9552d26c789064ee9c1c9aa46e3bf57d7d0be812e
Opcode Fuzzy Hash: 8b376d10608a8e82be3e13536a152d9c15704a2ce5f4556eceab8d97416dfa3e
Instruction Fuzzy Hash: 97118FB1200616AFCB159F65E885E69B7F4FF49724B104168F9149B392C771A820CB94

Uniqueness

Uniqueness Score: -1.00%

Function 001C1F69, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(001C428F,001C548E,?,00000000,00000000,00000000,?,80070656,?,?,?,001DE75C,00000000,001C548E,00000000,80070656), ref: 001C1F9A
GetLastError.KERNEL32(?,?,?,001DE75C,00000000,001C548E,00000000,80070656,?,?,001D40BF,001C548E,?,80070656,00000001,crypt32.dll), ref: 001C1FA7
LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,001DE75C,00000000,001C548E,00000000,80070656,?,?,001D40BF,001C548E), ref: 001C1FEE

Strings

strutil.cpp, xrefs: 001C1FCB

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: strutil.cpp
API String ID: 1365068426-3612885251
Opcode ID: f9e48b80787e000ac5d8b90c6fecbc43d21b00d3a2b09512b29ba479d0ef5e49
Instruction ID: debfe819a8bec57290d7f7850de455cdb01ec79d41f806a1c3e661569a769847
Opcode Fuzzy Hash: f9e48b80787e000ac5d8b90c6fecbc43d21b00d3a2b09512b29ba479d0ef5e49
Instruction Fuzzy Hash: C8018BB695022AFBDB219F94DC09EDEBAACEB15710F014169BD10E6251E730CE049AE0

Uniqueness

Uniqueness Score: -1.00%

Function 001D0721, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00200F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0022AAA0,00000000,?,002057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00200F80

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000), ref: 001D0791

Strings

Failed to update name and publisher., xrefs: 001D077B
Failed to update resume mode., xrefs: 001D0762
Failed to open registration key., xrefs: 001D0748

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to open registration key.$Failed to update name and publisher.$Failed to update resume mode.
API String ID: 47109696-1865096027
Opcode ID: 8e7213053f7a52affbd22de85dae13e1d59ab6e2b6c7ee3f66d6070c6cee1d58
Instruction ID: f814ca2b610c7ca3a483371d0a2b4be60fe1ce28252919317f2e19fa3937fd6a
Opcode Fuzzy Hash: 8e7213053f7a52affbd22de85dae13e1d59ab6e2b6c7ee3f66d6070c6cee1d58
Instruction Fuzzy Hash: B901FC32950228FBDB235684DC41FEEB779AF14B20F110156F940BA250C771FE20ABD4

Uniqueness

Uniqueness Score: -1.00%

Function 00204DB3, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(0020B500,40000000,00000001,00000000,00000002,00000080,00000000,001D04BF,00000000,?,001CF4F4,?,00000080,0020B500,00000000), ref: 00204DCB
GetLastError.KERNEL32(?,001CF4F4,?,00000080,0020B500,00000000,?,001D04BF,?,00000094,?,?,?,?,?,00000000), ref: 00204DD8
CloseHandle.KERNEL32(00000000,00000000,?,001CF4F4,?,001CF4F4,?,00000080,0020B500,00000000,?,001D04BF,?,00000094), ref: 00204E2C

Strings

fileutil.cpp, xrefs: 00204DFC

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: fileutil.cpp
API String ID: 2528220319-2967768451
Opcode ID: 1a6c2eecf2941db257e5e90c385c44c2e8f77c58ed69cc627ccc724aa9e87d6e
Instruction ID: 9bd55cf478b30950b994b1318e271d72a57647589365c02f1111def3985a2922
Opcode Fuzzy Hash: 1a6c2eecf2941db257e5e90c385c44c2e8f77c58ed69cc627ccc724aa9e87d6e
Instruction Fuzzy Hash: 9501B173651326A7D7326E69AC09F5B3A55AB41B71F018310FF20AA1D2D7608C2196E0

Uniqueness

Uniqueness Score: -1.00%

Function 0020497A, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,001E8C76,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 002049AE
GetLastError.KERNEL32(?,001E8C76,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 002049BB

Strings

fileutil.cpp, xrefs: 0020498F, 002049DF

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: fileutil.cpp
API String ID: 1214770103-2967768451
Opcode ID: 3125c83dce54f7854dd6abe2d0da1d60fecb0aec8e462bd7e90b1c674943a672
Instruction ID: dc9f17ccc93e0a08fc3533daee6bf48a0f262b489c263f8c70e8790c44f8d46f
Opcode Fuzzy Hash: 3125c83dce54f7854dd6abe2d0da1d60fecb0aec8e462bd7e90b1c674943a672
Instruction Fuzzy Hash: C201DB776A0339B7E33236D56C0DF6B2558AB11B60F11C221FF516A1D1C7659D2095E0

Uniqueness

Uniqueness Score: -1.00%

Function 001E6BEB, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(001E6AFD,00000001,?,00000001,00000000,?,?,?,?,?,?,001E6AFD,00000000), ref: 001E6C13
GetLastError.KERNEL32(?,?,?,?,?,?,001E6AFD,00000000), ref: 001E6C1D

Strings

msuengine.cpp, xrefs: 001E6C41
Failed to stop wusa service., xrefs: 001E6C4B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ControlErrorLastService
String ID: Failed to stop wusa service.$msuengine.cpp
API String ID: 4114567744-2259829683
Opcode ID: f1b85175e8932b20da4fb43a4097f00f670dbfb87a1e107dc975b81bb6aaacd3
Instruction ID: c5ea030115c8c0311c697c89a2a5a52cceca0166cbee7fbb5ce080448cb1b1f2
Opcode Fuzzy Hash: f1b85175e8932b20da4fb43a4097f00f670dbfb87a1e107dc975b81bb6aaacd3
Instruction Fuzzy Hash: EE012B73B41678A7D720DBA5AC49BEFB7E4EF18B60F110129FD00BB280DB249D0186E4

Uniqueness

Uniqueness Score: -1.00%

Function 001DECC5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32 ref: 001DECED
GetLastError.KERNEL32 ref: 001DECF7

Strings

EngineForApplication.cpp, xrefs: 001DED1B
Failed to post elevate message., xrefs: 001DED25

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post elevate message.
API String ID: 2609174426-4098423239
Opcode ID: 89ec126d62e4f2ae41c4634400931b624aae0455379b32983e69b880d0c9cb65
Instruction ID: d1aaf40abb7ad3525f12927c3eb63e4338f9e8448022c6c23961191d35d33993
Opcode Fuzzy Hash: 89ec126d62e4f2ae41c4634400931b624aae0455379b32983e69b880d0c9cb65
Instruction Fuzzy Hash: 64F0F633A50731ABC7306AD89C0DB867BD5AF10B71B21822AFE14AF2C2DB25CC1186D0

Uniqueness

Uniqueness Score: -1.00%

Function 001CD8DC, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 001CD903
FreeLibrary.KERNEL32(?,?,001C48D7,00000000,?,?,001C548E,?,?), ref: 001CD912
GetLastError.KERNEL32(?,001C48D7,00000000,?,?,001C548E,?,?), ref: 001CD91C

Strings

BootstrapperApplicationDestroy, xrefs: 001CD8FB

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AddressErrorFreeLastLibraryProc
String ID: BootstrapperApplicationDestroy
API String ID: 1144718084-3186005537
Opcode ID: 0484083bace183fef699a72c9dc6927c3ab7651ebf5ed00ad084a11b0dd75444
Instruction ID: 4f83d294ce4fc181e6caccda13956f1b96a828ef9d7e2ed589487f51f4b3bafd
Opcode Fuzzy Hash: 0484083bace183fef699a72c9dc6927c3ab7651ebf5ed00ad084a11b0dd75444
Instruction Fuzzy Hash: 68F06236700726ABC3214F6AE808F2AF7B4FF24B62701823DE825D6521D771EC608BD0

Uniqueness

Uniqueness Score: -1.00%

Function 001DF2D9, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32 ref: 001DF2EE
GetLastError.KERNEL32 ref: 001DF2F8

Strings

EngineForApplication.cpp, xrefs: 001DF31C
Failed to post plan message., xrefs: 001DF326

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post plan message.
API String ID: 2609174426-2952114608
Opcode ID: 0519c194c9bd660ccb60374a27ebc4fcd0a58ad3d0799c92b2016a8241e06264
Instruction ID: a4f8f1e2f798bcd77d29dcf14a95151d1234e66649261ab314e42f148fecdf41
Opcode Fuzzy Hash: 0519c194c9bd660ccb60374a27ebc4fcd0a58ad3d0799c92b2016a8241e06264
Instruction Fuzzy Hash: D8F027336513317BD6312A956C0DE8B7FD4FF14B60B024125BD04AB282D720CC10C1D0

Uniqueness

Uniqueness Score: -1.00%

Function 001DF3E7, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32 ref: 001DF3FC
GetLastError.KERNEL32 ref: 001DF406

Strings

EngineForApplication.cpp, xrefs: 001DF42A
Failed to post shutdown message., xrefs: 001DF434

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post shutdown message.
API String ID: 2609174426-188808143
Opcode ID: ef4603f37ff43ba65cb36923976e1a3e810d6a38d66d253f6fd92c257b78c066
Instruction ID: 2f7f003434f40f74aa2259f74d757e3964908f3f344a0c09ed753a35246e7fd0
Opcode Fuzzy Hash: ef4603f37ff43ba65cb36923976e1a3e810d6a38d66d253f6fd92c257b78c066
Instruction Fuzzy Hash: E7F02033A513317BC7311A956C0EF8B7B94AF00B60B02402ABE14BB282E760CD0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 001E07B5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(0020B478,00000000,?,001E1717,?,00000000,?,001CC287,?,001C5405,?,001D75A5,?,?,001C5405,?), ref: 001E07BF
GetLastError.KERNEL32(?,001E1717,?,00000000,?,001CC287,?,001C5405,?,001D75A5,?,?,001C5405,?,001C5445,00000001), ref: 001E07C9

Strings

cabextract.cpp, xrefs: 001E07ED
Failed to set begin operation event., xrefs: 001E07F7

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: b3a7126663f3f82b188280d1a2c1c12f0af04291c5d1f1b01f84c180422619f2
Instruction ID: a624204e46d8adf61b5e44019d0f48185196c3d6b3dfba51123b9525a82a2c35
Opcode Fuzzy Hash: b3a7126663f3f82b188280d1a2c1c12f0af04291c5d1f1b01f84c180422619f2
Instruction Fuzzy Hash: 76F05C33D42B3167D33253965C09FCF76849F19B70B020125FE01BB241E750AC90C6D5

Uniqueness

Uniqueness Score: -1.00%

Function 001DEBCB, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32 ref: 001DEBE0
GetLastError.KERNEL32 ref: 001DEBEA

Strings

EngineForApplication.cpp, xrefs: 001DEC0E
Failed to post apply message., xrefs: 001DEC18

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post apply message.
API String ID: 2609174426-1304321051
Opcode ID: d7af1b9464a845ed64e3e97a4a295ff9edad195a968a3996df13361b15d21d03
Instruction ID: 172a40107abdd78124cf62b00c8551b31554fe7a625d13e1b892d2e2338d530b
Opcode Fuzzy Hash: d7af1b9464a845ed64e3e97a4a295ff9edad195a968a3996df13361b15d21d03
Instruction Fuzzy Hash: CBF0A033A613357BD7312695AC0DE8BBED8EF15BB1B024015FE18AE282D761DC1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 001DEC5C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32 ref: 001DEC71
GetLastError.KERNEL32 ref: 001DEC7B

Strings

EngineForApplication.cpp, xrefs: 001DEC9F
Failed to post detect message., xrefs: 001DECA9

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post detect message.
API String ID: 2609174426-598219917
Opcode ID: 81d85af5da183ff355a7f87a7fcc129336e488fe5d75481cfd443ed650c0213b
Instruction ID: 64a7c214a3f2b3d5dc702ba1f116b06840d3ab2dce5115c6d1b45c139cc8f9a7
Opcode Fuzzy Hash: 81d85af5da183ff355a7f87a7fcc129336e488fe5d75481cfd443ed650c0213b
Instruction Fuzzy Hash: 2BF0823365133167D63166956C0DF877FD4AF14B62B124011BD18AE282D761D810C5D4

Uniqueness

Uniqueness Score: -1.00%

Function 001F6B76, Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 001F6C01
__alldvrm.LIBCMT ref: 001F6E02
__alldvrm.LIBCMT ref: 001F6E24

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: a43b07c52b3a46684783b2fbffe6c2b3820df8a855d7f8bf8198392ab5bcf62a
Instruction ID: f753a5990d6370e561bf2d04336a4ffc8ebd689c71bf6a7fef065c1019838965
Opcode Fuzzy Hash: a43b07c52b3a46684783b2fbffe6c2b3820df8a855d7f8bf8198392ab5bcf62a
Instruction Fuzzy Hash: 2EA14676A0078A9FDB25CF68C8917BEBBE5EF61310F18416DE6C59B282C7388D41C750

Uniqueness

Uniqueness Score: -1.00%

Function 00205EC5, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 163stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 00205F92
lstrlenW.KERNEL32(00000000), ref: 00205FAA

Strings

dlutil.cpp, xrefs: 00206033

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: lstrlen
String ID: dlutil.cpp
API String ID: 1659193697-2067379296
Opcode ID: 4ea169daf9b2b83441411811fdc3fa4103467be939ae014447e6e8ba7833a7da
Instruction ID: f9e466791063e1edca093567f6215249618a25583cce7f95582232253f70a6d1
Opcode Fuzzy Hash: 4ea169daf9b2b83441411811fdc3fa4103467be939ae014447e6e8ba7833a7da
Instruction Fuzzy Hash: E451CF7291172BABDB219FE48C889AFBBB9FF88710F054114F900A7281D775DD618FA0

Uniqueness

Uniqueness Score: -1.00%

Function 001F922B, Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,ECE85006,001F2444,00000000,00000000,001F3479,?,001F3479,?,00000001,001F2444,ECE85006,00000001,001F3479,001F3479), ref: 001F9278
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001F9301
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 001F9313
__freea.LIBCMT ref: 001F931C

Part of subcall function 001F521A: RtlAllocateHeap.NTDLL(00000000,?,?,?,001F1F87,?,0000015D,?,?,?,?,001F33E0,000000FF,00000000,?,?), ref: 001F524C

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: e4d0fd11496a6c6a70d8f609b729161b8ccd78cbbd8b1398bbdb3cfa4b2bf60a
Instruction ID: a8d641980607b3dfd9beeaabb07e5f666068866eaccd97c60d3e9c3c73d9ed44
Opcode Fuzzy Hash: e4d0fd11496a6c6a70d8f609b729161b8ccd78cbbd8b1398bbdb3cfa4b2bf60a
Instruction Fuzzy Hash: 2B31BC72A0020AABDF25AF64DC85EBE7BB5EB40310F050128FD09D7291EB35CD91CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C4FA4, Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00000000,?,001C5552,?,?,?,?,?,?), ref: 001C4FFE
DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,001C5552,?,?,?,?,?,?), ref: 001C5012
TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,001C5552,?,?), ref: 001C5101
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,001C5552,?,?), ref: 001C5108

Part of subcall function 001C1161: LocalFree.KERNEL32(?,?,001C4FBB,?,00000000,?,001C5552,?,?,?,?,?,?), ref: 001C116B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalDeleteFreeSection$CloseHandleLocal
String ID:
API String ID: 3671900028-0
Opcode ID: b9ae150db59a2048672d722d49c62b6e850bcf4e97ca3f943c94af6c71d1c1fc
Instruction ID: 81897be969c2a742c9d09514fdaceb2ff0b580c1299fae02b999729e1aa9b744
Opcode Fuzzy Hash: b9ae150db59a2048672d722d49c62b6e850bcf4e97ca3f943c94af6c71d1c1fc
Instruction Fuzzy Hash: FF41FC71500B05ABDB31EBB4D889F9B73EDAF24340F44092DB6AAD3092EB34F5558B64

Uniqueness

Uniqueness Score: -1.00%

Function 00206067, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00205FD0,00000000,00000000,00000001), ref: 002060DF
GetLastError.KERNEL32(?,?,00205FD0,00000000,00000000,00000001), ref: 00206130

Strings

8j", xrefs: 002060C3
dlutil.cpp, xrefs: 00206103, 00206154

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast
String ID: 8j"$dlutil.cpp
API String ID: 1452528299-660929049
Opcode ID: ec969199a73067368e3a0f2880e81a654a84a561a6a2cdea522ef5eee81f880a
Instruction ID: 8ca20571f63ae097d0edd877d4dd1b8b9b5ecf673e4cb2a69dab92d8333bf0c0
Opcode Fuzzy Hash: ec969199a73067368e3a0f2880e81a654a84a561a6a2cdea522ef5eee81f880a
Instruction Fuzzy Hash: 8D31F536950326BBD7324F959C4CF5BBAB9AF41B60F120214FD04A7382D731CD3096A0

Uniqueness

Uniqueness Score: -1.00%

Function 00203245, Relevance: 6.1, APIs: 4, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00203258
VariantInit.OLEAUT32(?), ref: 00203264
VariantClear.OLEAUT32(?), ref: 002032D8
SysFreeString.OLEAUT32(00000000), ref: 002032E3

Part of subcall function 00203498: SysAllocString.OLEAUT32(?), ref: 002034AD

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: String$AllocVariant$ClearFreeInit
String ID:
API String ID: 347726874-0
Opcode ID: a56476216274eab8e465a9753da89e62733b90182ccbbcc9a379b3d46378ca1d
Instruction ID: 143c095f00e2d6af0e588db6d25eb0c9bee64d164fe18ab7c395472f0b926037
Opcode Fuzzy Hash: a56476216274eab8e465a9753da89e62733b90182ccbbcc9a379b3d46378ca1d
Instruction Fuzzy Hash: 3D214F3191131AAFCB15DFA4C858EAEBBBDEF48715F104198EC019B251D7319E15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C4C86, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 001CF96C: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,001C4CA5,?,?,00000001), ref: 001CF9BC

CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 001C4D0C

Strings

Unable to get resume command line from the registry, xrefs: 001C4CAB
Failed to re-launch bundle process after RunOnce: %ls, xrefs: 001C4CF6
Failed to get current process path., xrefs: 001C4CCA

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Close$Handle
String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
API String ID: 187904097-642631345
Opcode ID: 6de8bed27c6c4164b1761de3d5c163bb30518c10d14a023061346a2279995452
Instruction ID: 9d86d4aefd401ae12bf9b65f5e274ae25949c29f044a194b98de0ae409480644
Opcode Fuzzy Hash: 6de8bed27c6c4164b1761de3d5c163bb30518c10d14a023061346a2279995452
Instruction Fuzzy Hash: 48118171D15618BBCF22AB95DC55EAEBBB8EF60711B10419AF811B3252D731CE20EF80

Uniqueness

Uniqueness Score: -1.00%

Function 001F88B2, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001F8A56,00000000,00000000,?,001F8859,001F8A56,00000000,00000000,00000000,?,001F8A56,00000006,FlsSetValue), ref: 001F88E4
GetLastError.KERNEL32(?,001F8859,001F8A56,00000000,00000000,00000000,?,001F8A56,00000006,FlsSetValue,00222404,0022240C,00000000,00000364,?,001F6230), ref: 001F88F0
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,001F8859,001F8A56,00000000,00000000,00000000,?,001F8A56,00000006,FlsSetValue,00222404,0022240C,00000000), ref: 001F88FE

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 1f32eb8106a28d8a17afef0a76020d881484648322af5072bcb3206d08007ac1
Instruction ID: c48392980cff3649c5bd3835aaf54dfcc3408719e636a058fbb8ab717aba437f
Opcode Fuzzy Hash: 1f32eb8106a28d8a17afef0a76020d881484648322af5072bcb3206d08007ac1
Instruction Fuzzy Hash: BA01D83274132AABC7324B69AC489777798FF55BA57110524FA19E7141DB70D80187E0

Uniqueness

Uniqueness Score: -1.00%

Function 001F615E, Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,001F1AEC,00000000,80004004,?,001F1DF0,00000000,80004004,00000000,00000000), ref: 001F6162
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 001F61CA
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 001F61D6
_abort.LIBCMT ref: 001F61DC

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: dce23d0743b4d3d06f464d52fd59768bc6a4da3f3ae9af91e731651e3a6e3a78
Instruction ID: e02037b531efa82e73fd6ab242cc4c2ae57a30829a6d57d360efea31d466b7f3
Opcode Fuzzy Hash: dce23d0743b4d3d06f464d52fd59768bc6a4da3f3ae9af91e731651e3a6e3a78
Instruction Fuzzy Hash: 31F0C236208B1AB7C32237757C0EB3F2B5A9FE1771B260124FF2996293FF6098025121

Uniqueness

Uniqueness Score: -1.00%

Function 001C7435, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 001C7441
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 001C74A8

Strings

Failed to get value as numeric for variable: %ls, xrefs: 001C7497
Failed to get value of variable: %ls, xrefs: 001C747B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-4270472870
Opcode ID: b5f1c77b66483140c726c3392ce198611cc56536090acd78754347e775d066b9
Instruction ID: de22685111ee6d98342dd33cf01802c17f708d1af3a2f7e191affc0a3a2cc060
Opcode Fuzzy Hash: b5f1c77b66483140c726c3392ce198611cc56536090acd78754347e775d066b9
Instruction Fuzzy Hash: 91017172954228FBCF266F54CC09F9E7F64AF24761F118169FC04A62A2C376DE609BD0

Uniqueness

Uniqueness Score: -1.00%

Function 001C75AA, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 001C75B6
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 001C761D

Strings

Failed to get value as version for variable: %ls, xrefs: 001C760C
Failed to get value of variable: %ls, xrefs: 001C75F0

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-1851729331
Opcode ID: 0d87b71d43f20a67385208b471ac083b1ec5205a0015dca826cf1da2ff61befe
Instruction ID: 355696ec3242856601b3f9ee10e3db58b2aaf19f613a5a755c90b881611c5086
Opcode Fuzzy Hash: 0d87b71d43f20a67385208b471ac083b1ec5205a0015dca826cf1da2ff61befe
Instruction Fuzzy Hash: 3B01B172904628FBCF225F84DC09F9E7B24EF20361F104128FC04AA2A2D376DE609BD4

Uniqueness

Uniqueness Score: -1.00%

Function 001C7539, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,001C9897,00000000,?,00000000,00000000,00000000,?,001C96D6,00000000,?,00000000,00000000), ref: 001C7545
LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,001C9897,00000000,?,00000000,00000000,00000000,?,001C96D6,00000000,?,00000000), ref: 001C759B

Strings

Failed to get value of variable: %ls, xrefs: 001C756B
Failed to copy value of variable: %ls, xrefs: 001C758A

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-2936390398
Opcode ID: b0482349e6d59d79b7e95bd118908e9e2ffaec3db5cdc10ca0f48d1258f21816
Instruction ID: 5ab913fe4b33903a7bfb58892cd1b6c89bf7833d5055d8431d2db1cc207c0b31
Opcode Fuzzy Hash: b0482349e6d59d79b7e95bd118908e9e2ffaec3db5cdc10ca0f48d1258f21816
Instruction Fuzzy Hash: F5F0A472954228FBCF125F94CC09E9E7F65EF25361F008114FD04A62A1C772DE61ABD0

Uniqueness

Uniqueness Score: -1.00%

Function 001EE776, Relevance: 6.0, APIs: 4, Instructions: 26timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 001EE788
GetCurrentThreadId.KERNEL32 ref: 001EE797
GetCurrentProcessId.KERNEL32 ref: 001EE7A0
QueryPerformanceCounter.KERNEL32(?), ref: 001EE7AD

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 894d5d161c58d00584191eb1b911f4ed8f5237ed9e20095a0e972381574f384e
Instruction ID: 8b5f453c8a30e7d13de03212faaf1a863444e1653bc3e74b289cf5b131975571
Opcode Fuzzy Hash: 894d5d161c58d00584191eb1b911f4ed8f5237ed9e20095a0e972381574f384e
Instruction Fuzzy Hash: FAF09D70C1020CEBCB11DBB4E98DA9EBBF8EF08301F614895A405E7111E734AB048B61

Uniqueness

Uniqueness Score: -1.00%

Function 00200C5D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 00200DD7

Strings

regutil.cpp, xrefs: 00200DC4

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Close
String ID: regutil.cpp
API String ID: 3535843008-955085611
Opcode ID: 834ae02d283f045f82cf50d085781faa5400b8088f6be78d84218b54bdf74f12
Instruction ID: 8bf48c1f63d77f9dbfbd8f0f553163f2a5d49a8286662664e47bdd1ce5bd526d
Opcode Fuzzy Hash: 834ae02d283f045f82cf50d085781faa5400b8088f6be78d84218b54bdf74f12
Instruction Fuzzy Hash: 6541C432D2132AEBFB318ED4C884BAE7765EB00710F158265F814AA1D2D7759D609BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0020479B, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 136registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00200F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0022AAA0,00000000,?,002057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00200F80

RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 002048FC

Strings

PendingFileRenameOperations, xrefs: 002047EC, 002048D4
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 002047AC

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-3023217399
Opcode ID: c6a6f609203b7b244b120e65fedf4abafa3f65c337207448002fc5292df9fc63
Instruction ID: f81fffe5e00ca3248fdd154f56a4d4d0d6ad8368f4558d1cbf0e055216ac1111
Opcode Fuzzy Hash: c6a6f609203b7b244b120e65fedf4abafa3f65c337207448002fc5292df9fc63
Instruction Fuzzy Hash: 594195B5E20355EFCB20EF94CC45AADB7B5EB44B10F15C469E600A7292D7319E60DB50

Uniqueness

Uniqueness Score: -1.00%

Function 002010B5, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0020112B
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00201163

Strings

regutil.cpp, xrefs: 002011A9

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: QueryValue
String ID: regutil.cpp
API String ID: 3660427363-955085611
Opcode ID: f19dba76b70eb462303cc56a0a95e8a170dc587b2a7dec77f6756d242e6481a3
Instruction ID: e4f0ccdc38be6cd0e609b8eacda66cd9e963d6b72bc1941fcdcd3f8d439357de
Opcode Fuzzy Hash: f19dba76b70eb462303cc56a0a95e8a170dc587b2a7dec77f6756d242e6481a3
Instruction Fuzzy Hash: 4E419232D1022BBBDB259F94CC41AAEFBB9EF14350F104169FA14A7192D7718E319B90

Uniqueness

Uniqueness Score: -1.00%

Function 001F66D0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0020B518,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 001F67A3
GetLastError.KERNEL32 ref: 001F67BF

Strings

comres.dll, xrefs: 001F674A, 001F6798, 001F67D4

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: comres.dll
API String ID: 203985260-246242247
Opcode ID: 6ed9adb3e6f814cf7c40005c1d04db122331b257036f933d18177e8830fadba7
Instruction ID: eb8915793d8ba9247723c24a65f5550a31155d6de05dddbdd84226d7e7eb92cd
Opcode Fuzzy Hash: 6ed9adb3e6f814cf7c40005c1d04db122331b257036f933d18177e8830fadba7
Instruction Fuzzy Hash: 3331393520025DABCB21BF55C885ABB7B68DF91724F140369FB248B191EB70CD01C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00208F7A, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00208E44: lstrlenW.KERNEL32(00000100,?,?,?,00209217,000002C0,00000100,00000100,00000100,?,?,?,001E7D87,?,?,000001BC), ref: 00208E69

RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,0020B500,wininet.dll,?), ref: 0020907A
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,0020B500,wininet.dll,?), ref: 00209087

Part of subcall function 00200F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0022AAA0,00000000,?,002057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00200F80

Part of subcall function 00200E4F: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,001E8E1B), ref: 00200EAA
Part of subcall function 00200E4F: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,001E8E1B,00000000), ref: 00200EC8

Strings

wininet.dll, xrefs: 00208FEF, 0020903C

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Close$EnumInfoOpenQuerylstrlen
String ID: wininet.dll
API String ID: 2680864210-3354682871
Opcode ID: a0372d43685e8e33ebec5147cdc709b905b518300c42323e1f210c4a6f0a749e
Instruction ID: 111be12b387880ed93cf981e597c78a5a64324edc1d3ab56e341de1ae20f459d
Opcode Fuzzy Hash: a0372d43685e8e33ebec5147cdc709b905b518300c42323e1f210c4a6f0a749e
Instruction Fuzzy Hash: 50310B32C1122ABFDF21AF94C9809AFBB7AEF04710F514179EA11761A3D7314EA19F90

Uniqueness

Uniqueness Score: -1.00%

Function 0020939E, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00208E44: lstrlenW.KERNEL32(00000100,?,?,?,00209217,000002C0,00000100,00000100,00000100,?,?,?,001E7D87,?,?,000001BC), ref: 00208E69

RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00209483
RegCloseKey.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0020949D

Part of subcall function 00200BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,001D061A,?,00000000,00020006), ref: 00200C0E

Part of subcall function 002014F4: RegSetValueExW.ADVAPI32(00020006,00210D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,001CF335,00000000,?,00020006), ref: 00201527

Part of subcall function 002014F4: RegDeleteValueW.ADVAPI32(00020006,00210D10,00000000,?,?,001CF335,00000000,?,00020006,?,00210D10,00020006,00000000,?,?,?), ref: 00201557

Part of subcall function 002014A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,001CF28D,00210D10,Resume,00000005,?,00000000,00000000,00000000), ref: 002014BB

Strings

%ls\%ls, xrefs: 002093FF

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Value$Close$CreateDeletelstrlen
String ID: %ls\%ls
API String ID: 3924016894-2125769799
Opcode ID: 44b37b62ec402149c74f15043ce740bda19331f7739954c040594c8fa9dcb8b8
Instruction ID: e413e495acbad0121472fc079c0943b09a65b590c5465e828daa1d57e13a518a
Opcode Fuzzy Hash: 44b37b62ec402149c74f15043ce740bda19331f7739954c040594c8fa9dcb8b8
Instruction Fuzzy Hash: 9D313972C1022EBFDF229FD4DC8189EFBB9EB04310B41416AF91566162D7328E61EF90

Uniqueness

Uniqueness Score: -1.00%

Function 001C3A4D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 001C3AB0

Strings

wininet.dll, xrefs: 001C3A6E
crypt32.dll, xrefs: 001C3A6D, 001C3AAC, 001C3AAE

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: _memcpy_s
String ID: crypt32.dll$wininet.dll
API String ID: 2001391462-82500532
Opcode ID: 0011009348c22b5e832ea82858c93897483b8e9d66932b506b87b8fd8fea0445
Instruction ID: ae8fc03fb2d2dfa07568b3c01dada7805709497a0593196f3f826ed7e829c78e
Opcode Fuzzy Hash: 0011009348c22b5e832ea82858c93897483b8e9d66932b506b87b8fd8fea0445
Instruction Fuzzy Hash: D0115171600219ABCB08DE19CD85E9FBF69EFA5354B14802AFC158B311D271EA20CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 002014F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00020006,00210D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,001CF335,00000000,?,00020006), ref: 00201527
RegDeleteValueW.ADVAPI32(00020006,00210D10,00000000,?,?,001CF335,00000000,?,00020006,?,00210D10,00020006,00000000,?,?,?), ref: 00201557

Strings

regutil.cpp, xrefs: 0020158B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Value$Delete
String ID: regutil.cpp
API String ID: 1738766685-955085611
Opcode ID: a57d5cce997798ac4e7de647f040c62c7648bd734a3574e6487b3bc4fba8429e
Instruction ID: 42ab41d447f1ae839acf46c47039de27137ddaf04a1b15991072954c4227b8bd
Opcode Fuzzy Hash: a57d5cce997798ac4e7de647f040c62c7648bd734a3574e6487b3bc4fba8429e
Instruction Fuzzy Hash: 3F11A336971337B7DB324E949C05BAA7E28AB44B60F550225BE02BE1D2E671CD3097E0

Uniqueness

Uniqueness Score: -1.00%

Function 001CDDB3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,001E7691,00000000,IGNOREDEPENDENCIES,00000000,?,0020B518), ref: 001CDE04

Strings

IGNOREDEPENDENCIES, xrefs: 001CDDBB
Failed to copy the property value., xrefs: 001CDE38

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CompareString
String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
API String ID: 1825529933-1412343224
Opcode ID: a2aa41b7b66c44957b41799e7fb512ec0f1406f86f554a4ebfa1b9a72b889cc0
Instruction ID: e9303a65f4f059b48154354f93b15d837196f73e999397ac271ac658e3ac31e8
Opcode Fuzzy Hash: a2aa41b7b66c44957b41799e7fb512ec0f1406f86f554a4ebfa1b9a72b889cc0
Instruction Fuzzy Hash: 8C11C632604215AFDB115F94EC84FAAB7A6AF64320F26417DFA199F2D1C770D850CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0020563F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,001D8E97,?,00000001,20000004,00000000,00000000,?,00000000), ref: 0020566E
SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,001D8E97,?), ref: 00205689

Strings

aclutil.cpp, xrefs: 002056AD

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: InfoNamedSecuritySleep
String ID: aclutil.cpp
API String ID: 2352087905-2159165307
Opcode ID: 07aa82a2288f27c739af76289b69c9e32e09a63de874ecf3c9b5b4a986d31aeb
Instruction ID: d50fbe60ef4f8d0f29c29563a0d5d1bfd3641814707ddc663b329934c7cff230
Opcode Fuzzy Hash: 07aa82a2288f27c739af76289b69c9e32e09a63de874ecf3c9b5b4a986d31aeb
Instruction Fuzzy Hash: BB017C33811639BBDF229E84DD09E9F7B79EB94750F060215BD0466261C6338D609ED0

Uniqueness

Uniqueness Score: -1.00%

Function 001C158C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(0000007F,00000000,00000000,001D70E8,00000000,001D70E8,00000000,00000000,001D70E8,00000000,00000000,00000000,?,001C2318,00000000,00000000), ref: 001C15D0
GetLastError.KERNEL32(?,001C2318,00000000,00000000,001D70E8,00000200,?,002052B2,00000000,001D70E8,00000000,001D70E8,00000000,00000000,00000000), ref: 001C15DA

Strings

strutil.cpp, xrefs: 001C15FE

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorLastString
String ID: strutil.cpp
API String ID: 3728238275-3612885251
Opcode ID: 01524a2234d08370bc75e06c89aed1d707a10e877ee7013ddf6cece82878c593
Instruction ID: 3ede5c82192dc83040f3e4a65a373f710ec06dbf3fb3c0de4b6c2c4c795c1cf4
Opcode Fuzzy Hash: 01524a2234d08370bc75e06c89aed1d707a10e877ee7013ddf6cece82878c593
Instruction Fuzzy Hash: 1C01B53398123677CB229E998C44F5B7A69EFA7B60B050218FE14AB252D770DC1087E0

Uniqueness

Uniqueness Score: -1.00%

Function 001D57BD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 001D57D9
CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 001D5833

Strings

Failed to initialize COM on cache thread., xrefs: 001D57E5

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to initialize COM on cache thread.
API String ID: 3442037557-3629645316
Opcode ID: 70b40175e8e463867d4bf479daff09bdecdfbdb021a189a9a6bef0c58b6cf908
Instruction ID: 84e2af335037b727351d05df8f59f6a20002db84557fc8fdaafa97dafde63739
Opcode Fuzzy Hash: 70b40175e8e463867d4bf479daff09bdecdfbdb021a189a9a6bef0c58b6cf908
Instruction Fuzzy Hash: 1501AD72200619BFC7059FA5E884EDAFBADFF08350B108166FA08C7221CB30AD50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00203929, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0020396E
SysFreeString.OLEAUT32(00000000), ref: 002039A1

Strings

xmlutil.cpp, xrefs: 0020393F, 00203985

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 1d8aae0f67adce85adcb0c30ce99e9ea08f57434a45def79e8ca94bc6940b3f5
Instruction ID: 05d277ed23c340bc4b6cf9cdd763368e255fb10c234f8686b0c6adbc0439cf67
Opcode Fuzzy Hash: 1d8aae0f67adce85adcb0c30ce99e9ea08f57434a45def79e8ca94bc6940b3f5
Instruction Fuzzy Hash: 3B018B3166532AABDB319A989C08F7A769CEF51B60F104569FD40AB382C6B0CE2096D1

Uniqueness

Uniqueness Score: -1.00%

Function 002039AF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 002039F4
SysFreeString.OLEAUT32(00000000), ref: 00203A27

Strings

xmlutil.cpp, xrefs: 002039C5, 00203A0B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 28f400be0819f4282c8c8e617aa75e48c22dd0b9aefbf45cee226d84512a7234
Instruction ID: 066f1ca7fb9da8e7456ce07225aba031a73704529443692d74e946c14f1a88e0
Opcode Fuzzy Hash: 28f400be0819f4282c8c8e617aa75e48c22dd0b9aefbf45cee226d84512a7234
Instruction Fuzzy Hash: 6E01DF3566431AB7D7318E99AC09F6B36DCEF55B60B200029B840A7382C6A4CE208290

Uniqueness

Uniqueness Score: -1.00%

Function 00203BF1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00200F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0022AAA0,00000000,?,002057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00200F80

RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00203A8E,?), ref: 00203C62

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00203C0C
EnableLUA, xrefs: 00203C34

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CloseOpen
String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 47109696-3551287084
Opcode ID: 1dfec58a16c1b1ab4cb60335ffab522751f6cd657269ccc06a9e72ca27a1dff7
Instruction ID: 9cfcbaf3e154dd8b4d5d61d1686be87ca5a72c43c8b47911b277f12ff8900472
Opcode Fuzzy Hash: 1dfec58a16c1b1ab4cb60335ffab522751f6cd657269ccc06a9e72ca27a1dff7
Instruction Fuzzy Hash: 9F017533920339FBE710DAA4D80A7ADF66CDB04721F204165A900F3092D3755E6096D0

Uniqueness

Uniqueness Score: -1.00%

Function 001C5123, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,001C1104,?,?,00000000), ref: 001C5142
CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,001C1104,?,?,00000000), ref: 001C5172

Strings

burn.clean.room, xrefs: 001C512F, 001C513C, 001C5169

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: 551d3f7a8a5b256e3dda432e573d2b381da62c258f6b1ca761d7c88360fa9597
Instruction ID: bb5c89381201ab80b159f0354f81d49f0249d104d95715bd8f5319a6a00e51cd
Opcode Fuzzy Hash: 551d3f7a8a5b256e3dda432e573d2b381da62c258f6b1ca761d7c88360fa9597
Instruction Fuzzy Hash: E00162729006247F87344B89AD8CF73BBBEEB25760B19511AF909C3A10D370EC81C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 002068B0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0020690F

Part of subcall function 00208713: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00208820
Part of subcall function 00208713: GetLastError.KERNEL32 ref: 0020882A

Strings

clbcatq.dll, xrefs: 002068DC
atomutil.cpp, xrefs: 002068FD

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Time$ErrorFileFreeLastStringSystem
String ID: atomutil.cpp$clbcatq.dll
API String ID: 211557998-3749116663
Opcode ID: 74932ff0fff95db8f1fd82b445c08466ae9a76d62f6186343e9199f91a21a296
Instruction ID: 2ccdc9cb55615900deaea4c5dbc750e6baebbf79fea410cd2a1c1530c084d699
Opcode Fuzzy Hash: 74932ff0fff95db8f1fd82b445c08466ae9a76d62f6186343e9199f91a21a296
Instruction Fuzzy Hash: 5A01A2B192132AFFCB209FC5D84986AFBA8EB14364B60817AF504AB552C3715E30D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 001C6522, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 001C6534

Part of subcall function 00200ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,001C5EB2,00000000), ref: 00200AE0
Part of subcall function 00200ACC: GetProcAddress.KERNEL32(00000000), ref: 00200AE7
Part of subcall function 00200ACC: GetLastError.KERNEL32(?,?,?,001C5EB2,00000000), ref: 00200AFE

Part of subcall function 001C5CE2: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 001C5D68

Strings

Failed to get 64-bit folder., xrefs: 001C6557
Failed to set variant value., xrefs: 001C6571

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
String ID: Failed to get 64-bit folder.$Failed to set variant value.
API String ID: 3109562764-2681622189
Opcode ID: 82878d4706bd277a7f8a48f49c2b44f7ccceecb1c14fc4f75ab4bcd5fa2490ad
Instruction ID: fa6ebeadd93ca6a1eec823ca520728332b88a109fa9f5154ef26a8fafec78412
Opcode Fuzzy Hash: 82878d4706bd277a7f8a48f49c2b44f7ccceecb1c14fc4f75ab4bcd5fa2490ad
Instruction Fuzzy Hash: EE018F32D11328BBCB22AB90CC06E9EBA38EF14760F204159F800A6086D7719F60DAD0

Uniqueness

Uniqueness Score: -1.00%

Function 001C33C7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,001C10DD,?,00000000), ref: 001C33E8
GetLastError.KERNEL32(?,?,?,?,001C10DD,?,00000000), ref: 001C33FF

Strings

pathutil.cpp, xrefs: 001C3423

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: pathutil.cpp
API String ID: 2776309574-741606033
Opcode ID: 41846be17e768689eb87f67307b4c330014031f103d3218d04d68f46b5c16170
Instruction ID: 5cc04ae548f9d84255d867364381d6cbc99a32a198cceea0fed7a243390336bb
Opcode Fuzzy Hash: 41846be17e768689eb87f67307b4c330014031f103d3218d04d68f46b5c16170
Instruction Fuzzy Hash: 65F0F673A4063167C73356966C49F8BFA58EB66B70B128129FD64FB251DB61DD0082F0

Uniqueness

Uniqueness Score: -1.00%

Function 001EE30F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 001EEBD2

Part of subcall function 001F1380: RaiseException.KERNEL32(?,?,?,001EEBF4,?,00000000,00000000,?,?,?,?,?,001EEBF4,?,00227EC8), ref: 001F13DF

__CxxThrowException@8.LIBVCRUNTIME ref: 001EEBEF

Strings

Unknown exception, xrefs: 001EEBFC

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 14574648e65703aed9cebf005196b9b089862827c1153103df43e2b146d0a526
Instruction ID: 3fa57f242e1c0872bb7c0ffc401cf788743abe2ac4dfaaed876523cc0c727760
Opcode Fuzzy Hash: 14574648e65703aed9cebf005196b9b089862827c1153103df43e2b146d0a526
Instruction Fuzzy Hash: 7AF0463580060CBBCF00BAE6EC46DAD37ECAE21320B604160FE25924C2EB31EA25C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 00204A05, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,00000000,00000000,74B5FB40,?,?,?,001CBA1D,?,?,?,00000000,00000000), ref: 00204A1D
GetLastError.KERNEL32(?,?,?,001CBA1D,?,?,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 00204A27

Strings

fileutil.cpp, xrefs: 00204A4B

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLastSize
String ID: fileutil.cpp
API String ID: 464720113-2967768451
Opcode ID: eeabdcfd7a0f106511cf5321e2f3d058edd6b16ab3002475cbdf9139f7a7d292
Instruction ID: 3bc078cf8a8e4f75b3ef8074ba92a2599a6b0353dd547b214c6a7acb5ff65af6
Opcode Fuzzy Hash: eeabdcfd7a0f106511cf5321e2f3d058edd6b16ab3002475cbdf9139f7a7d292
Instruction Fuzzy Hash: E8F0A4B3A50236BBD7209F85990995AFBACEF54720B01811AFE44A7341E770AD10C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 00203D80, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36comCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,001C5466,?,00000000,001C5466,?,?,?), ref: 00203DA7
CoCreateInstance.OLE32(00000000,00000000,00000001,0022716C,?), ref: 00203DBF

Strings

Microsoft.Update.AutoUpdate, xrefs: 00203DA2

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID: Microsoft.Update.AutoUpdate
API String ID: 2151042543-675569418
Opcode ID: 8751b536d72a0c107c7627379e6e7ed4d0d737dd31f50f3b8fa83a0e169e4bf6
Instruction ID: 96a40ee6bf47902c7e3386493726d12ede67ab60a802dec0a67a545e84f9aeb7
Opcode Fuzzy Hash: 8751b536d72a0c107c7627379e6e7ed4d0d737dd31f50f3b8fa83a0e169e4bf6
Instruction Fuzzy Hash: 08F05471711219BBD710DFE9ED09AEFB7BCDB09710F500065FA01E7151D671AE1487A2

Uniqueness

Uniqueness Score: -1.00%

Function 002031EB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00203200
SysFreeString.OLEAUT32(00000000), ref: 00203230

Strings

xmlutil.cpp, xrefs: 00203214

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 70e1b9532478484711da91855f217fa01c4c501e3d92b60cd91775c8632c0b97
Instruction ID: 614743a819fdc28fc417ae84f5df74274850ae9c20068f683b9aef305cad6309
Opcode Fuzzy Hash: 70e1b9532478484711da91855f217fa01c4c501e3d92b60cd91775c8632c0b97
Instruction Fuzzy Hash: 30F0E232112765EBC7328F84AC48F6BB7ACEF80B60F248029FC046B251C771CE2096E0

Uniqueness

Uniqueness Score: -1.00%

Function 00203498, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 002034AD
SysFreeString.OLEAUT32(00000000), ref: 002034DD

Strings

xmlutil.cpp, xrefs: 002034C4

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 15bbdddcdacf5712bb4135d0383deb55c9c5b6acac5ad15d900bdc1ce451b23e
Instruction ID: 78843d033208cc34d5c8470460e32a489610896c40d6984275f265e655adc214
Opcode Fuzzy Hash: 15bbdddcdacf5712bb4135d0383deb55c9c5b6acac5ad15d900bdc1ce451b23e
Instruction Fuzzy Hash: F3F0B435251315A7C7339F44AC08E5B77ECEB81B60F20411AFC045B251C771DE2096E0

Uniqueness

Uniqueness Score: -1.00%

Function 00200E07, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00200E28

Strings

AdvApi32.dll, xrefs: 00200E0D
RegDeleteKeyExW, xrefs: 00200E1D

Memory Dump Source

Source File: 00000003.00000002.470301002.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000003.00000002.470280962.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470490896.000000000020B000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.470536950.000000000022A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.470543956.000000000022D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c0000_MIOffice-1.jbxd

Similarity

API ID: AddressProc
String ID: AdvApi32.dll$RegDeleteKeyExW
API String ID: 190572456-850864035
Opcode ID: 6129aa670e13728879ae976cdd3df770d803c51b617eaa1f62c235238946833d
Instruction ID: 278c7703a2bff3ba9c6ac2b7e272f43b84a867db083e672f4e010bb639ad2990
Opcode Fuzzy Hash: 6129aa670e13728879ae976cdd3df770d803c51b617eaa1f62c235238946833d
Instruction Fuzzy Hash: C5E0C271511331BBD7338FE0FC0DB217F99A725B08F005224E514AA5B1C3B64861CF80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MIOffice-1.0.20310.2.exe PID: 2996 Parent PID: 2600 MIOffice-1.0.20310.2.exeCOMMON

Executed Functions

Function 00141070, Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 78fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001433C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,001410DD,?,00000000), ref: 001433E8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 001410F6

Part of subcall function 00141175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0014111A,cabinet.dll,00000009,?,?,00000000), ref: 00141186
Part of subcall function 00141175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0014111A,cabinet.dll,00000009,?,?,00000000), ref: 00141191
Part of subcall function 00141175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0014119F
Part of subcall function 00141175: GetLastError.KERNEL32(?,?,?,?,?,0014111A,cabinet.dll,00000009,?,?,00000000), ref: 001411BA
Part of subcall function 00141175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 001411C2
Part of subcall function 00141175: GetLastError.KERNEL32(?,?,?,?,?,0014111A,cabinet.dll,00000009,?,?,00000000), ref: 001411D7

CloseHandle.KERNEL32(?,?,?,?,0018B4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00141131

Strings

crypt32.dll, xrefs: 001410CA
comres.dll, xrefs: 001410B5
wininet.dll, xrefs: 001410AE
msasn1.dll, xrefs: 001410C3
clbcatq.dll, xrefs: 001410BC
msi.dll, xrefs: 001410A0
feclient.dll, xrefs: 001410D1
version.dll, xrefs: 001410A7
cabinet.dll, xrefs: 00141099, 00141114

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: 5e9d9917e640e20de65562eb2c3e5be8b6a0c12e92cd64c59dfd863310c4dbdc
Instruction ID: 67641909a542d8b8f6012e358c5194a7fb1dfdd219510a9e57c645e658107e87
Opcode Fuzzy Hash: 5e9d9917e640e20de65562eb2c3e5be8b6a0c12e92cd64c59dfd863310c4dbdc
Instruction Fuzzy Hash: 7A21307190021CABDB10AFA5DD86BDEBBB9EB09B10F504115FA11B72A2D7705A44CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0017FEC6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(001AB5FC,00000000,?,?,?,?,0015E93B,8000FFFF,Unexpected return value from message pump.), ref: 0017FEF4
GetCurrentProcessId.KERNEL32(00000000,?,0015E93B,8000FFFF,Unexpected return value from message pump.), ref: 0017FF04
GetCurrentThreadId.KERNEL32 ref: 0017FF0D
GetLocalTime.KERNEL32(8000FFFF,?,0015E93B,8000FFFF,Unexpected return value from message pump.), ref: 0017FF23
LeaveCriticalSection.KERNEL32(001AB5FC,0015E93B,?,00000000,0000FDE9,?,0015E93B,8000FFFF,Unexpected return value from message pump.), ref: 0018001A

Strings

%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 0017FFC0

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
API String ID: 296830338-59366893
Opcode ID: 4089f3233f4b954512c77b02ba3c7369840b4eb1f122ccc07bd6a197b30cffad
Instruction ID: bf58c1c01a5c381eb9669f91b3afc5b025c25140077f49817e31562a82de5906
Opcode Fuzzy Hash: 4089f3233f4b954512c77b02ba3c7369840b4eb1f122ccc07bd6a197b30cffad
Instruction Fuzzy Hash: 8D41B232D01219ABCF21DFA4DC44ABFB7B8EB09B51F144029F904E7151DB348E81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0015A0BB, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

Failed to copy working folder., xrefs: 0015A116
Failed to calculate working folder to ensure it exists., xrefs: 0015A0D8
Failed create working folder., xrefs: 0015A0EE

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-2072961686
Opcode ID: bc463b5278c0c1de81cac394b6299a5885c5ac580420a284c0c4a8659b0cfb46
Instruction ID: 89e6774313fdb2ab60c0ad85df9f40eac5e38fa0f0da586e320b1477134640df
Opcode Fuzzy Hash: bc463b5278c0c1de81cac394b6299a5885c5ac580420a284c0c4a8659b0cfb46
Instruction Fuzzy Hash: 7E012432941928FB8F226B55CC06C9EBB79DF94B21B500351FC107E220DB319F00E691

Uniqueness

Uniqueness Score: -1.00%

Function 0016E9DC, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0002E9E8,0016E131), ref: 0016E9E1

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0c2a0b6f8e9bb99f65e84d965ed5a5313cae2f07b1e90ce2df80673d0e090c26
Instruction ID: 43eb00e65f0d07f0c07516440c367ba9b593368f85aec7a1aaec891986953ea2
Opcode Fuzzy Hash: 0c2a0b6f8e9bb99f65e84d965ed5a5313cae2f07b1e90ce2df80673d0e090c26
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0014DF33, Relevance: 124.9, APIs: 11, Strings: 60, Instructions: 646COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 0014E058
SysFreeString.OLEAUT32(00000000), ref: 0014E736

Part of subcall function 0014394F: GetProcessHeap.KERNEL32(?,?,?,00142274,?,00000001,7743A770,8000FFFF,?,?,00180267,?,?,00000000,00000000,8000FFFF), ref: 00143960
Part of subcall function 0014394F: RtlAllocateHeap.NTDLL(00000000,?,00142274,?,00000001,7743A770,8000FFFF,?,?,00180267,?,?,00000000,00000000,8000FFFF), ref: 00143967

Strings

Failed to get next node., xrefs: 0014E708
Failed to get @Size., xrefs: 0014E6D4
Failed to select rollback boundary nodes., xrefs: 0014DF69
yes, xrefs: 0014E187
Failed to get @RollbackLogPathVariable., xrefs: 0014E4EF
Failed to allocate memory for package structs., xrefs: 0014E0EF
Failed to parse MSP package., xrefs: 0014E531
Failed to allocate memory for MSP patch sequence information., xrefs: 0014E4DB
clbcatq.dll, xrefs: 0014E219
feclient.dll, xrefs: 0014E298
Failed to get @RollbackBoundaryForward., xrefs: 0014E510
always, xrefs: 0014E1A7
Failed to get @InstallSize., xrefs: 0014E6CD
Failed to parse dependency providers., xrefs: 0014E6AA
RollbackLogPathVariable, xrefs: 0014E299
Permanent, xrefs: 0014E235
msi.dll, xrefs: 0014E1C8
ExePackage, xrefs: 0014E357
cabinet.dll, xrefs: 0014E1FE
Vital, xrefs: 0014E027, 0014E25B
InstallSize, xrefs: 0014E1FF
Failed to select package nodes., xrefs: 0014E094
Failed to parse MSU package., xrefs: 0014E53B
Failed to get @Id., xrefs: 0014E701
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage, xrefs: 0014E081
Size, xrefs: 0014E1E4
LogPathVariable, xrefs: 0014E276
Failed to get @Cache., xrefs: 0014E6FA
Failed to get package node count., xrefs: 0014E0B1
Failed to parse EXE package., xrefs: 0014E389
wininet.dll, xrefs: 0014E25A
Failed to get rollback bundary node count., xrefs: 0014DF8E
Invalid cache type: %ls, xrefs: 0014E6EA
Failed to get @CacheId., xrefs: 0014E6DB
MsiPackage, xrefs: 0014E395
crypt32.dll, xrefs: 0014E2BB
Failed to get @LogPathVariable., xrefs: 0014E4E5
Failed to find forward transaction boundary: %ls, xrefs: 0014E506
Failed to allocate memory for patch sequence information to package lookup., xrefs: 0014E570
CacheId, xrefs: 0014E1C9
PerMachine, xrefs: 0014E21A
Failed to get @PerMachine., xrefs: 0014E6C6
Failed to get @RollbackBoundaryBackward., xrefs: 0014E527
MsuPackage, xrefs: 0014E406
Failed to get @InstallCondition., xrefs: 0014E4F9
InstallCondition, xrefs: 0014E2BC
Failed to parse MSI package., xrefs: 0014E3C1
package.cpp, xrefs: 0014DFBE, 0014E0E3, 0014E4CF, 0014E564
Failed to parse payload references., xrefs: 0014E6B1
Cache, xrefs: 0014E14B
Failed to get @Permanent., xrefs: 0014E6BF
RollbackBoundary, xrefs: 0014DF56
RollbackBoundaryBackward, xrefs: 0014E319
Failed to get @Vital., xrefs: 0014E6B8
comres.dll, xrefs: 0014E234
RollbackBoundaryForward, xrefs: 0014E2DF
Failed to allocate memory for rollback boundary structs., xrefs: 0014DFCA
MspPackage, xrefs: 0014E3CD
Failed to parse target product codes., xrefs: 0014E69B
Failed to find backward transaction boundary: %ls, xrefs: 0014E51D

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$always$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$package.cpp$wininet.dll$yes
API String ID: 336948655-2612374807
Opcode ID: 96688bdd67a5f4b16cb83db9903051bd4eb9b6d217d74f67bf5247cb73e89aec
Instruction ID: 50ada139adb27b3c9273e989fe35e2695b593a167cf41d11fb8ae9e21b3a8244
Opcode Fuzzy Hash: 96688bdd67a5f4b16cb83db9903051bd4eb9b6d217d74f67bf5247cb73e89aec
Instruction Fuzzy Hash: DD329131D44226AFDF269B94CC41FAEB7F5BF14720F164265F921BB2A1D770AE108B90

Uniqueness

Uniqueness Score: -1.00%

Function 0014F9E3, Relevance: 112.4, APIs: 3, Strings: 61, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Comments, xrefs: 0014FCA9
Registration, xrefs: 0014F9FD
Failed to get @DisplayName., xrefs: 0014FB95
HelpLink, xrefs: 0014FBED
ProductFamily, xrefs: 0014FE9C
Failed to get @Department., xrefs: 0014FE8E
yes, xrefs: 0014FD36
DisplayName, xrefs: 0014FB7E
Classification, xrefs: 0014FEE2
Failed to get @Classification., xrefs: 0014FEF5
Failed to get @Manufacturer., xrefs: 0014FE66
Version, xrefs: 0014FA91
Failed to get @ParentDisplayName., xrefs: 0014FC98
Publisher, xrefs: 0014FBC8
Failed to get @ExecutableName., xrefs: 0014FB07
Failed to set registration paths., xrefs: 0014FF08
Failed to get @HelpTelephone., xrefs: 0014FC29
Contact, xrefs: 0014FCD1
DisableRemove, xrefs: 0014FDC9
Failed to select ARP node., xrefs: 0014FB4F
Failed to get @UpdateUrl., xrefs: 0014FC73
Failed to get @Version., xrefs: 0014FAA4
Manufacturer, xrefs: 0014FE53
Register, xrefs: 0014FB5D
Invalid modify disabled type: %ls, xrefs: 0014FD94
Tag, xrefs: 0014FA57
registration.cpp, xrefs: 0014FD87
Failed to get @DisableRemove., xrefs: 0014FDE0
Failed to get @Id., xrefs: 0014FA49
AboutUrl, xrefs: 0014FC37
Failed to get @ProductFamily., xrefs: 0014FEB3
Failed to select registration node., xrefs: 0014FA1C
Failed to get @Comments., xrefs: 0014FCC0
Failed to get @Contact., xrefs: 0014FCE8
Failed to get @Name., xrefs: 0014FED4
Failed to get @Tag., xrefs: 0014FA6A
ExecutableName, xrefs: 0014FAF4
Update, xrefs: 0014FE1E
Arp, xrefs: 0014FB33
Department, xrefs: 0014FE77
ParentDisplayName, xrefs: 0014FC81
Failed to get @HelpLink., xrefs: 0014FC04
Failed to get @ProviderKey., xrefs: 0014FAE6
Failed to parse @Version: %ls, xrefs: 0014FAC5
Failed to get @Publisher., xrefs: 0014FBDF
PerMachine, xrefs: 0014FB12
ProviderKey, xrefs: 0014FAD3
Failed to get @PerMachine., xrefs: 0014FB25
DisableModify, xrefs: 0014FCF6
UpdateUrl, xrefs: 0014FC5C
Failed to get @DisableModify., xrefs: 0014FDB8
Failed to parse software tag., xrefs: 0014FE10
Failed to get @AboutUrl., xrefs: 0014FC4E
Name, xrefs: 0014FEC1
HelpTelephone, xrefs: 0014FC12
button, xrefs: 0014FD15
Failed to parse related bundles, xrefs: 0014FA83
DisplayVersion, xrefs: 0014FBA3
Failed to get @DisplayVersion., xrefs: 0014FBBA
Failed to get @Register., xrefs: 0014FB70
Failed to select Update node., xrefs: 0014FE3C

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
API String ID: 760788290-2956246334
Opcode ID: bf518723e4ac970e6e13331aedadd64d7226bf90eb4653bd04bc3370ce107dbf
Instruction ID: 2ce61c61ebbb36f7666f02f857e4da1bbc240f533bcb3403227fcfd9a8d08f13
Opcode Fuzzy Hash: bf518723e4ac970e6e13331aedadd64d7226bf90eb4653bd04bc3370ce107dbf
Instruction Fuzzy Hash: EFE1EA32E44666BFCF22A6A0CC42EADB6A4BB15B10F160239FD11F73B1C7615E5597C0

Uniqueness

Uniqueness Score: -1.00%

Function 0014B48B, Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 578
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,77E49EB0,00000000), ref: 0014B502
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B550
GetLastError.KERNEL32(?,?,?,00000000,77E49EB0,00000000), ref: 0014B556
ReadFile.KERNELBASE(00000000,00144461,00000040,?,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B59E
GetLastError.KERNEL32(?,?,?,00000000,77E49EB0,00000000), ref: 0014B5A4
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B601
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B607
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B650
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B656
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B6C7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B6CD
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B716
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B71C
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B765
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B76B
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B7B7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B7BD

Part of subcall function 0014394F: GetProcessHeap.KERNEL32(?,?,?,00142274,?,00000001,7743A770,8000FFFF,?,?,00180267,?,?,00000000,00000000,8000FFFF), ref: 00143960
Part of subcall function 0014394F: RtlAllocateHeap.NTDLL(00000000,?,00142274,?,00000001,7743A770,8000FFFF,?,?,00180267,?,?,00000000,00000000,8000FFFF), ref: 00143967

ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B810
ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B872
SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B8FC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 0014B906

Strings

Failed to find valid NT image header in buffer., xrefs: 0014BBD0
Failed to find Burn section., xrefs: 0014BB32
Failed to read signature offset., xrefs: 0014B747
4, xrefs: 0014B884
PE, xrefs: 0014B698
Failed to seek to section info., xrefs: 0014B6F8, 0014B934
Failed to get total size of bundle., xrefs: 0014BA23
burn, xrefs: 0014B838
Failed to open handle to engine process path., xrefs: 0014B52D
Failed to read complete section info., xrefs: 0014B9C5
Failed to find valid DOS image header in buffer., xrefs: 0014BBEB
Failed to read DOS header., xrefs: 0014B5CF
Failed to allocate buffer for section info., xrefs: 0014B8E4
Failed to seek to start of file., xrefs: 0014B581
Failed to read complete image section header, index: %u, xrefs: 0014BB75
.wix, xrefs: 0014B830
section.cpp, xrefs: 0014B523, 0014B577, 0014B5C5, 0014B628, 0014B677, 0014B6EE, 0014B73D, 0014B78C, 0014B7E1, 0014B898, 0014B8D8, 0014B92A, 0014B98F, 0014B9B9, 0014B9E0, 0014BAC7, 0014BB07, 0014BB26, 0014BB63, 0014BBA1, 0014BBC4, 0014BBDF
Failed to read NT header., xrefs: 0014B681
Failed to read section info., xrefs: 0014B999
Failed to seek past optional headers., xrefs: 0014B7EB
Failed to read section info, unsupported version: %08x, xrefs: 0014B9F5
Failed to seek to NT header., xrefs: 0014B632
(, xrefs: 0014B81D
Failed to allocate memory for container sizes., xrefs: 0014BAD3
PE Header from file didn't match PE Header in memory., xrefs: 0014BB11
Failed to read image section header, index: %u, xrefs: 0014BBAC
Failed to read signature size., xrefs: 0014B796
Failed to read section info, data to short: %u, xrefs: 0014B8AA

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
API String ID: 3411815225-695169583
Opcode ID: a48163909fd25d25349af4c68cb9101eb5a231c140012ca6543fc2ba6750c60a
Instruction ID: 23eeadf074f8758427a832345f83d46f9e7a0db0327a1d354bc04376a2aefa8f
Opcode Fuzzy Hash: a48163909fd25d25349af4c68cb9101eb5a231c140012ca6543fc2ba6750c60a
Instruction Fuzzy Hash: 0512D676A45236ABDB309B54CC85FAABAA4EF04710F1142A5FD14BB2A1D771DE40CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 00160D16, Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 306
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,?,001608BC,?,?), ref: 00160D25
GetLastError.KERNEL32(?,?,?,?,001608BC,?,?), ref: 00160D2F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,001608BC,?,?), ref: 00160D74
GetLastError.KERNEL32(?,?,?,?,001608BC,?,?), ref: 00160D7F
ResetEvent.KERNEL32(?,?,?,?,?,001608BC,?,?), ref: 00160DB7
GetLastError.KERNEL32(?,?,?,?,001608BC,?,?), ref: 00160DC1

Strings

cabextract.cpp, xrefs: 00160D53, 00160DA3, 00160DE5, 00160E11, 00160E94, 00160EDC, 00160F21, 00160F89, 00160FF4, 00161045, 0016108A, 001610CE
Failed to set operation complete event., xrefs: 00160D5D, 00160E9E
Failed to reset begin operation event., xrefs: 00160DEF, 00160F2B
Failed to set file pointer to end of file., xrefs: 0016104F
Invalid operation for this state., xrefs: 00160E1D
Failed to wait for begin operation event., xrefs: 00160DAD, 00160EE6
Failed to copy stream name: %ls, xrefs: 00160E50
Failed to allocate buffer for stream., xrefs: 00160F93
Failed to set end of file., xrefs: 00161094
Failed to create file: %ls, xrefs: 00161001
Failed to set file pointer to beginning of file., xrefs: 001610D8

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$Event$ObjectResetSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 1865021742-2104912459
Opcode ID: 6c977540fb737e3fe882c21f4cae892339021b2756fcd76bf9f741bf05f361ef
Instruction ID: 2de3d2e46091c0cb9b91ab3de18339c9fbc37953676394741d17f31d8b8ffa9a
Opcode Fuzzy Hash: 6c977540fb737e3fe882c21f4cae892339021b2756fcd76bf9f741bf05f361ef
Instruction Fuzzy Hash: A5913637A85633B7DF3216E54D49B6B7950BF08B20F564321BE20BE6D0D761EC6086D1

Uniqueness

Uniqueness Score: -1.00%

Function 0014A416, Relevance: 44.0, APIs: 8, Strings: 17, Instructions: 299
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0014A45A
_MREFOpen@16.MSPDB140-MSVCRT ref: 0014A480
RegCloseKey.KERNELBASE(00000000,?,00000000,?,?,?,?,?), ref: 0014A768

Strings

Failed to format key string., xrefs: 0014A465
Failed to read registry value., xrefs: 0014A6F6
Failed to get expand environment string., xrefs: 0014A6DD
Failed to clear variable., xrefs: 0014A4D8
Failed to query registry key value size., xrefs: 0014A554
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0014A51C
Failed to allocate memory registry value., xrefs: 0014A587
Failed to set variable., xrefs: 0014A72B
Failed to change value type., xrefs: 0014A70F
search.cpp, xrefs: 0014A54A, 0014A57D, 0014A5D0, 0014A6D3
Failed to allocate string buffer., xrefs: 0014A667
Registry key not found. Key = '%ls', xrefs: 0014A4B4
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 0014A740
Unsupported registry key value type. Type = '%u', xrefs: 0014A608
Failed to open registry key., xrefs: 0014A4ED
Failed to format value string., xrefs: 0014A48B
Failed to query registry key value., xrefs: 0014A5DA

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: Open@16$Close
String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
API String ID: 2348241696-3124384294
Opcode ID: 8b1dc59fa1adf3bf2b899921bebdc00babced63ca35c00881a4ec3a5d57f30bc
Instruction ID: 27a81ffa8d861cddf75242ebcaa83bcdd9563b216b176f2b0c35d1fdd2177600
Opcode Fuzzy Hash: 8b1dc59fa1adf3bf2b899921bebdc00babced63ca35c00881a4ec3a5d57f30bc
Instruction Fuzzy Hash: 26A1C872D80129BBDF22ABE4CC45EEEBB78AF18710F578111F914BA170D7719E109B92

Uniqueness

Uniqueness Score: -1.00%

Function 00145770, Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 479
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000000,00000000,?,0014A8B4,00000100,000002C0,000002C0,00000100), ref: 00145795
lstrlenW.KERNEL32(000002C0,?,0014A8B4,00000100,000002C0,000002C0,00000100), ref: 0014579F
_wcschr.LIBVCRUNTIME ref: 001459A7
LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,0014A8B4,00000100,000002C0,000002C0,00000100), ref: 00145C4A

Strings

Failed to allocate string., xrefs: 00145BC1
Failed to allocate buffer for format string., xrefs: 001457BD
Failed to determine variable visibility: '%ls'., xrefs: 00145A3A
Failed to get formatted length., xrefs: 00145B92
*****, xrefs: 00145913
Failed to set record string., xrefs: 00145B60
variable.cpp, xrefs: 001459FE, 00145A1F, 00145A78, 00145ACA, 00145B56, 00145B88, 00145C04
Failed to allocate variable array., xrefs: 00145A85
[%d], xrefs: 00145962
Failed to get variable name., xrefs: 00145A8C
Failed to format record., xrefs: 00145C0E
Failed to format placeholder string., xrefs: 00145A57
Failed to reallocate variable array., xrefs: 00145A2C
Failed to set variable value., xrefs: 00145A61
Failed to copy string., xrefs: 00145C2E
Failed to set record format string., xrefs: 00145AD4
Failed to append placeholder., xrefs: 00145A4D
Failed to append string., xrefs: 0014581B
Failed to allocate record., xrefs: 00145A0B

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
API String ID: 1026845265-2050445661
Opcode ID: 639ee0cfd50e5ba53da84f2b65ef7477a104b7fdaf97dfc9141f7b2e7140eb93
Instruction ID: 2b7d1a32b4ac83999896d5f51352d999350ae6d0b2a61ebce41f2ca493a648f2
Opcode Fuzzy Hash: 639ee0cfd50e5ba53da84f2b65ef7477a104b7fdaf97dfc9141f7b2e7140eb93
Instruction Fuzzy Hash: 38F1977190171AEBCB11DFA48881EAF7BBAEB04B60F154129FD14AB162D7749E41CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 00145195, Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00145217

Part of subcall function 001804F8: InitializeCriticalSection.KERNEL32(001AB5FC,?,00145223,00000000,?,?,?,?,?,?), ref: 0018050F

Part of subcall function 0014120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,0014523F,00000000,?), ref: 00141248
Part of subcall function 0014120A: GetLastError.KERNEL32(?,?,?,0014523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00141252

CoInitializeEx.OLE32(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00145285

Part of subcall function 00180E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00180E28

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00145317
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00145321
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0014558E

Strings

Invalid run mode., xrefs: 001453F9
Failed to run embedded mode., xrefs: 00145444
Failed to run untrusted mode., xrefs: 001454B6
Failed to initialize engine state., xrefs: 0014526C
Failed to initialize Cryputil., xrefs: 001452A6
Failed to run per-user mode., xrefs: 00145494
Failed to initialize core., xrefs: 001453C3
Failed to run per-machine mode., xrefs: 0014546C
3.11.1.2318, xrefs: 00145384
Failed to initialize Wiutil., xrefs: 001452E1
Failed to initialize Regutil., xrefs: 001452C9
Failed to run RunOnce mode., xrefs: 0014541C
Failed to initialize COM., xrefs: 00145291
Failed to parse command line., xrefs: 00145245
Failed to get OS info., xrefs: 0014534F
engine.cpp, xrefs: 00145345
Failed to initialize XML util., xrefs: 001452F9

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$engine.cpp
API String ID: 3262001429-510904028
Opcode ID: d874be6ec986a9ea9f073f317298d4deb5c20fd2dc4f9c7c50aa67b09d6880cf
Instruction ID: 6262b21f16925457d45635409232715176de1c988aba48fb0b06763bcd25cf84
Opcode Fuzzy Hash: d874be6ec986a9ea9f073f317298d4deb5c20fd2dc4f9c7c50aa67b09d6880cf
Instruction Fuzzy Hash: ADB1A671D40A299BDB32AF64CC86BED76B6AF14710F050195F908BB262DB709F84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0015752A, Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WixBundleElevated, xrefs: 001576A5, 001576B6
Failed to open attached UX container., xrefs: 0015758E
WixBundleOriginalSource, xrefs: 00157759
Failed to get unique temporary folder for bootstrapper application., xrefs: 001577CE
Failed to extract bootstrapper application payloads., xrefs: 001577EF
WixBundleSourceProcessPath, xrefs: 001576F8
Failed to set original source variable., xrefs: 0015776A
WixBundleUILevel, xrefs: 001576D6, 001576E7
Failed to get source process folder from path., xrefs: 00157725
Failed to get manifest stream from container., xrefs: 001575CC
Failed to set source process folder variable., xrefs: 00157745
WixBundleSourceProcessFolder, xrefs: 00157734
Failed to overwrite the %ls built-in variable., xrefs: 001576BB
Failed to initialize internal cache functionality., xrefs: 0015779F
Failed to initialize variables., xrefs: 00157571
Failed to load catalog files., xrefs: 0015780F
Failed to parse command line., xrefs: 00157667
Failed to open manifest stream., xrefs: 001575AB
Failed to set source process path variable., xrefs: 00157709
Failed to load manifest., xrefs: 001575E8

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
API String ID: 32694325-1564579409
Opcode ID: be8371b4c1a8efee4bf7a670cc2433919154cb67817e01b7d4fa3d01cad5ce72
Instruction ID: 8514508d5af82ea269ffb77f12f3a146e3f3f1f4ab2dc3a135cd7dfb49d42f45
Opcode Fuzzy Hash: be8371b4c1a8efee4bf7a670cc2433919154cb67817e01b7d4fa3d01cad5ce72
Instruction Fuzzy Hash: 40A1B872E44615FBDB169AA4EC46EEEB76CBB14701F010125F925FB191E770EA08CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0014762C, Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(0015756B,001453BD,00000000,00145445), ref: 0014764C

Strings

WixBundleElevated, xrefs: 00147E46
WixBundleProviderKey, xrefs: 00147E7E
WixBundleTag, xrefs: 00147EAE
WixBundleSourceProcessPath, xrefs: 00147E8E
LogonUser, xrefs: 00147882
Date, xrefs: 00147770
InstallerName, xrefs: 00147812
$, xrefs: 00147D49
WixBundleExecutePackageCacheFolder, xrefs: 00147D98
WixBundleForcedRestartPackage, xrefs: 00147E14
WixBundleUILevel, xrefs: 00147EBE
InstallerVersion, xrefs: 00147833
WixBundleVersion, xrefs: 00147ECE
WixBundleInstalled, xrefs: 00147E2A
WixBundleAction, xrefs: 00147D76
WixBundleExecutePackageAction, xrefs: 00147DF8
WixBundleSourceProcessFolder, xrefs: 00147E9E
#, xrefs: 001476CB
WixBundleActiveParent, xrefs: 00147E62
', xrefs: 001478EB
0, xrefs: 00147663
Failed to add built-in variable: %ls., xrefs: 00147F19

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
API String ID: 32694325-3635313340
Opcode ID: 9055b3f14b0a7c6a4f297af984a512524ec47c1baa17ae51a09e7e8762a004ae
Instruction ID: 8f58c16bc9350be3e034d8b9bb612df03918015441c4d180fc6f62ad1b5d5813
Opcode Fuzzy Hash: 9055b3f14b0a7c6a4f297af984a512524ec47c1baa17ae51a09e7e8762a004ae
Instruction Fuzzy Hash: 2F325BB0D116299BDB65DF5ADA887CDFBB5BB49304F5081EED20CB6211C7B00B888F95

Uniqueness

Uniqueness Score: -1.00%

Function 001582BA, Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00145489), ref: 00158310

Part of subcall function 00180879: OpenProcessToken.ADVAPI32(?,00000008,?,001453BD,00000000,?,?,?,?,?,?,?,0015769D,00000000), ref: 00180897
Part of subcall function 00180879: GetLastError.KERNEL32(?,?,?,?,?,?,?,0015769D,00000000), ref: 001808A1
Part of subcall function 00180879: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0015769D,00000000), ref: 0018092B

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00158336
GetLastError.KERNEL32 ref: 00158340
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 001583BD
GetLastError.KERNEL32 ref: 001583C7
UuidCreate.RPCRT4(?), ref: 00158406

Strings

Failed to copy working folder path., xrefs: 0015848B
Temp\, xrefs: 00158395
%ls%ls\, xrefs: 00158458
Failed to get temp path for working folder., xrefs: 001583F5
Failed to convert working folder guid into string., xrefs: 00158446
Failed to concat Temp directory on windows path for working folder., xrefs: 001583AD
Failed to append bundle id on to temp path for working folder., xrefs: 00158470
cache.cpp, xrefs: 00158364, 001583EB, 0015843C
Failed to ensure windows path for working folder ended in backslash., xrefs: 0015838B
Failed to create working folder guid., xrefs: 00158413
Failed to get windows path for working folder., xrefs: 0015836E

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$Process$ChangeCloseCreateCurrentDirectoryFindNotificationOpenPathTempTokenUuidWindows
String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 2898636500-819636856
Opcode ID: aff301b57cea3e803cda76d120fb57a851f6440860aa336675d80a387dde7561
Instruction ID: e32736e4a98a81170e65c38ceff93471a2222ea4fef73c908efaaea2f7c2c2b8
Opcode Fuzzy Hash: aff301b57cea3e803cda76d120fb57a851f6440860aa336675d80a387dde7561
Instruction Fuzzy Hash: DB41F672A45326F7DB30A6A48C4AFAA73A8AB14B11F114165BE14FF140EB74DE4886E1

Uniqueness

Uniqueness Score: -1.00%

Function 001610FB, Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 0016111D
CoUninitialize.OLE32 ref: 00161398

Strings

cabextract.cpp, xrefs: 00161193, 001612BA, 00161307, 00161346, 00161372
Failed to set operation complete event., xrefs: 001612C4
Failed to reset begin operation event., xrefs: 00161350
Invalid operation for this state., xrefs: 0016137C
Failed to wait for begin operation event., xrefs: 00161311
Failed to initialize COM., xrefs: 00161129
Failed to initialize cabinet.dll., xrefs: 0016119F
<the>.cab, xrefs: 001611BD
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 00161279

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: 01dec410d5b84e585c074683b6bec5d25f299e26d730e5d181dbfe76bf1e5a42
Instruction ID: c68a9c08e43e0ca25d36d8671aedd4d5dc72702127852d906dfb45d5550fa89e
Opcode Fuzzy Hash: 01dec410d5b84e585c074683b6bec5d25f299e26d730e5d181dbfe76bf1e5a42
Instruction Fuzzy Hash: 7F514836A84262F7CF2057948C55ABB7664AB05770B3B4329BD12FB390D7258D20C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 00163AAD, Relevance: 28.6, APIs: 1, Strings: 15, Instructions: 571
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UX aborted detect., xrefs: 0016418A
msiengine.cpp, xrefs: 00163C34, 00163D38, 00164169, 00164180
msasn1.dll, xrefs: 00163C15, 00163D1F, 00163FEF, 0016412A
UX aborted detect compatible MSI package., xrefs: 00163D42
Failed to query feature state., xrefs: 00164157
Failed to get version for product in user unmanaged context: %ls, xrefs: 001640CE
UX aborted detect related MSI package., xrefs: 00163C3E
Failed to copy the installed ProductCode to the package., xrefs: 00163D62
Failed to get version for product in machine context: %ls, xrefs: 001640F0
Language, xrefs: 00163EFC
Failed to enum related products., xrefs: 001640FA
Failed to get product information for ProductCode: %ls, xrefs: 00163C5E
Invalid state value., xrefs: 00164173
VersionString, xrefs: 00163B08, 00163C93, 00163DEE, 00163E25
Failed to convert version: %ls to DWORD64 for ProductCode: %ls, xrefs: 00163B4D

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: lstrlen
String ID: Failed to convert version: %ls to DWORD64 for ProductCode: %ls$Failed to copy the installed ProductCode to the package.$Failed to enum related products.$Failed to get product information for ProductCode: %ls$Failed to get version for product in machine context: %ls$Failed to get version for product in user unmanaged context: %ls$Failed to query feature state.$Invalid state value.$Language$UX aborted detect compatible MSI package.$UX aborted detect related MSI package.$UX aborted detect.$VersionString$msasn1.dll$msiengine.cpp
API String ID: 1659193697-2574767977
Opcode ID: fe253b63022b2a1eb1dde1832c8017e19bf76823309af2fb99ca8b9b3913bf46
Instruction ID: 7fe4145db733e6e593c69f93343e074eed1240b1914fd027ee66fd196d8ce426
Opcode Fuzzy Hash: fe253b63022b2a1eb1dde1832c8017e19bf76823309af2fb99ca8b9b3913bf46
Instruction Fuzzy Hash: 46228C71900224EFDF25DF94CC85EAEBBB9BF44700F144169F919AB256D731AAA0CF60

Uniqueness

Uniqueness Score: -1.00%

Function 001442D7, Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00145266,?,?,00000000,?,?), ref: 00144303
InitializeCriticalSection.KERNEL32(000000D0,?,?,00145266,?,?,00000000,?,?), ref: 0014430C
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00145266,?,?,00000000,?,?), ref: 00144352
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00145266,?,?,00000000,?,?), ref: 0014435C
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00145266,?,?,00000000,?,?), ref: 00144370
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00145266,?,?,00000000,?,?), ref: 00144380
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00145266,?,?,00000000,?,?), ref: 001443D0
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00145266,?,?,00000000,?,?), ref: 001443DA
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00145266,?,?,00000000,?,?), ref: 001443EE
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00145266,?,?,00000000,?,?), ref: 001443FE

Strings

burn.filehandle.self, xrefs: 001443CB, 001443D3, 001443D8, 001443D9, 001443F9, 001444CB
burn.filehandle.attached, xrefs: 0014434D, 00144355, 0014435A, 0014435B, 0014437B, 0014449F
Failed to parse file handle: '%ls', xrefs: 00144482
Failed to initialize engine section., xrefs: 00144467
engine.cpp, xrefs: 00144495, 001444C1
Missing required parameter for switch: %ls, xrefs: 001444A4

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3039292287-3209860532
Opcode ID: 3334b92204f87765745beb83ce2de3eba3b5552b4ba9950909345b1c6fe557e2
Instruction ID: b70d2aa325641e6c9c88785d8188a60ff71227ab0616daec28b3c6fc5439ba1f
Opcode Fuzzy Hash: 3334b92204f87765745beb83ce2de3eba3b5552b4ba9950909345b1c6fe557e2
Instruction Fuzzy Hash: 1851A371A44216BFC724EF68DCC6F9A776CFF15760F040115F615AB2A0D770AA50CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0015E7B4, Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 137registryCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 0015E7FF
RegisterClassW.USER32 ref: 0015E82B
GetLastError.KERNEL32 ref: 0015E836
CreateWindowExW.USER32 ref: 0015E89D
GetLastError.KERNEL32 ref: 0015E8A7
UnregisterClassW.USER32 ref: 0015E945

Strings

uithread.cpp, xrefs: 0015E85A, 0015E8CB
Unexpected return value from message pump., xrefs: 0015E930
WixBurnMessageWindow, xrefs: 0015E824, 0015E940
Failed to register window., xrefs: 0015E864
Failed to create window., xrefs: 0015E8D5

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: 5903786d7d2d9d1f1924b599071b1f2b8772f3a47fb8f31d75ee8618c3cd1783
Instruction ID: 4b172f9f6b5084832d58da34a064783c17bd6342fa43fac0f6fe8d3c940d8c82
Opcode Fuzzy Hash: 5903786d7d2d9d1f1924b599071b1f2b8772f3a47fb8f31d75ee8618c3cd1783
Instruction Fuzzy Hash: 3B419372D04215EBDB289BA5DC84ADEBFF8FF08751F114129FD24BA150D731AA44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0014C28F, Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,0014C47F,00145405,?,?,00145445), ref: 0014C2D6
GetLastError.KERNEL32(?,0014C47F,00145405,?,?,00145445,00145445,00000000,?,00000000), ref: 0014C2E7
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,0014C47F,00145405,?,?,00145445,00145445,00000000,?), ref: 0014C336
GetCurrentProcess.KERNEL32(000000FF,00000000,?,0014C47F,00145405,?,?,00145445,00145445,00000000,?,00000000), ref: 0014C33C
DuplicateHandle.KERNELBASE(00000000,?,0014C47F,00145405,?,?,00145445,00145445,00000000,?,00000000), ref: 0014C33F
GetLastError.KERNEL32(?,0014C47F,00145405,?,?,00145445,00145445,00000000,?,00000000), ref: 0014C349
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0014C47F,00145405,?,?,00145445,00145445,00000000,?,00000000), ref: 0014C39B
GetLastError.KERNEL32(?,0014C47F,00145405,?,?,00145445,00145445,00000000,?,00000000), ref: 0014C3A5

Strings

crypt32.dll, xrefs: 0014C397
Failed to duplicate handle to container: %ls, xrefs: 0014C37A
Failed to move file pointer to container offset., xrefs: 0014C3D3
Failed to open container., xrefs: 0014C3F1
feclient.dll, xrefs: 0014C398
Failed to open file: %ls, xrefs: 0014C318
container.cpp, xrefs: 0014C30B, 0014C36D, 0014C3C9

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: 5ab84e732c4408310a996b509b24d9a336fb1e18e0133c8f549c6e75b60f3b23
Instruction ID: 48caef3afa8ee4094ccaff5a039b31ab338b9dbc52454d4e0093d6a07496141a
Opcode Fuzzy Hash: 5ab84e732c4408310a996b509b24d9a336fb1e18e0133c8f549c6e75b60f3b23
Instruction Fuzzy Hash: 2041FB36240202ABDB619F598C49F5B7BB6FFC5720F218129FD14EB2A1DB71D901DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00182AF7, Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00143838: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00143877
Part of subcall function 00143838: GetLastError.KERNEL32 ref: 00143881

Part of subcall function 00184A6C: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00184A9D

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00182B41
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00182B61
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00182B81
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00182BA1
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00182BC1
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00182BE1
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00182C01

Strings

Msi.dll, xrefs: 00182B09
MsiSetExternalUIRecord, xrefs: 00182BD6
MsiSourceListAddSourceExW, xrefs: 00182BF6
MsiGetProductInfoExW, xrefs: 00182BB6
MsiDeterminePatchSequenceW, xrefs: 00182B36
MsiDetermineApplicablePatchesW, xrefs: 00182B56
MsiEnumProductsExW, xrefs: 00182B76
MsiGetPatchInfoExW, xrefs: 00182B96

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: 4442420653fdab313004ce5a7c5bc6453c630c5ca653d8a36155b4098f4d7345
Instruction ID: c510c2695628b394d67fd58898b7dbb82ae660b7e841f6b8f2ad0cc5908df241
Opcode Fuzzy Hash: 4442420653fdab313004ce5a7c5bc6453c630c5ca653d8a36155b4098f4d7345
Instruction Fuzzy Hash: 9031E8B4949288EFDB12AFA1ED82B697BB0F717704F04012AE40C96972F7B109C5DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0018304F, Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153libraryloadercomCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00183609,00000000,?,00000000), ref: 00183069
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0016C025,?,00145405,?,00000000,?), ref: 00183075
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 001830B5
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001830C1
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 001830CC
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001830D6
CoCreateInstance.OLE32(001AB6B8,00000000,00000001,0018B818,?,?,?,?,?,?,?,?,?,?,?,0016C025), ref: 00183111
ExitProcess.KERNEL32 ref: 001831C0

Strings

xmlutil.cpp, xrefs: 00183099
Wow64DisableWow64FsRedirection, xrefs: 001830BB
IsWow64Process, xrefs: 001830AF
kernel32.dll, xrefs: 00183059
Wow64EnableWow64FsRedirection, xrefs: 001830C3
Wow64RevertWow64FsRedirection, xrefs: 001830CE

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: f51f5efd13e692afc6ac138f2946f2d376e6f95c64e81bd2095c8b4623c6f5b8
Instruction ID: f30e957678d7019294f48e4bb5df3b914fb7fdca9fbf012c4af8b3b10a2567d0
Opcode Fuzzy Hash: f51f5efd13e692afc6ac138f2946f2d376e6f95c64e81bd2095c8b4623c6f5b8
Instruction Fuzzy Hash: 8741D235A01215ABDB24EBA8C889FAEB7B4AF45F10F194068F911EB281D771DF408F90

Uniqueness

Uniqueness Score: -1.00%

Function 0014A28B, Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 138registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0014A2B3
_MREFOpen@16.MSPDB140-MSVCRT ref: 0014A30E
RegQueryValueExW.KERNELBASE(000002C0,00000100,00000000,000002C0,00000000,00000000,000002C0,?,00000100,00000000,?,00000000,?,000002C0,000002C0,?), ref: 0014A32F
RegCloseKey.KERNELBASE(00000000,00000100,00000000,000002C0,00000100,00000000,000002C0), ref: 0014A405

Strings

search.cpp, xrefs: 0014A360
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 0014A3DD
Failed to format key string., xrefs: 0014A2BE
Registry key not found. Key = '%ls', xrefs: 0014A396
Failed to open registry key. Key = '%ls', xrefs: 0014A3C7
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0014A37A
Failed to format value string., xrefs: 0014A319
Failed to set variable., xrefs: 0014A3BD
Failed to query registry key value., xrefs: 0014A36A

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: Open@16$CloseQueryValue
String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
API String ID: 2702208347-46557908
Opcode ID: f609486d30721f60a17a25f50c5d0f95705b2cf2e1234cdafb47b2c5bbcbc319
Instruction ID: c3c6278e584d7cddf2b6a09c5180f68536bb76c12a6a6ea0fe3e770427d53fc1
Opcode Fuzzy Hash: f609486d30721f60a17a25f50c5d0f95705b2cf2e1234cdafb47b2c5bbcbc319
Instruction Fuzzy Hash: 9141D372D80128BBDB226EA4CC06FAEBB65FF14710F524251F914B61B1E7719F10AB92

Uniqueness

Uniqueness Score: -1.00%

Function 00161741, Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,0014C3EB,?,00000000,?,0014C47F), ref: 00161778
GetLastError.KERNEL32(?,0014C3EB,?,00000000,?,0014C47F,00145405,?,?,00145445,00145445,00000000,?,00000000), ref: 00161781

Strings

cabextract.cpp, xrefs: 001617A5, 001617EB, 00161837
Failed to create operation complete event., xrefs: 001617F5
Failed to copy file name., xrefs: 00161763
wininet.dll, xrefs: 00161757
Failed to create begin operation event., xrefs: 001617AF
Failed to create extraction thread., xrefs: 00161841
Failed to wait for operation complete., xrefs: 00161854

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: 3f7efe65d388d9e99826fcf1b0ffc4f61bb666f662b2eaf8b82eb24b2122ef8a
Instruction ID: 45a14153d8a3c24690d3a18700a5e042d3a01b0d1e54a338ef0b597011dc4d56
Opcode Fuzzy Hash: 3f7efe65d388d9e99826fcf1b0ffc4f61bb666f662b2eaf8b82eb24b2122ef8a
Instruction Fuzzy Hash: FD210677E8163777D72116A94C86F6B7A9CFF00BA4B560225BE10BB680EB60DC1086E1

Uniqueness

Uniqueness Score: -1.00%

Function 001608C2, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 001608F2
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0016090A
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 0016090F
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00160912
GetLastError.KERNEL32(?,?), ref: 0016091C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 0016098B
GetLastError.KERNEL32(?,?), ref: 00160998

Strings

cabextract.cpp, xrefs: 00160940, 001609BC
Failed to open cabinet file: %hs, xrefs: 001609C9
Failed to duplicate handle to cab container., xrefs: 0016094A
Failed to add virtual file pointer for cab container., xrefs: 00160971
<the>.cab, xrefs: 001608EB

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 767dc5150627ed254c4b2dbdc6ca84fbf86d933c8fb2130337f428eeea1ece3c
Instruction ID: 51d96342f1f84456953b8fcba21e8d13f2cc1985eda2fe9f5b3712ddf23fcea1
Opcode Fuzzy Hash: 767dc5150627ed254c4b2dbdc6ca84fbf86d933c8fb2130337f428eeea1ece3c
Instruction Fuzzy Hash: F331F572941636BBEB225B958C49F9FBB69FF08764F110111FD08BB690D760AE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00146DB9, Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 166COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,?,00000000,00145445,00000006,?,001482B9,?,?,?,00000000,00000000,00000001), ref: 00146DC8

Part of subcall function 001456A9: CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00146595,00146595,?,0014563D,?,?,00000000), ref: 001456E5
Part of subcall function 001456A9: GetLastError.KERNEL32(?,0014563D,?,?,00000000,?,?,00146595,?,00147F02,?,?,?,?,?), ref: 00145714

LeaveCriticalSection.KERNEL32(00000001,?,00000000,00000001,00000000,00000000,?,001482B9), ref: 00146F59

Strings

Failed to insert variable '%ls'., xrefs: 00146E0D
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00146ED0
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00146F6B
Attempt to set built-in variable value: %ls, xrefs: 00146E56
Setting hidden variable '%ls', xrefs: 00146E86
Setting string variable '%ls' to value '%ls', xrefs: 00146EED
Unsetting variable '%ls', xrefs: 00146F15
Failed to find variable value '%ls'., xrefs: 00146DE3
Failed to set value of variable: %ls, xrefs: 00146F41
Setting numeric variable '%ls' to value %lld, xrefs: 00146EFA
variable.cpp, xrefs: 00146E4B

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
API String ID: 2716280545-445000439
Opcode ID: 4a602e4bd831247a0b09dedc210ac553c6815fbeed8930f7a7de54eec933e45c
Instruction ID: b0e9f04f3bdfe4c29384fcc537bd343c3a2e91dae1b4e1288042eee4a5797c89
Opcode Fuzzy Hash: 4a602e4bd831247a0b09dedc210ac553c6815fbeed8930f7a7de54eec933e45c
Instruction Fuzzy Hash: 51511671A00315A7CB34EF59DC5AF6B3BA8EB56718F110119F885662A2C371DE44CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 00144AE5, Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00144C64
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00144C75

Strings

Failed to create the message window., xrefs: 00144B98
WixBundleLayoutDirectory, xrefs: 00144BF5
Failed to set registration variables., xrefs: 00144BDE
Failed to open log., xrefs: 00144B18
Failed to set action variables., xrefs: 00144BC4
Failed to check global conditions, xrefs: 00144B49
Failed while running , xrefs: 00144C2A
Failed to query registration., xrefs: 00144BAE
Failed to set layout directory variable to value provided from command-line., xrefs: 00144C06

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: a9b6a697dfda63fd956cd6dd0155117f9b8e38749949198617368b2020440c4c
Instruction ID: b1f00c3f1bc0241ea91e51cd1f2e9b78cc8f16077c3db1aa5027b6e15bce7487
Opcode Fuzzy Hash: a9b6a697dfda63fd956cd6dd0155117f9b8e38749949198617368b2020440c4c
Instruction Fuzzy Hash: 32410471A0561BBBCB2A6BA0CCC5FAAB66CFF04755F054215F814A6170EBB0EE149BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0015EA7D, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,0014548E,?,?), ref: 0015EA9D
GetLastError.KERNEL32(?,0014548E,?,?), ref: 0015EAAA
CreateThread.KERNELBASE ref: 0015EB03
GetLastError.KERNEL32(?,0014548E,?,?), ref: 0015EB10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,0014548E,?,?), ref: 0015EB4B
CloseHandle.KERNEL32(00000000,?,0014548E,?,?), ref: 0015EB6A
FindCloseChangeNotification.KERNELBASE(?,?,0014548E,?,?), ref: 0015EB77

Strings

Failed to create the UI thread., xrefs: 0015EB3B
uithread.cpp, xrefs: 0015EACB, 0015EB31
Failed to create initialization event., xrefs: 0015EAD5

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CloseCreateErrorLast$ChangeEventFindHandleMultipleNotificationObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 1372344712-3599963359
Opcode ID: cbbc683c672bd716d264dca866a196e9733522e53d4a831a8f5be2a7e1663e57
Instruction ID: da24d6413b8d0895c639c78da25ab6fc07fd1e0758631ec44a3af9b181721378
Opcode Fuzzy Hash: cbbc683c672bd716d264dca866a196e9733522e53d4a831a8f5be2a7e1663e57
Instruction Fuzzy Hash: 5E318376D0122AFBDB159FA98D85A9EBAF8BB04351F110169BD14FB240E7309F048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001614E1, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,74B5F5E0,?,?,00145405,001453BD,00000000,00145445), ref: 00161506
GetLastError.KERNEL32 ref: 00161519
GetExitCodeThread.KERNELBASE(0018B488,?), ref: 0016155B
GetLastError.KERNEL32 ref: 00161569
ResetEvent.KERNEL32(0018B460), ref: 001615A4
GetLastError.KERNEL32 ref: 001615AE

Strings

cabextract.cpp, xrefs: 00161540, 00161590, 001615D5
Failed to wait for operation complete event., xrefs: 0016154A
Failed to get extraction thread exit code., xrefs: 0016159A
Failed to reset operation complete event., xrefs: 001615DF

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: af42824a4d873570c46f71e334476f7910f6c60e1ef5d05b87b4a8579c5dbfd5
Instruction ID: bdbf5c44567bb9456f114f3890f7b95d10567126c3b526b98402f2be8955e697
Opcode Fuzzy Hash: af42824a4d873570c46f71e334476f7910f6c60e1ef5d05b87b4a8579c5dbfd5
Instruction Fuzzy Hash: 3B31C571B00206FBDB10DFA98D41AAEB7F8FF45710B10815AF907DA1A0E730DA109B51

Uniqueness

Uniqueness Score: -1.00%

Function 00142DBF, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 203sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 00142E5F
GetLastError.KERNEL32 ref: 00142E69
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00142F09
CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00142F96
GetLastError.KERNEL32 ref: 00142FA3
Sleep.KERNEL32(00000064), ref: 00142FB7
CloseHandle.KERNEL32(?), ref: 0014301F

Strings

%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00142F66
pathutil.cpp, xrefs: 00142E8D

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 3480017824-1101990113
Opcode ID: ac6d45fa878375fd98f45bfffd30ec72a5ac914b5a066412f24dbbc9b5d39ddd
Instruction ID: 506ebbbb1f4f7b24148587138fc45d2560af9249953d7ae4e94ee783d47a94e3
Opcode Fuzzy Hash: ac6d45fa878375fd98f45bfffd30ec72a5ac914b5a066412f24dbbc9b5d39ddd
Instruction Fuzzy Hash: DE715372D41229ABDB309F94DC89BEAB7B8AB18710F5102D5F914F71A1D7349EC08F60

Uniqueness

Uniqueness Score: -1.00%

Function 0014CBC5, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,001453BD,00000000,00145489,00145445,WixBundleUILevel,840F01E8,?,00000001), ref: 0014CC1C

Strings

Failed to find embedded payload: %ls, xrefs: 0014CC48
payload.cpp, xrefs: 0014CD1D
Failed to extract file., xrefs: 0014CCE7
Failed to get directory portion of local file path, xrefs: 0014CCF5
Failed to get next stream., xrefs: 0014CD03
Failed to ensure directory exists, xrefs: 0014CCEE
Failed to concat file paths., xrefs: 0014CCFC
Payload was not found in container: %ls, xrefs: 0014CD29

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CompareString
String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-1711239286
Opcode ID: 813b8f57b435d8a5201eaeb0055f72b5da064dd38939a820e85b54a8f59804c8
Instruction ID: e18fcff6ddbd541241ae8be5c120362c90d3177ec8d38e2150f0580e962c24de
Opcode Fuzzy Hash: 813b8f57b435d8a5201eaeb0055f72b5da064dd38939a820e85b54a8f59804c8
Instruction Fuzzy Hash: 3C41C031D42219EBCFA9AF88CC819AEBBA5FF10710B118179E815AB271D7709E41DFD0

Uniqueness

Uniqueness Score: -1.00%

Function 00144796, Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 001447BB
GetCurrentThreadId.KERNEL32 ref: 001447C1
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0014484F

Strings

Unexpected return value from message pump., xrefs: 001448A5
wininet.dll, xrefs: 001447EE
Failed to start bootstrapper application., xrefs: 0014481D
Failed to load UX., xrefs: 00144804
engine.cpp, xrefs: 0014489B
Failed to create engine for UX., xrefs: 001447DB

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: dc7eb0c116b348101f394ec03a0bb1311115f9a0342e4e903e73abab9724c11b
Instruction ID: e5780f8d16b5a15ca3aa76e8b5e25ac92820fe5fc1ba3ac8b5ff1a17795297d6
Opcode Fuzzy Hash: dc7eb0c116b348101f394ec03a0bb1311115f9a0342e4e903e73abab9724c11b
Instruction Fuzzy Hash: 0B41A371A00556BFEB15ABE4DC85FBAB7ACFF14314F110125F914E7160DB30AD4587A0

Uniqueness

Uniqueness Score: -1.00%

Function 0014D6C9, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,00000000,00000008,00000000,?,001447FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0014548E,?), ref: 0014D6DA
GetLastError.KERNEL32(?,001447FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0014548E,?,?), ref: 0014D6E7
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 0014D71F
GetLastError.KERNEL32(?,001447FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0014548E,?,?), ref: 0014D72B

Strings

Failed to create UX., xrefs: 0014D76F
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 0014D756
BootstrapperApplicationCreate, xrefs: 0014D719
userexperience.cpp, xrefs: 0014D708, 0014D74C
Failed to load UX DLL., xrefs: 0014D712

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
API String ID: 1866314245-2276003667
Opcode ID: 1876fd26de9cc8270c8085440e399f3d25eae79bb3fe8697904bacfa97313e4d
Instruction ID: e40265b6479c0cd660d533ccfb0f828bfc83abe5efe1e5a31a3e0602c932ad0e
Opcode Fuzzy Hash: 1876fd26de9cc8270c8085440e399f3d25eae79bb3fe8697904bacfa97313e4d
Instruction Fuzzy Hash: 4011E737A80732A7CF2166946C05F5B7A94AF05B26F020529FF10FB2E0DB20ED008BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00149EC7, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 147COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00149EED
_MREFOpen@16.MSPDB140-MSVCRT ref: 00149F12

Strings

MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 0014A006
Failed to get component path: %d, xrefs: 00149F76
Failed to format component id string., xrefs: 00149EF8
Failed to set variable., xrefs: 00149FF6
Failed to format product code string., xrefs: 00149F1D

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: Open@16
String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
API String ID: 3613110473-1671347822
Opcode ID: 3b827b1e9c22ffdf010f61ceee028b4204a1ee8b72629107266c7a05388c477a
Instruction ID: 498a876d852d141e1ba9ac866585d5c0090875a7dcf6cb1393ca174d54558e17
Opcode Fuzzy Hash: 3b827b1e9c22ffdf010f61ceee028b4204a1ee8b72629107266c7a05388c477a
Instruction Fuzzy Hash: 76412732900115BACF35AAE88C46FBFBFA8EF14320F244612F515E61B1E7719E48DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00180523, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(001AB5FC,00000000,?,?,?,00154207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,001454FA,?), ref: 00180533
CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,@b,?,00154207,00000000,Setup), ref: 001805D7
GetLastError.KERNEL32(?,00154207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,001454FA,?,?,?), ref: 001805E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00154207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,001454FA,?), ref: 00180621

Part of subcall function 00142DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00142F09

LeaveCriticalSection.KERNEL32(001AB5FC,?,?,@b,?,00154207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,001454FA,?), ref: 0018067A

Strings

logutil.cpp, xrefs: 00180606
@b, xrefs: 0018054A, 0018056D

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: @b$logutil.cpp
API String ID: 4111229724-1334354122
Opcode ID: 23ecabe42a33c8d69bbf4c21bb0734d24840c50d1efaa475111bb6b31e1fc466
Instruction ID: 62f79471c955dd96a84084d1b5595337530d816a3a8bd97af26556fd9cb49ac7
Opcode Fuzzy Hash: 23ecabe42a33c8d69bbf4c21bb0734d24840c50d1efaa475111bb6b31e1fc466
Instruction Fuzzy Hash: F731E631D0426EFBDB126FB09D85E9A7B69EF09750F510224F910A6161E771CFA09FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0014F812, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0014F942
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0014F94F

Strings

Failed to format pending restart registry key to read., xrefs: 0014F846
Failed to read Resume value., xrefs: 0014F8D8
Failed to open registration key., xrefs: 0014F8AB
%ls.RebootRequired, xrefs: 0014F82F
Resume, xrefs: 0014F8B6

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: 5aedf8f1deca8dd2162bde35946b52944a54fdc2130ec5843c2b9a7ea0aec2ec
Instruction ID: b323322b0ff34bfe44f251db87edadc62e4fd4b54d0f4080c232abb19db94442
Opcode Fuzzy Hash: 5aedf8f1deca8dd2162bde35946b52944a54fdc2130ec5843c2b9a7ea0aec2ec
Instruction Fuzzy Hash: 3F412A72940159FFDF129F98C881AADBBB4EB14314F56817AF914AB360D371AE42DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00160B8E, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00160BDE
WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00160BFD
GetLastError.KERNEL32 ref: 00160C07

Strings

cabextract.cpp, xrefs: 00160C2B
Failed to write during cabinet extraction., xrefs: 00160C35
Unexpected call to CabWrite()., xrefs: 00160BC1

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: f6e273f509f9403788ed4f8f9426b346415ba52cc8fdc49b040622966332c6b0
Instruction ID: 3561d5a673a99d09317640d6a37b569333501164f195a588ac7904da8d34df50
Opcode Fuzzy Hash: f6e273f509f9403788ed4f8f9426b346415ba52cc8fdc49b040622966332c6b0
Instruction Fuzzy Hash: 4E210176500205ABCB16CF5CDC85D9A37B8FF88320B224299FE14CB251E732DE20CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00180879, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,001453BD,00000000,?,?,?,?,?,?,?,0015769D,00000000), ref: 00180897
GetLastError.KERNEL32(?,?,?,?,?,?,?,0015769D,00000000), ref: 001808A1
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,0015769D,00000000), ref: 001808D3
GetLastError.KERNEL32(?,?,?,?,?,?,?,0015769D,00000000), ref: 001808EC
FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0015769D,00000000), ref: 0018092B

Strings

procutil.cpp, xrefs: 00180919

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorLastToken$ChangeCloseFindInformationNotificationOpenProcess
String ID: procutil.cpp
API String ID: 3650908616-1178289305
Opcode ID: 9b33e05835530779b01f298490372fdb5e325c6c2b559f9ee9f4b131df3c5205
Instruction ID: 57a203f399fc0e016eca07ce7420a46c11e58571e46761db2d50c6951f529669
Opcode Fuzzy Hash: 9b33e05835530779b01f298490372fdb5e325c6c2b559f9ee9f4b131df3c5205
Instruction Fuzzy Hash: 0921D432D0022DEBD722AB958845A9EBBB8EF18710F114156FD18BB250E3708F44DFD0

Uniqueness

Uniqueness Score: -1.00%

Function 00160C57, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00160CC4
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00160CD6
SetFileTime.KERNELBASE(?,?,?,?), ref: 00160CE9
FindCloseChangeNotification.KERNELBASE(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,001608B1,?,?), ref: 00160CF8

Strings

cabextract.cpp, xrefs: 00160C93
Invalid operation for this state., xrefs: 00160C9D

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: Time$File$ChangeCloseDateFindLocalNotification
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 1330928052-1751360545
Opcode ID: 6503c4962d715f7e7f95bf0bd8628e7974bb48490d6761fc69f99f4c99a8136f
Instruction ID: b491b5432dc53e3a328f74fa78e73ba7326e40010a046ba3fe3aed432529985f
Opcode Fuzzy Hash: 6503c4962d715f7e7f95bf0bd8628e7974bb48490d6761fc69f99f4c99a8136f
Instruction Fuzzy Hash: 9821C07280061AABCB11DFA8DD499ABBBBCFF087207504356F865D6590D770EE61CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00183565, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00183574
InterlockedIncrement.KERNEL32(001AB6C8), ref: 00183591
CLSIDFromProgID.OLE32(Msxml2.DOMDocument,001AB6B8,?,?,?,?,?,?), ref: 001835AC
CLSIDFromProgID.OLE32(MSXML.DOMDocument,001AB6B8,?,?,?,?,?,?), ref: 001835B8

Strings

Msxml2.DOMDocument, xrefs: 001835A7
MSXML.DOMDocument, xrefs: 001835B3

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: dedb54319942a9e4c54165d64d78f389098351bf2f2b16a894408a6af22ddb09
Instruction ID: 26c5b9f24fecb874535d081446844ece6767ac63928c35b74137c885a68cafaf
Opcode Fuzzy Hash: dedb54319942a9e4c54165d64d78f389098351bf2f2b16a894408a6af22ddb09
Instruction Fuzzy Hash: 87F0E53074917657C3202BA27D88B572E65EB82F54F0C0529EC14D2450D360CBC18FB0

Uniqueness

Uniqueness Score: -1.00%

Function 00184A6C, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00184A9D
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00184ACA
GetLastError.KERNEL32(?,00000000,?,00000000), ref: 00184AF6
GetLastError.KERNEL32(00000000,0018B7A0,?,00000000,?,00000000,?,00000000), ref: 00184B34
GlobalFree.KERNEL32 ref: 00184B65

Strings

fileutil.cpp, xrefs: 00184AB8, 00184B11

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: ddaee48e1f27e0df9d2f02210d6746d6bf2461f190b185ac6ab9fb6c1ef0d58d
Instruction ID: 87574e5bc120e52fb4ce221bb23b5eef53c9f3002f041f4e9d77942befd6958f
Opcode Fuzzy Hash: ddaee48e1f27e0df9d2f02210d6746d6bf2461f190b185ac6ab9fb6c1ef0d58d
Instruction Fuzzy Hash: 40319837D4462AABC721AA958C41FAFFAB8AF44750F164255FD14EB241EB30DE009FD4

Uniqueness

Uniqueness Score: -1.00%

Function 0015E956, Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 0015E985
SetWindowLongW.USER32 ref: 0015E994
SetWindowLongW.USER32 ref: 0015E9A8
DefWindowProcW.USER32(?,?,?,?), ref: 0015E9B8
GetWindowLongW.USER32(?,000000EB), ref: 0015E9D2
PostQuitMessage.USER32(00000000), ref: 0015EA31

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: 979a1c590a01c0bc2cc5e8a81e2bf3e49f55f2fb7ded1b96cf65fb7d448e39c8
Instruction ID: 9301ef13e4c07f5a768ccf2498fa0768cc64c2a275cbb4a13e4cd7bf04adc953
Opcode Fuzzy Hash: 979a1c590a01c0bc2cc5e8a81e2bf3e49f55f2fb7ded1b96cf65fb7d448e39c8
Instruction Fuzzy Hash: B721DE31504204EFDF099FA8DC48E6A3BA5FF49352F104218FD2AAB1A4C3319E549B50

Uniqueness

Uniqueness Score: -1.00%

Function 00181217, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 150registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 0018123F
RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,?,?,?,?,001570E8,00000100,000000B0,00000088,00000410,000002C0), ref: 00181276
lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 0018136E

Strings

BundleUpgradeCode, xrefs: 0018121E
regutil.cpp, xrefs: 001812BF

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 3790715954-1648651458
Opcode ID: 748f269eb3f5cd0d195ad4a7f39468c1e7edf4c4fa2fa7dceed51ae7ee058820
Instruction ID: 620c588afdbb6f4e7f4aad1dd7125b6995317ee8d9c1f0a33c8120da548a37b1
Opcode Fuzzy Hash: 748f269eb3f5cd0d195ad4a7f39468c1e7edf4c4fa2fa7dceed51ae7ee058820
Instruction Fuzzy Hash: 1F416577A0011AFBDB25AF95C8449AEB7AEBB54720F254169FD01EB610D7309E02DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00160A81, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00160B27
GetLastError.KERNEL32(?,?,?), ref: 00160B31

Strings

cabextract.cpp, xrefs: 00160B55
Invalid seek type., xrefs: 00160ABD
Failed to move file pointer 0x%x bytes., xrefs: 00160B62

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: fa0bd60cdce7ab019519b63edbdeb6cd9a7e9c4ca1c98a8edc81745a3223cb6f
Instruction ID: 71a35f80242abb049d1ba63ffa38d7bfc8ce4e58a4f10f79e7c44c922ee1f2ec
Opcode Fuzzy Hash: fa0bd60cdce7ab019519b63edbdeb6cd9a7e9c4ca1c98a8edc81745a3223cb6f
Instruction Fuzzy Hash: 5F31A035A4021AEFCB16DFA8DC84DAEB769FF08764B158215F91497650D770EE20CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00168DB6, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00180F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,001AAAA0,00000000,?,001857E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00180F80

CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 00168E3A
RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,0014F7E0,00000001,00000100,000001B4,00000000), ref: 00168E88

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00168DD7
Failed to open uninstall registry key., xrefs: 00168DFD
Failed to enumerate uninstall key for related bundles., xrefs: 00168E99

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CloseCompareOpenString
String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 2817536665-2531018330
Opcode ID: 777d0a3c476d843ec817988b0e52cad1bb843ba1f9ec6d9f12611f7d12ab5e6a
Instruction ID: 25dd333ff42b59942ed5f28003f4db220dd00127d3d885e70b6cb3cc12881e4c
Opcode Fuzzy Hash: 777d0a3c476d843ec817988b0e52cad1bb843ba1f9ec6d9f12611f7d12ab5e6a
Instruction Fuzzy Hash: DB219536940228FFDF22AA94CC46FEEBA79EB04724F254764F510A6060DB764EA0D790

Uniqueness

Uniqueness Score: -1.00%

Function 001832F3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00183309
SysAllocString.OLEAUT32(?), ref: 00183325
VariantClear.OLEAUT32(?), ref: 001833AC
SysFreeString.OLEAUT32(00000000), ref: 001833B7

Strings

xmlutil.cpp, xrefs: 0018333C

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: xmlutil.cpp
API String ID: 760788290-1270936966
Opcode ID: 4cccdc3c77c29bf9e504109215e19cdf57308fa2d12a73f4de38a689ed079446
Instruction ID: a460c02da241c9d42c9c13b0f6a15d67fada5bc5226eae0913077dfc1e4fad77
Opcode Fuzzy Hash: 4cccdc3c77c29bf9e504109215e19cdf57308fa2d12a73f4de38a689ed079446
Instruction Fuzzy Hash: 27218336901219EFCB11EF94C848EAEBBB9BF45B11F190158FD15AB220DB319F41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00144115, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,0015A0E8,00000000,00000000,?,00000000,001453BD,00000000,?,?,0014D5B5,?), ref: 00144123
GetLastError.KERNEL32(?,0015A0E8,00000000,00000000,?,00000000,001453BD,00000000,?,?,0014D5B5,?,00000000,00000000), ref: 00144131
CreateDirectoryW.KERNEL32(?,840F01E8,00145489,?,0015A0E8,00000000,00000000,?,00000000,001453BD,00000000,?,?,0014D5B5,?,00000000), ref: 0014419A
GetLastError.KERNEL32(?,0015A0E8,00000000,00000000,?,00000000,001453BD,00000000,?,?,0014D5B5,?,00000000,00000000), ref: 001441A4

Strings

dirutil.cpp, xrefs: 001441D4

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: d6b0264606eb9d4ace3a8e10da6650e0cacda58da270620fd2fa4b2f4d011df3
Instruction ID: 11d65e7362d442176c2bbeb1bc30694cf844496ddb46f1bd051c1af205be1fbc
Opcode Fuzzy Hash: d6b0264606eb9d4ace3a8e10da6650e0cacda58da270620fd2fa4b2f4d011df3
Instruction Fuzzy Hash: 9811247660433697E7312AA15C84B7BA664EF75F61F110021FD49EB270E360BDC183D0

Uniqueness

Uniqueness Score: -1.00%

Function 001421AC, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(8000FFFF,00000000,?,?,00000000,00000000,7743A770,8000FFFF,?,?,00180267,?,?,00000000,00000000,8000FFFF), ref: 001421F2
GetLastError.KERNEL32(?,00000000,00000000,7743A770,8000FFFF,?,?,00180267,?,?,00000000,00000000,8000FFFF), ref: 001421FE

Part of subcall function 00143BD3: GetProcessHeap.KERNEL32(00000000,?,?,001421CC,?,7743A770,8000FFFF,?,?,00180267,?,?,00000000,00000000,8000FFFF), ref: 00143BDB
Part of subcall function 00143BD3: HeapSize.KERNEL32(00000000,?,001421CC,?,7743A770,8000FFFF,?,?,00180267,?,?,00000000,00000000,8000FFFF), ref: 00143BE2

Strings

strutil.cpp, xrefs: 00142222

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: fdff6863ee3dcdf7044163c4dcdf08d04b3c47e4cfbf7e66c7819d2532d0ae4c
Instruction ID: 880137ee6632149b8e9f92167f2970eb77890880c660d7f6df4c3d19ed1192e5
Opcode Fuzzy Hash: fdff6863ee3dcdf7044163c4dcdf08d04b3c47e4cfbf7e66c7819d2532d0ae4c
Instruction Fuzzy Hash: 0B310832605226ABD7248EA5CC44E6A7B95AF55774B620324FD15EF2B0EBF1DCC087E0

Uniqueness

Uniqueness Score: -1.00%

Function 00180E4F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00168E1B), ref: 00180EAA
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00168E1B,00000000), ref: 00180EC8
RegEnumKeyExW.KERNELBASE(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,00168E1B,00000000,00000000,00000000), ref: 00180F1E

Strings

regutil.cpp, xrefs: 00180EEE

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: Enum$InfoQuery
String ID: regutil.cpp
API String ID: 73471667-955085611
Opcode ID: c2fe9d717cdc5aa753e1eec0f9dc59232bdb9e91717e641cc776d249bea5bb56
Instruction ID: c672f56c1e6dbd42c020529f521728ca9b84ab2c2866d41e33ca741d1979e4b0
Opcode Fuzzy Hash: c2fe9d717cdc5aa753e1eec0f9dc59232bdb9e91717e641cc776d249bea5bb56
Instruction Fuzzy Hash: BE31B07690112DBFEB32AAD48D80EAFB76DEF08750F164065BE04AB210D7718F449FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00168B17, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00180F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,001AAAA0,00000000,?,001857E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00180F80

RegCloseKey.KERNELBASE(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,00168E57,00000000,00000000), ref: 00168BD4

Strings

Failed to ensure there is space for related bundles., xrefs: 00168B87
Failed to open uninstall key for potential related bundle: %ls, xrefs: 00168B43
Failed to initialize package from related bundle id: %ls, xrefs: 00168BBA

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
API String ID: 47109696-1717420724
Opcode ID: e90a769cbe6235f211d8df01f166266e5e21e8b483ccb0b0abca36c321917eac
Instruction ID: da3dcae4c42925d40aab6a8e8e3b50f44bc2550916232e40af7022d7087b349a
Opcode Fuzzy Hash: e90a769cbe6235f211d8df01f166266e5e21e8b483ccb0b0abca36c321917eac
Instruction Fuzzy Hash: 55219DB2940619FBDF229E84CC46FEEBB78EF14711F114255FA10A61A0DB719A30EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00153AA6, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00180F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,001AAAA0,00000000,?,001857E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00180F80

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00153FB5,feclient.dll,?,00000000,?,?,?,00144B12), ref: 00153B42

Part of subcall function 001810B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0018112B
Part of subcall function 001810B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00181163

Strings

feclient.dll, xrefs: 00153AAB
SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00153AB7
Logging, xrefs: 00153AD4

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: c58f2c13ae255feeb661e743567aefc2d3771ec1c97da2e299806678b4e7a15f
Instruction ID: 0c57e3a753b1e1959e44ca698a2f63a6e1dac717e0b3db540bf8c1d5f3334836
Opcode Fuzzy Hash: c58f2c13ae255feeb661e743567aefc2d3771ec1c97da2e299806678b4e7a15f
Instruction Fuzzy Hash: EA11B236B40208FBDB21DB95DC86EAABBB8EB14B82F500065F921AF091D7719F85D710

Uniqueness

Uniqueness Score: -1.00%

Function 00180764, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(0015E93B,00000000,00000000,?,?,?,00180013,0015E93B,0015E93B,?,00000000,0000FDE9,?,0015E93B,8000FFFF,Unexpected return value from message pump.), ref: 00180776
WriteFile.KERNELBASE(0000025C,00000000,00000000,?,00000000,?,?,00180013,0015E93B,0015E93B,?,00000000,0000FDE9,?,0015E93B,8000FFFF), ref: 001807B2
GetLastError.KERNEL32(?,?,00180013,0015E93B,0015E93B,?,00000000,0000FDE9,?,0015E93B,8000FFFF,Unexpected return value from message pump.), ref: 001807BC

Strings

logutil.cpp, xrefs: 001807ED

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 4f1b0ae2f4d6524ce78cacfa1619a3f0478699f65b2f32224048691083dc4e2d
Instruction ID: 789cebb2344c3419a32b5996369e220d621370f4741dd9049403887c370c3d68
Opcode Fuzzy Hash: 4f1b0ae2f4d6524ce78cacfa1619a3f0478699f65b2f32224048691083dc4e2d
Instruction Fuzzy Hash: DB11CA77A01129ABC311AAA5DC849ABBA6CEB49760B410214FD40EB640D730AE40CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 0017FE21, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00000900,?,?,00000000,00000000,00000000,?,00000000,?,?,001804F4,?,?,?,?,00000001), ref: 0017FE40
GetLastError.KERNEL32(?,001804F4,?,?,?,?,00000001,?,00145616,?,?,00000000,?,?,00145395,00000002), ref: 0017FE4C
LocalFree.KERNEL32(00000000,?,?,00000000,?,?,001804F4,?,?,?,?,00000001,?,00145616,?,?), ref: 0017FEB5

Strings

logutil.cpp, xrefs: 0017FE6B

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: logutil.cpp
API String ID: 1365068426-3545173039
Opcode ID: c190ff0f3d63715e6266922ba38bb42a54288358a0d9de8d332a655afc45ce28
Instruction ID: 0b31fa886949b5bec08a4b17e0929198ea0dcb0706f50f8f4e7318454ded90e4
Opcode Fuzzy Hash: c190ff0f3d63715e6266922ba38bb42a54288358a0d9de8d332a655afc45ce28
Instruction Fuzzy Hash: FF118F32A00129EBDB219F948D05EAF7B79EF54710F028029FD0896271DB318E61D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 001609EA, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0016140C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00160A19,?,?,?), ref: 00161434
Part of subcall function 0016140C: GetLastError.KERNEL32(?,00160A19,?,?,?), ref: 0016143E

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 00160A27
GetLastError.KERNEL32 ref: 00160A31

Strings

cabextract.cpp, xrefs: 00160A55
Failed to read during cabinet extraction., xrefs: 00160A5F

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 36525ee4454ce836036cc2b59714d896b2cb473182a8b40d578b63d70bf8360d
Instruction ID: f799cbd183f31dfc38c2e8c99128b1f2493fa26d06c0c3b955367bd9f7416e82
Opcode Fuzzy Hash: 36525ee4454ce836036cc2b59714d896b2cb473182a8b40d578b63d70bf8360d
Instruction Fuzzy Hash: 0511A136A41229BBCB229FD5DC04E9F7BB8FF097A0B124155FD14A7650D7309A20CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0016140C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00160A19,?,?,?), ref: 00161434
GetLastError.KERNEL32(?,00160A19,?,?,?), ref: 0016143E

Strings

cabextract.cpp, xrefs: 00161462
Failed to move to virtual file pointer., xrefs: 0016146C

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: cef56e54ae4af8ccff4b65d46804776d0863c55d9465d3951cd0e995a5e098a8
Instruction ID: 5d8c08ad41634278688b0699031690660d1fe33833e8514a9e21738d36f8b920
Opcode Fuzzy Hash: cef56e54ae4af8ccff4b65d46804776d0863c55d9465d3951cd0e995a5e098a8
Instruction Fuzzy Hash: E001A23794063AB7CB215A968C08A8BFF29FF007B07168125FD286B651DB31DC20C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 001607B5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(0018B478,00000000,?,00161717,?,00000000,?,0014C287,?,00145405,?,001575A5,?,?,00145405,?), ref: 001607BF
GetLastError.KERNEL32(?,00161717,?,00000000,?,0014C287,?,00145405,?,001575A5,?,?,00145405,?,00145445,00000001), ref: 001607C9

Strings

cabextract.cpp, xrefs: 001607ED
Failed to set begin operation event., xrefs: 001607F7

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: 29bf2622512576638e6935bfc8b24e295e0c62319e59eddad5318b81b67554b7
Instruction ID: 48ef7449d761fcdc7446266d5c62837bba2eed8e976e03736ab16435c30863c3
Opcode Fuzzy Hash: 29bf2622512576638e6935bfc8b24e295e0c62319e59eddad5318b81b67554b7
Instruction Fuzzy Hash: FAF02B37A4663567C722A3D95D06A8F77989F0CBB0B120125FE41FB250FB10AD60C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 0015EC5C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32 ref: 0015EC71
GetLastError.KERNEL32 ref: 0015EC7B

Strings

EngineForApplication.cpp, xrefs: 0015EC9F
Failed to post detect message., xrefs: 0015ECA9

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post detect message.
API String ID: 2609174426-598219917
Opcode ID: 73228386d0b3dffab48228b9a80dfbfa3b133a68d24d156e0f60e4a04365fd1f
Instruction ID: 5730fb7f71ee93f5d9b3cd13021dd3e374b326d0045dee3f954ba54e978e80b3
Opcode Fuzzy Hash: 73228386d0b3dffab48228b9a80dfbfa3b133a68d24d156e0f60e4a04365fd1f
Instruction Fuzzy Hash: 65F0A733A41235A7DA3557955C09F8BBFD4AF04B71B024011BD64FF191D760DD04C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 00145123, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00141104,?,?,00000000), ref: 00145142
CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00141104,?,?,00000000), ref: 00145172

Strings

burn.clean.room, xrefs: 0014512F, 0014513C, 00145169

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: 518fcdab1cd34635358c9159ea9c3638fa3f2ac8c8f78bbebf7401c4c01f6e36
Instruction ID: 78edac2a9cd8f3fd9d339ba997730bf4f67fe72cf9b159f5e1f25d3433f4b8e0
Opcode Fuzzy Hash: 518fcdab1cd34635358c9159ea9c3638fa3f2ac8c8f78bbebf7401c4c01f6e36
Instruction Fuzzy Hash: 0F0186726005256F87344B58ADC8E73BBADEF16B60B504116F509C7A31D3709C81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00143838, Relevance: 4.6, APIs: 3, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00143877
GetLastError.KERNEL32 ref: 00143881
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 001438EA

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: 34f39fd1b73334f0a8dfdf7899f7c38aaa7510b71982e4debaa050f147efe3f8
Instruction ID: 1514035de73ac23119d353547d41b29e07d965a036f6712d100124f4403f1dc1
Opcode Fuzzy Hash: 34f39fd1b73334f0a8dfdf7899f7c38aaa7510b71982e4debaa050f147efe3f8
Instruction Fuzzy Hash: D821B6B6D0123E67DB209B65DC89F9AB7A89B04710F1102A5BD24EB291DB70DE448BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00143A16, Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00143BB6,00000000,?,00141474,00000000,7743A770,00000000,7743A770,00000000,?,?,001413B8), ref: 00143A20
RtlFreeHeap.NTDLL(00000000,?,00143BB6,00000000,?,00141474,00000000,7743A770,00000000,7743A770,00000000,?,?,001413B8,?,00000100), ref: 00143A27
GetLastError.KERNEL32(?,00143BB6,00000000,?,00141474,00000000,7743A770,00000000,7743A770,00000000,?,?,001413B8,?,00000100,?), ref: 00143A31

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: 561c3785b710fe3dfc65cb9e6f0b1a62e6fe21516f2908f57e4a30b3d1729aa1
Instruction ID: 914ae15d285b3514046221247a5a061fd03f74e4c917d87adb2e3c1d67a2e2f9
Opcode Fuzzy Hash: 561c3785b710fe3dfc65cb9e6f0b1a62e6fe21516f2908f57e4a30b3d1729aa1
Instruction Fuzzy Hash: 8ED0C233A4813957832017E66C8C95B7E58EF10AA17050020FD54DB630D721CE4087E0

Uniqueness

Uniqueness Score: -1.00%

Function 0014F755, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00180F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,001AAAA0,00000000,?,001857E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00180F80

RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,?,00157D59,?,?,?), ref: 0014F7B9

Part of subcall function 00181026: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000000,?,00000000,?,?,?,0014F78E,00000000,Installed,00000000,?), ref: 0018104B

Strings

Installed, xrefs: 0014F781

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Installed
API String ID: 3677997916-3662710971
Opcode ID: 3a07862be5400dd35454f709a543efae16fa4f3383a69cd1419ca5f583d3d91a
Instruction ID: 10c0fad39579e2e88f77cb73035727cad842449604adbe4159217dd44db5f747
Opcode Fuzzy Hash: 3a07862be5400dd35454f709a543efae16fa4f3383a69cd1419ca5f583d3d91a
Instruction Fuzzy Hash: B4014F36921118FFCB11DBE4CC46BDEBBB8EF04712F1141A9F900A7220D7759E549B90

Uniqueness

Uniqueness Score: -1.00%

Function 0017F479, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017F491

Part of subcall function 0018998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00189A09
Part of subcall function 0018998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00189A1A

Strings

px8p, xrefs: 0017F479, 0017F48B

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: px8p
API String ID: 1269201914-1459850159
Opcode ID: a166d8440ee62035ffbfe3ebbb6bbeec12baf1c7bea759aa8adac6df67c0d416
Instruction ID: d5bf4ac82c7a30dd3f4cd95d582593101eb19da9cb86370027e5774d167cff9e
Opcode Fuzzy Hash: a166d8440ee62035ffbfe3ebbb6bbeec12baf1c7bea759aa8adac6df67c0d416
Instruction Fuzzy Hash: 4BB012AD2A9401BEB20821101D02C37011CC6D3F25371C26FF401E4041AB401D01C032

Uniqueness

Uniqueness Score: -1.00%

Function 0017F49A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017F491

Part of subcall function 0018998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00189A09
Part of subcall function 0018998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00189A1A

Strings

px8p, xrefs: 0017F48B

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: px8p
API String ID: 1269201914-1459850159
Opcode ID: 5b5264ca798a9685afc1a151e163aaae2a1e6032d3245ab02669aec345fed5cd
Instruction ID: 385f4278185bdccfa036d6f427bf1df92ef23191ba7a88f7345885f2a7e7d731
Opcode Fuzzy Hash: 5b5264ca798a9685afc1a151e163aaae2a1e6032d3245ab02669aec345fed5cd
Instruction Fuzzy Hash: 7CB012A92A9401AFB24861145E03D37011CC6D7F25371816FF006D5041EB401D02C132

Uniqueness

Uniqueness Score: -1.00%

Function 0017F4AA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017F491

Part of subcall function 0018998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00189A09
Part of subcall function 0018998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00189A1A

Strings

px8p, xrefs: 0017F48B

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: px8p
API String ID: 1269201914-1459850159
Opcode ID: 41aa2b41ab9bfd0af71da3f98785e1832d929a3dbbb5c6092175ebc83f1876cb
Instruction ID: d7d7cdf0f4db6a5a5faab77b1f52f2718e98e2024be7d0b32d447c8038c5c44e
Opcode Fuzzy Hash: 41aa2b41ab9bfd0af71da3f98785e1832d929a3dbbb5c6092175ebc83f1876cb
Instruction Fuzzy Hash: 9BB012A92A9501AEB24861141D02D37011CC6D7F25371C26FF005D5041EB401D41C133

Uniqueness

Uniqueness Score: -1.00%

Function 00143AF0, Relevance: 3.0, APIs: 2, Instructions: 14memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,0014226D,?,?,00000001,7743A770,8000FFFF,?,?,00180267,?,?,00000000), ref: 00143B04
RtlReAllocateHeap.NTDLL(00000000,?,0014226D,?,?,00000001,7743A770,8000FFFF,?,?,00180267,?,?,00000000,00000000,8000FFFF), ref: 00143B0B

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: abc1fa08a2d5690e82fa06b5c1c71034b384cdff166198905e376c4646d0ae6c
Instruction ID: 76fa7c2399b443d690f77e52b0bdcf6ecb0202f7b65913d5f960bc933af551b6
Opcode Fuzzy Hash: abc1fa08a2d5690e82fa06b5c1c71034b384cdff166198905e376c4646d0ae6c
Instruction Fuzzy Hash: 52D0C93215820DABCF005FE8EC8DDAA3BACFB586027048405B915C6520C739E5609B60

Uniqueness

Uniqueness Score: -1.00%

Function 0014394F, Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00142274,?,00000001,7743A770,8000FFFF,?,?,00180267,?,?,00000000,00000000,8000FFFF), ref: 00143960
RtlAllocateHeap.NTDLL(00000000,?,00142274,?,00000001,7743A770,8000FFFF,?,?,00180267,?,?,00000000,00000000,8000FFFF), ref: 00143967

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 7c80b6dad1e0aeff299962245965ffbbbbd84603859c0e7bf24ecc7b679d4654
Instruction ID: 3468065fe5fbd31422735461600e137a8864cf3c1daf70d9287b3db61b8a06be
Opcode Fuzzy Hash: 7c80b6dad1e0aeff299962245965ffbbbbd84603859c0e7bf24ecc7b679d4654
Instruction Fuzzy Hash: 2EC0123219820CA7CB005FF4EC4DC56379CB714A027048400B505C6520C738E1508760

Uniqueness

Uniqueness Score: -1.00%

Function 001835C3, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001835F8

Part of subcall function 0018304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00183609,00000000,?,00000000), ref: 00183069
Part of subcall function 0018304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0016C025,?,00145405,?,00000000,?), ref: 00183075

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: 727e6f8fb46d1f3929ed4a6cf8c05300ae5ac43e0e9928c65a53bc892b5072f9
Instruction ID: 37458344c835ec53bef17975af6ab579aa7a77b9396a7edfd38cfeb809b9573f
Opcode Fuzzy Hash: 727e6f8fb46d1f3929ed4a6cf8c05300ae5ac43e0e9928c65a53bc892b5072f9
Instruction Fuzzy Hash: 90314176D00229ABCB11DFA8C884ADEB7F4EF08710F15456AED15AB311E7319E008FA0

Uniqueness

Uniqueness Score: -1.00%

Function 001891FC, Relevance: 1.6, APIs: 1, Instructions: 82registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00188E44: lstrlenW.KERNEL32(00000100,?,?,?,00189217,000002C0,00000100,00000100,00000100,?,?,?,00167D87,?,?,000001BC), ref: 00188E69

RegCloseKey.ADVAPI32(000002C0,000002C0,00000100,00000100,00000100,?,?,?,00167D87,?,?,000001BC,00000000,00000000,00000000,00000100), ref: 001892B4

Part of subcall function 00180F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,001AAAA0,00000000,?,001857E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00180F80

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: CloseOpenlstrlen
String ID:
API String ID: 514153755-0
Opcode ID: 241429d76ed84f6892cc05304e4f0d998e91a030e0efda59fa9c17ffd9af56e4
Instruction ID: 98b422d7188b9d2aa80132fdbc1e6f265d0ecf80d7fbe0f866777dd4a3585bc7
Opcode Fuzzy Hash: 241429d76ed84f6892cc05304e4f0d998e91a030e0efda59fa9c17ffd9af56e4
Instruction Fuzzy Hash: 53211B33C00129BB8F22AEA4CC418AEBABAAB54750B194365FD40A6525E7324F50EFD0

Uniqueness

Uniqueness Score: -1.00%

Function 0015EDFB, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0015EE33

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: Open@16
String ID:
API String ID: 3613110473-0
Opcode ID: 92d7a1b853d7588ad17e54212e02ec1d7b98e11b791082a7a9feb6469196ec55
Instruction ID: 10e597a0aa72290e16714532474849986780a533044f398519501383f4ccddf0
Opcode Fuzzy Hash: 92d7a1b853d7588ad17e54212e02ec1d7b98e11b791082a7a9feb6469196ec55
Instruction Fuzzy Hash: A6119172D1011AEBDB25CF98C881D9EB7E9EB14361F114269FD14AB200D731AF549BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00185870, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,001AAAA0,00000000,80070490,?,?,00158B19,WiX\Burn,PackageCache,00000000,001AAAA0,00000000,00000000,80070490), ref: 001858CA

Part of subcall function 001810B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0018112B
Part of subcall function 001810B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00181163

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: d96e4d1b23b2e7c6094797b0c487c7b9bf7d98566b456cc8a130d22a76bc877b
Instruction ID: b75c3cdbee4aea3087bd394dad91763ca8639c10d5b34237ba41a0474f036b32
Opcode Fuzzy Hash: d96e4d1b23b2e7c6094797b0c487c7b9bf7d98566b456cc8a130d22a76bc877b
Instruction Fuzzy Hash: 1811A03680062AEFCB21BE9588819AEBB6AEF06360B21413AFD4267211C7314F50DFD1

Uniqueness

Uniqueness Score: -1.00%

Function 00175305, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00176213,00000001,00000364), ref: 00175346

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7f223c09efc44b004807b26ffe639cf8affb3b21715c1300ed3db4c9d877ee0a
Instruction ID: f5bf276c68be251ed2def88f8e5b6423cfa7525e78a40b0ef28fc007b9e2ec79
Opcode Fuzzy Hash: 7f223c09efc44b004807b26ffe639cf8affb3b21715c1300ed3db4c9d877ee0a
Instruction Fuzzy Hash: 70F0E932604E24A7DB651A319C05F5A777ABF417E0B29D125B81CE71B1CBF0DD4082E0

Uniqueness

Uniqueness Score: -1.00%

Function 001434B5, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00158BD3,0000001C,80070490,00000000,00000000,80070490), ref: 001434D5

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 87e9c387092e66835bb0288c3cf12635662ba0b7721323fb205293c17f03515e
Instruction ID: 5a7a6463f15fff3bbb8f7e7dbd1168ce0efccaf0192dce2be7aee81e48ef657e
Opcode Fuzzy Hash: 87e9c387092e66835bb0288c3cf12635662ba0b7721323fb205293c17f03515e
Instruction Fuzzy Hash: A5E05B722051247BE7032F655C05DEB7B5CEF153647048051FE40D6030D776D69087B0

Uniqueness

Uniqueness Score: -1.00%

Function 001441E7, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,?,0015A42F,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,80070490), ref: 001441F0

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: acb4998825e0601b457a636caaebeff14db366f932e2d5d3177643f14cf099e9
Instruction ID: c7be22cb926c7261f2cc1924f7eba6da42bb37d8573c11277884f4883e4a5a8f
Opcode Fuzzy Hash: acb4998825e0601b457a636caaebeff14db366f932e2d5d3177643f14cf099e9
Instruction Fuzzy Hash: 7FD02E72201128578B284EFAA808AAABF8AEF027B03814215FE25CB1B0C3708C12C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 00189653, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018966B

Part of subcall function 0018998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00189A09
Part of subcall function 0018998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00189A1A

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9b1a2a6ccaa293154b77aef5eb5f658fa72e1a90b19a4e621c430a36ee38a071
Instruction ID: 43c9acadadb2e01f7c166faa40a3d622b941db8d0e04b0319b9ee0116354d631
Opcode Fuzzy Hash: 9b1a2a6ccaa293154b77aef5eb5f658fa72e1a90b19a4e621c430a36ee38a071
Instruction Fuzzy Hash: A4B01299268102BC7A4831006D82C37010CDBC2B15375811FF000F4040BB400E04C733

Uniqueness

Uniqueness Score: -1.00%

Function 00189674, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018966B

Part of subcall function 0018998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00189A09
Part of subcall function 0018998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00189A1A

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a9a84875bdc6bcc59ccd7af59beaa284310872f026d04acade1e404433361241
Instruction ID: 3432a0c2017f52d6488f836546bd6e1f7464445e711245a095f46756328da463
Opcode Fuzzy Hash: a9a84875bdc6bcc59ccd7af59beaa284310872f026d04acade1e404433361241
Instruction Fuzzy Hash: 97B01299268003AC764971141D03D37010CC7C2B15375C11FF400E5040FB400D0C8732

Uniqueness

Uniqueness Score: -1.00%

Function 00189684, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018966B

Part of subcall function 0018998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00189A09
Part of subcall function 0018998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00189A1A

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 41d1b2dc004666d37614ba601d7cb9068905ee1b214ee9160e0c51e7f53e0e01
Instruction ID: 232d3256148426e73de8766c79749690037708f667028cd24aec7aa469bedb7b
Opcode Fuzzy Hash: 41d1b2dc004666d37614ba601d7cb9068905ee1b214ee9160e0c51e7f53e0e01
Instruction Fuzzy Hash: 7FB01299268202AC7A4871446F43D37010CCBC2B15375411FF000F5040FB440D05C732

Uniqueness

Uniqueness Score: -1.00%

Function 001414B6, Relevance: 1.3, APIs: 1, Instructions: 57stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,001421A8,?,00000000,?,00000000,?,0014390C,00000000,?,00000104), ref: 001414E8

Part of subcall function 00143BD3: GetProcessHeap.KERNEL32(00000000,?,?,001421CC,?,7743A770,8000FFFF,?,?,00180267,?,?,00000000,00000000,8000FFFF), ref: 00143BDB
Part of subcall function 00143BD3: HeapSize.KERNEL32(00000000,?,001421CC,?,7743A770,8000FFFF,?,?,00180267,?,?,00000000,00000000,8000FFFF), ref: 00143BE2

Memory Dump Source

Source File: 00000004.00000002.470288175.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000004.00000002.470279825.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470445854.000000000018B000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.470502685.00000000001AA000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.470519486.00000000001AD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000_MIOffice-1.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: 6649b1ac5e6c8f58d7dc1510538f8389e4e350143b4c188ef6898f174614b01f
Instruction ID: 7c24937a2c8330165ad3826837a0cb3d06c15517cd5d1a35272dbe4ef04b4cb1
Opcode Fuzzy Hash: 6649b1ac5e6c8f58d7dc1510538f8389e4e350143b4c188ef6898f174614b01f
Instruction Fuzzy Hash: B801F53320022DBBCF215E64ECD4FDA77AAAF85760F254215FA169F271D731AD8086A4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://platform.marketintelligence.spglobal.com/apisvcs/office-tools-service/file

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Cryptography:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 4628 Parent PID: 792

General

Chronological Activities

Analysis Process: iexplore.exe PID: 6000 Parent PID: 4628

General

Chronological Activities

Analysis Process: MIOffice-1.0.20310.2.exe PID: 2600 Parent PID: 4628

General

Chronological Activities

Analysis Process: MIOffice-1.0.20310.2.exe PID: 2996 Parent PID: 2600

Function 001C5195, Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 315
COMMON

Function 001CF9E3, Relevance: 112.4, APIs: 3, Strings: 61, Instructions: 446
COMMON

Function 001CB48B, Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 578
fileCOMMON

Function 001E0D16, Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 306
synchronizationCOMMON

Function 001C4D39, Relevance: 38.7, APIs: 6, Strings: 16, Instructions: 220
COMMON

Function 001D752A, Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 291
COMMON

Function 001D86D0, Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 209
fileCOMMON

Function 001C762C, Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 420
COMMON

Function 001D82BA, Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 153
COMMON

Function 001E10FB, Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 217
COMMON

Function 001C42D7, Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Function 001CC28F, Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131
fileCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre